
Background

Java 7 has security enhancements that let you manage when and how untrusted Java applications run when they are included on a web page. The security level setting in the Java Control Panel determines whether you are prompted before an untrusted Java application runs or whether the application is blocked.

The latest release of Java 7, Update 51 (7u51):

i. Blocks Self-Signed and Unsigned applets on High Security Setting
ii. Requires Permissions Attribute for High Security Setting
iii. Warns users of missing Permissions Attributes for Medium Security Setting

See Java 7 Release Highlights for changes in each Java release.

Information about Security levels in the Java Control Panel can be found here.

See Java security prompt to understand what security prompts are and why you are getting one.

Running a Nexaweb application in Java 1.7u51 and later with High Security Setting

To run a Nexaweb application in Java 7 with High Security Setting, follow these steps:

1. Get a certificate issued by a trusted certificate authority to digitally sign the application.
2. Sign all client-side jars. The MANIFEST.MF file inside each jar must have the required "Permissions" attribute. See JAR File Manifest attributes for more information.

Sample ANT task to create client jar with manifest attributes
<macrodef name="create-client-jar">
    <!-- Declare the macro attributes that are referenced as @{...} below -->
    <attribute name="jar-location"/>
    <attribute name="jar-name"/>
    <attribute name="class-location"/>
    <sequential>
        <jar jarfile="@{jar-location}/@{jar-name}"
             basedir="@{class-location}"
             includes="**"
             excludes="">
            <manifest>
                <attribute name="Copyright-Notice" value="${copyright.notice}"/>
                <attribute name="Application-Name" value="${application.name}"/>
                <attribute name="Codebase" value="${codebase}"/>
                <!-- Required under High Security Setting from 7u51 -->
                <attribute name="Permissions" value="${permissions}"/>
                <attribute name="Caller-Allowable-Codebase" value="${caller.allowable.codebase}"/>
                <attribute name="Application-Library-Allowable-Codebase" value="${application.library.allowable.codebase}"/>
            </manifest>
        </jar>
    </sequential>
</macrodef>
Sample ANT task to sign jar
<macrodef name="signJars">
	<sequential>
		<signjar alias="${keystore.alias}" keystore="${keystore.file}" storepass="${keystore.password}" lazy="true">
			<path>
				<fileset dir="${build.dir}/WEB-INF/Nexaweb/client" includes="**/*.jar"/>
				<fileset dir="${build.dir}/WEB-INF/client" includes="**/*.jar"/>
			</path>
		</signjar>
	</sequential>
</macrodef>

3. Sign all Nexaweb client jars and update the manifest attributes of the jar files. Updating Client-Side Jar Manifests for Java 1.7u51 and Later describes how to update manifest attributes.
4. If you are using pack200 compression, see the Pack200 document. To compress signed jars, follow these steps:
    i. Normalize the JAR file using the --repack option.
    ii. Sign the normalized JAR file.
    iii. Pack the signed JAR file, generating a .jar.pack.gz file.

Sample ANT task to repack and sign
<macrodef name="repack-and-sign">
		<sequential>
			<echo message="Repacking libs in ${build.dir}/WEB-INF/Nexaweb/client"/>
			<apply executable="pack200" parallel="false">
				<arg value="--repack"/>
				<fileset dir="${build.dir}/WEB-INF/Nexaweb/client" includes="**/*.jar" />
			</apply>
			<echo message="Repacking libs in ${build.dir}/WEB-INF/client"/>
			<apply executable="pack200" parallel="false">
				<arg value="--repack"/>
				<fileset dir="${build.dir}/WEB-INF/client" includes="**/*.jar" />
			</apply>
			<echo message="Signing client libs in ${build.dir}/WEB-INF/"/>
			<signjar 
		            alias="${keystore.alias}" keystore="${keystore.file}" storepass="${keystore.password}"
		            lazy="true">
				<path>
					<fileset dir="${build.dir}/WEB-INF/Nexaweb/client" includes="**/*.jar"/>
					<fileset dir="${build.dir}/WEB-INF/client" includes="**/*.jar"/>
				</path>
			</signjar>
			<echo message="Pack200 after signing"/>
			<apply executable="pack200" parallel="false" dest="${build.dir}/WEB-INF/Nexaweb/client">
				<arg value="--modification-time=latest"/>
				<arg value="--deflate-hint=true"/>
				<arg value="--segment-limit=-1"/>
				<targetfile/>
				<srcfile/>
				<fileset dir="${build.dir}/WEB-INF/Nexaweb/client" includes="**/*.jar" />
				<mapper type="glob" from="*" to="*.pack.gz" />
			</apply>
			<apply executable="pack200" parallel="false" dest="${build.dir}/WEB-INF/client">
				<arg value="--modification-time=latest"/>
				<arg value="--deflate-hint=true"/>
				<arg value="--segment-limit=-1"/>
				<targetfile/>
				<srcfile/>
				<fileset dir="${build.dir}/WEB-INF/client" includes="**/*.jar" />
				<mapper type="glob" from="*" to="*.pack.gz" />
			</apply>
		</sequential>
</macrodef>

5. Repackage and sign the Nexaweb plugin jars if you are using any. This prevents the warning dialog that is raised for mixed signed and unsigned components in Java 1.6.19 or later. Refer to Mixed Signed and Unsigned code warning dialog in Java 1.6u19 and later for the steps to repackage and sign Nexaweb plugin jars.
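
A pre-deployment check for steps 2 through 5, as an added example (not Nexaweb's own code): it reads the main manifest section of each client jar, flags a missing or invalid Permissions value, and reports jars without signature files, including a mix of signed and unsigned jars. The script name `audit_jars.py` and the directories passed on the command line (for example `python audit_jars.py build/WEB-INF/client`) are assumptions.

```python
import sys
import zipfile
from pathlib import Path

MANIFEST = "META-INF/MANIFEST.MF"
VALID_PERMISSIONS = {"sandbox", "all-permissions"}
SIG_BLOCK_EXT = (".RSA", ".DSA", ".EC")    # signature block files written by jarsigner

def main_attributes(manifest_text):
    """Parse the main section of a MANIFEST.MF (it ends at the first blank line)."""
    attrs, last = {}, None
    for line in manifest_text.splitlines():
        if not line.strip():
            break                              # per-entry sections follow
        if line.startswith(" ") and last:      # continuation of a wrapped value
            attrs[last] += line[1:]
        elif ":" in line:
            name, _, value = line.partition(":")
            last = name.strip().lower()        # attribute names are case-insensitive
            attrs[last] = value.lstrip()
    return attrs

def audit_jar(jar):
    """Findings for one jar (path or file object); an empty list means it passes.
    Signature files are only checked for presence; `jarsigner -verify` validates them."""
    with zipfile.ZipFile(jar) as zf:
        names = zf.namelist()
        text = zf.read(MANIFEST).decode("utf-8") if MANIFEST in names else ""
    perms = main_attributes(text).get("permissions", "").strip()
    findings = [] if perms in VALID_PERMISSIONS else ["Permissions missing or invalid: %r" % perms]
    meta = [n.upper() for n in names if n.upper().startswith("META-INF/") and n.count("/") == 1]
    if not (any(n.endswith(".SF") for n in meta) and any(n.endswith(SIG_BLOCK_EXT) for n in meta)):
        findings.append("unsigned")
    return findings

def audit_set(jars):
    """jars: {name: path or file}. Returns (findings per jar, True if signed/unsigned are mixed)."""
    report = {name: audit_jar(jar) for name, jar in jars.items()}
    unsigned = [n for n, f in report.items() if "unsigned" in f]
    return report, 0 < len(unsigned) < len(report)

if __name__ == "__main__":
    found = {str(p): p for d in sys.argv[1:] for p in Path(d).rglob("*.jar")}
    report, mixed = audit_set(found)
    for name, findings in sorted(report.items()):
        print(name, "OK" if not findings else "; ".join(findings))
    if mixed:
        print("WARNING: signed and unsigned jars are mixed")
    sys.exit(1 if mixed or any(report.values()) else 0)
```

A non-zero exit status makes the script usable as a build gate after the signing target has run.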