Background
Java 7 includes security enhancements that let you manage when and how untrusted Java applications run if they are included on a web page. The security level setting in the Java Control Panel determines whether you are prompted before an untrusted Java application runs or whether the application is blocked.
The latest release of Java 7, Update 51 (7u51):
i. Blocks Self-Signed and Unsigned applets on High Security Setting
ii. Requires Permissions Attribute for High Security Setting
iii. Warns users of missing Permissions Attributes for Medium Security Setting
See Java 7 Release Highlights for changes in each Java release.
Information about Security levels in the Java Control Panel can be found here.
See Java security prompt to understand what security prompts are and why you are getting one.
Running a Nexaweb application in Java 1.7u51 and later with High Security Setting
To run a Nexaweb application in Java 7 with High Security Setting, follow these steps:
1. Get a certificate issued by a trusted certificate authority to digitally sign the application.
2. Sign all client-side jars. The MANIFEST.MF file inside each jar must have the required "Permissions" attribute. See JAR File Manifest attributes for more information.
<macrodef name="create-client-jar">
  <!-- Macro attributes must be declared for the @{...} references below to expand -->
  <attribute name="jar-location"/>
  <attribute name="jar-name"/>
  <attribute name="class-location"/>
  <sequential>
    <jar jarfile="@{jar-location}/@{jar-name}" basedir="@{class-location}" includes="**" excludes="">
      <manifest>
        <attribute name="Copyright-Notice" value="${copyright.notice}"/>
        <attribute name="Application-Name" value="${application.name}"/>
        <attribute name="Codebase" value="${codebase}"/>
        <!-- Required by Java 7u51 on the High security setting -->
        <attribute name="Permissions" value="${permissions}"/>
        <attribute name="Caller-Allowable-Codebase" value="${caller.allowable.codebase}"/>
        <attribute name="Application-Library-Allowable-Codebase" value="${application.library.allowable.codebase}"/>
      </manifest>
    </jar>
  </sequential>
</macrodef>
<macrodef name="signJars">
  <sequential>
    <!-- Supply keystore.password at build time; do not commit it with the build file -->
    <signjar alias="${keystore.alias}" keystore="${keystore.file}" storepass="${keystore.password}" lazy="true">
      <path>
        <fileset dir="${build.dir}/WEB-INF/Nexaweb/client" includes="**/*.jar"/>
        <fileset dir="${build.dir}/WEB-INF/client" includes="**/*.jar"/>
      </path>
    </signjar>
  </sequential>
</macrodef>
3. Sign all Nexaweb client jars and update the manifest attributes of the jar files. Updating Client-Side Jar Manifests for Java 1.7u51 and Later describes how to update manifest attributes.
4. If you are using pack200 compression, see the Pack200 document. To compress signed jars, follow these steps:
i. Normalize the JAR file using the --repack option.
ii. Sign the normalized JAR file.
iii. Pack the signed JAR file, generating a .jar.pack.gz file.
<macrodef name="repack-and-sign">
  <sequential>
    <!-- Step i: normalize each jar in place so that packing later does not invalidate the signature -->
    <echo message="Repacking libs in ${build.dir}/WEB-INF/Nexaweb/client"/>
    <apply executable="pack200" parallel="false">
      <arg value="--repack"/>
      <fileset dir="${build.dir}/WEB-INF/Nexaweb/client" includes="**/*.jar"/>
    </apply>
    <echo message="Repacking libs in ${build.dir}/WEB-INF/client"/>
    <apply executable="pack200" parallel="false">
      <arg value="--repack"/>
      <fileset dir="${build.dir}/WEB-INF/client" includes="**/*.jar"/>
    </apply>

    <!-- Step ii: sign the normalized jars. With lazy="true", a jar that already
         contains a signature file for this alias is skipped, not re-signed. -->
    <echo message="Signing client libs in ${build.dir}/WEB-INF/"/>
    <signjar alias="${keystore.alias}" keystore="${keystore.file}" storepass="${keystore.password}" lazy="true">
      <path>
        <fileset dir="${build.dir}/WEB-INF/Nexaweb/client" includes="**/*.jar"/>
        <fileset dir="${build.dir}/WEB-INF/client" includes="**/*.jar"/>
      </path>
    </signjar>

    <!-- Step iii: pack each signed jar into <name>.jar.pack.gz next to the original -->
    <echo message="Pack200 after signing"/>
    <apply executable="pack200" parallel="false" dest="${build.dir}/WEB-INF/Nexaweb/client">
      <arg value="--modification-time=latest"/>
      <arg value="--deflate-hint=true"/>
      <arg value="--segment-limit=-1"/>
      <targetfile/>
      <srcfile/>
      <fileset dir="${build.dir}/WEB-INF/Nexaweb/client" includes="**/*.jar"/>
      <mapper type="glob" from="*" to="*.pack.gz"/>
    </apply>
    <apply executable="pack200" parallel="false" dest="${build.dir}/WEB-INF/client">
      <arg value="--modification-time=latest"/>
      <arg value="--deflate-hint=true"/>
      <arg value="--segment-limit=-1"/>
      <targetfile/>
      <srcfile/>
      <fileset dir="${build.dir}/WEB-INF/client" includes="**/*.jar"/>
      <mapper type="glob" from="*" to="*.pack.gz"/>
    </apply>
  </sequential>
</macrodef>
5. Repackage and sign the Nexaweb plugin jars if you are using any. This prevents the warning dialog that is raised for mixed signed and unsigned components in Java 1.6.19 or later. Refer to Mixed Signed and Unsigned code warning dialog in Java 1.6u19 and later for the steps to repackage and sign Nexaweb plugin jars.
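
A pre-deployment check for the steps above, added here as an example (it is not part of the original article or of Nexaweb's tooling): it reads each jar's manifest main section and reports a missing or invalid Permissions attribute, a missing or wildcard Codebase, and absent signature files. The function names and the constructed sample jar are assumptions for illustration; the script only checks that signature files are present, so use jarsigner -verify to validate the signature itself.

```python
import io
import zipfile

VALID_PERMISSIONS = {"sandbox", "all-permissions"}  # values Oracle documents
SIG_BLOCK_EXT = (".RSA", ".DSA", ".EC")

def parse_main_section(raw: bytes) -> dict:
    """Parse the manifest main section; attribute names are case-insensitive."""
    attrs, last = {}, None
    for line in raw.decode("utf-8").splitlines():
        if not line:                      # blank line ends the main section
            break
        if line.startswith(" ") and last:
            attrs[last] += line[1:]       # continuation of a wrapped value
        elif ":" in line:
            name, value = line.split(":", 1)
            last = name.strip().lower()
            attrs[last] = value.lstrip(" ")
    return attrs

def audit_jar(jar) -> list:
    """Return findings for one jar (path or file-like object)."""
    with zipfile.ZipFile(jar) as zf:
        names = zf.namelist()
        if "META-INF/MANIFEST.MF" not in names:
            return ["no META-INF/MANIFEST.MF"]
        attrs = parse_main_section(zf.read("META-INF/MANIFEST.MF"))
    findings = []
    perm = attrs.get("permissions")
    if perm is None:
        findings.append("missing Permissions attribute")
    elif perm not in VALID_PERMISSIONS:
        findings.append("invalid Permissions value: " + perm)
    if attrs.get("codebase", "*") == "*":
        findings.append("Codebase missing or wildcard")
    meta = [n.upper() for n in names if n.upper().startswith("META-INF/")]
    if not (any(n.endswith(".SF") for n in meta)
            and any(n.endswith(SIG_BLOCK_EXT) for n in meta)):
        findings.append("no signature files (jar is unsigned)")
    return findings

def make_jar(manifest: str, extra=()) -> io.BytesIO:
    """Build a constructed sample jar in memory (not a real Nexaweb jar)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest)
        for name in extra:
            zf.writestr(name, b"")
    buf.seek(0)
    return buf
```

Run audit_jar over every jar under WEB-INF/Nexaweb/client and WEB-INF/client after signing and fail the build if any list is non-empty.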