
Insights and updates on Java SE and OpenJDK from the Java Platform Group Product Management Team

  • October 18, 2013

7u45 Caller-Allowable-Codebase and Trusted-Library

Java 7 update 45 (October 2013) changed how JavaScript and Java Applets interact through LiveConnect. The 7u45 update is a Critical Patch Update that also raised the security baseline, and users are strongly encouraged to upgrade.

Versions below the security baseline used the Trusted-Library manifest attribute to permit calls between sandboxed code and higher-privileged code. The Trusted-Library value was a Boolean, true or false. The security changes in the current security baseline (7u45) introduced a different attribute, Caller-Allowable-Codebase, which indicates precisely from which locations these LiveConnect calls may originate. For example, LiveConnect calls should not necessarily be allowed to originate from third-party components of a web page or from other DOM-based browser manipulations (PDF).

Additional information about these attributes can be found in “JAR File Manifest Attributes for Security.”

The workaround for end-user dialogs is described in the 7u45 release notes, which describe removing the Trusted-Library attribute for LiveConnect calls in favor of Caller-Allowable-Codebase. This provides the necessary protections (without warnings) for all users at or above the security baseline. Client installations automatically detect updates to the security baseline and prompt users to upgrade.

Warning dialogs above or below

Both of these attributes should work together to support the various versions of client installations. We are aware of the issue that modifying the manifest to use the newer Caller-Allowable-Codebase causes warnings for users below the security baseline, while not doing so displays a warning for users above it.

Manifest Attribute               7u45                  7u40 and below
Only Caller-Allowable-Codebase   No dialog             Displays prompt
Only Trusted-Library             Displays prompt       No dialog
Both                             Displays prompt (*)   No dialog
This will be fixed in a future release so that both attributes can co-exist.

The current work-around is to favor Caller-Allowable-Codebase over the old Trusted-Library attribute.
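To make the two attributes and the table above concrete, here is an added example (not code from the original post or from Oracle) that parses the main section of a JAR MANIFEST.MF, applies the post's dialog table to the attributes it finds, and flags the settings a reviewer would want to look at before signing. The sample manifest, its hostnames and the helper names are constructed for illustration; the dialog outcomes are the ones stated in the table.

```python
"""Inspect a JAR MANIFEST.MF for the LiveConnect-related attributes
(Trusted-Library, Caller-Allowable-Codebase) and predict the dialog
behaviour per client version according to the table in the post.

Added example; not Oracle's code. Hostnames and manifest content below
are constructed.
"""
from typing import Dict, List

# Constructed sample manifest. The Caller-Allowable-Codebase value is
# split across a JAR-spec continuation line (leading single space), which
# a correct parser must join without inserting whitespace.
SAMPLE_MANIFEST = """Manifest-Version: 1.0
Created-By: 1.7.0_45 (Oracle Corporation)
Permissions: all-permissions
Codebase: https://intranet.example.com
Caller-Allowable-Codebase: https://intranet.example.com https://portal.exam
 ple.com
Trusted-Library: true

Name: com/example/applet/
Sealed: true
"""


def parse_main_section(text: str) -> Dict[str, str]:
    """Parse the main (first) section of a MANIFEST.MF into a dict.

    Per the JAR file specification, a line starting with a single space
    continues the previous attribute value, and the first blank line ends
    the main section (per-entry sections follow). Attribute names are
    case-insensitive, so keys are stored lower-cased.
    """
    attrs: Dict[str, str] = {}
    last_key = None
    for raw in text.splitlines():
        if raw.strip() == "":
            break  # blank line: end of the main section
        if raw.startswith(" ") and last_key is not None:
            attrs[last_key] += raw[1:]  # continuation: drop the leading space only
            continue
        if ":" not in raw:
            raise ValueError(f"malformed manifest line: {raw!r}")
        key, _, value = raw.partition(":")  # split on the first colon only
        last_key = key.strip().lower()
        attrs[last_key] = value.strip()
    return attrs


def expected_dialogs(attrs: Dict[str, str]) -> Dict[str, str]:
    """Apply the post's table: what each client version shows to the user."""
    has_cac = "caller-allowable-codebase" in attrs
    has_tl = attrs.get("trusted-library", "").strip().lower() == "true"
    if has_cac and has_tl:
        return {"7u45": "Displays prompt (*)", "7u40 and below": "No dialog"}
    if has_cac:
        return {"7u45": "No dialog", "7u40 and below": "Displays prompt"}
    if has_tl:
        return {"7u45": "Displays prompt", "7u40 and below": "No dialog"}
    return {"7u45": "not covered by the table",
            "7u40 and below": "not covered by the table"}


def review_manifest(text: str) -> List[str]:
    """Return reviewer findings about the LiveConnect attributes."""
    attrs = parse_main_section(text)
    findings: List[str] = []
    tl = attrs.get("trusted-library")
    if tl is not None and tl.strip().lower() not in ("true", "false"):
        findings.append(f"Trusted-Library must be 'true' or 'false', got {tl!r}")
    cac = attrs.get("caller-allowable-codebase")
    if cac is not None and "*" in cac.split():
        # A bare wildcard accepts LiveConnect calls from any page origin,
        # which defeats the point of naming where calls may come from.
        findings.append("Caller-Allowable-Codebase contains '*': calls accepted "
                        "from any origin; list the hosting domains instead")
    if cac is not None and tl is not None:
        findings.append("Both attributes present: 7u45 displays a prompt; the "
                        "post's work-around is to favor Caller-Allowable-Codebase")
    return findings


if __name__ == "__main__":
    parsed = parse_main_section(SAMPLE_MANIFEST)
    print(expected_dialogs(parsed))
    for finding in review_manifest(SAMPLE_MANIFEST):
        print("-", finding)
```

The continuation-line handling matters in practice: a manifest written by hand with a wrapped Caller-Allowable-Codebase value is silently misread if the parser treats the wrapped line as a new attribute, and the resulting origin list will not match what the JRE sees.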

For users who need to stay below the security baseline

System Administrators who schedule software deployments across managed computers may consider applying a Deployment Rule Set, as described in Option 1 of “What to do if your applet is blocked or warns of mixed code.”

System Administrators may also sign up for email notifications of Critical Patch Updates.

Join the discussion

Comments (10)
  • guest Monday, October 21, 2013

    Your matrix is not complete, because 7u40 and below will not prompt a warning dialog with only Trusted-Library, BUT it will block LiveConnect due to security settings (silent message in the console), because of the baseline restrictions.


  • guest Monday, October 21, 2013

    It's great that this will be fixed in a future release. Once you know *which* release will contain the fix, it would be a big help if you could post that information here.


  • guest Tuesday, October 22, 2013

    Thank you for providing information about some news here, but what we need is a useful solution to the problem of building an applet for all versions without prompting a warning. We have some signed applets (not self-signed) with "Trusted-Library: true". Since 7u45, everyone with 7u21-7u40 gets the silent console warning about LiveConnect being blocked (security settings high - default) and the applets won't work correctly. 7u45 needs "Caller-Allowable-Codebase: *" without "Trusted-Library: true", but with that, the older versions show a warning. Changing the security settings or adding a rule set is not an option, because of the amount of (server) installations and there are thousands of clients with different JRE installations. So please tell me how to build an applet which uses LiveConnect and works with different runtimes in a standard setup without prompting a warning. Please remember, before 7u45, it was possible. And will it still work with 7u51 or later?


  • SpiderWeb Tuesday, October 22, 2013

    By

    "This will be fixed in a future release so that both attributes can co-exist.",

    does this mean that there will no longer be a security warning prompt in the next releases, or just that both parameters will be serving their purpose if set, but the warning prompt will still be there?


  • Mathieu Fortin Tuesday, October 22, 2013

    I agree the matrix should show that Java 7u25 and 7u40 with the security baseline upgraded will (silently?) block LiveConnect calls.

    By the way, thanks for the frequent updates of this blog. This is very different from what was done before and is really appreciated.


  • guest Tuesday, October 22, 2013

    Please, can you confirm when the fix will be available? We are telling our customers to wait until Oracle releases a fix, but if you delay that fix, we will have to make two different applets, one for <45 and another for >45.


  • costlow Wednesday, October 23, 2013

    Thanks. I'll check on version information in-between, but the next Critical Patch Update is scheduled for January and will be called 7u51.

    I've already posted some information about it at https://blogs.oracle.com/java-platform-group/entry/new_security_requirements_for_rias -- please take note and use the Permissions manifest entry along with signing/timestamping as soon as you are able.

    Regarding the chart, I see the difference but I'm not sure about how to work the last post about secure baseline/untrusted code into the tabular format.


  • volo Thursday, October 24, 2013

    After writing post #1 and post #3 here (silent LiveConnect problems) and after continuously reading a lot of your blogs and posts, I still have the problem of building an applet with the right manifest settings to work with 7u21-7u40 (security settings high - default).

    Message in console:

    "network: Created version ID: 1.7.0.40

    network: Created version ID: 1.7.0.45

    security: LiveConnect (JavaScript) blocked due to security settings."

    So please, can you confirm that it is not possible to build a signed applet for 7u21-7u40 (below the current security baseline), even with only "Trusted-Library: true", that works with LiveConnect using the default security settings?


  • guest Friday, November 1, 2013

    This issue causes a major problem for anyone trying to support a Java Applet deployed to multiple customers or sites.

    Deployment Rule Sets may provide one answer, but rolling this out across hundreds of users for multiple customers isn't realistic in the short term.

    Will this issue be fixed as soon as it is available rather than waiting for 7u51 in January?

    Also when this is fixed I'm assuming that having both attributes will still show a warning on 7u45?


  • STGdb Friday, November 1, 2013

    This didn't happen in prior releases of JAVA. Installed 7u45 and it started happening. And it doesn't happen when JAVA is running but when I try to close the browser and exit the JAVA app.

    There should be a patch release sooner rather than months from now...

