7u45 Caller-Allowable-Codebase and Trusted-Library

Java 7 update 45 (October 2013) changed the interactions between JavaScript and Java Applets made through LiveConnect. The 7u45 update is a Critical Patch Update that has also raised the security baseline; users are strongly recommended to upgrade.

Versions below the security baseline use the Trusted-Library manifest attribute to permit calls between sandboxed code and higher-privileged code. The Trusted-Library value is a Boolean, true or false. The security changes in the current security baseline (7u45) introduce a different attribute, Caller-Allowable-Codebase, which indicates precisely where these LiveConnect calls may originate. For example, LiveConnect calls should not necessarily originate from third-party components of a web page or from other DOM-based browser manipulations (pdf).

Additional information about these attributes can be found in “JAR File Manifest Attributes for Security.”

The workaround for end-user dialogs is described in the 7u45 release notes, which explain removing the Trusted-Library attribute for LiveConnect calls in favor of Caller-Allowable-Codebase. This provides the necessary protections (without warnings) for all users at or above the security baseline. Client installations automatically detect updates to the security baseline and prompt users to upgrade.

Warning dialogs above or below

Both of these attributes should work together to support the various versions of client installations. We are aware of the issue that modifying the manifest to use the newer Caller-Allowable-Codebase causes warnings for users below the security baseline, and that not doing so displays a warning for users above it.

Manifest Attribute               7u45                  7u40 and below
Only Caller-Allowable-Codebase   No dialog             Displays prompt
Only Trusted-Library             Displays prompt       No dialog
Both                             Displays prompt (*)   No dialog

(*) This will be fixed in a future release so that both attributes can co-exist.

The current workaround is to favor Caller-Allowable-Codebase over the older Trusted-Library attribute.
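As an added example (not code from this post, nor Oracle's own tooling), the script below audits a JAR manifest for the two attributes discussed above: it parses the main section of a MANIFEST.MF, including the continuation lines the JAR format uses for values longer than 72 bytes, and reports which dialog behaviour the matrix above predicts on 7u45 and on 7u40 and below. The embedded manifest is constructed for the example; its host names are placeholders, and the Caller-Allowable-Codebase value is treated as a space-separated list of domains as in the Oracle documentation referenced above. It also flags a wildcard `*` codebase, which permits LiveConnect calls from any origin and is the value a reviewer would want to look at first.

```python
"""Audit a JAR manifest for the LiveConnect-related attributes (added example)."""
import zipfile
from typing import Dict, List, Optional

# Constructed sample manifest; not taken from any real JAR. The long
# Caller-Allowable-Codebase value is wrapped onto a continuation line
# (leading single space), as the JAR manifest format requires.
SAMPLE_MANIFEST = (
    "Manifest-Version: 1.0\r\n"
    "Created-By: 1.7.0_45 (Oracle Corporation)\r\n"
    "Permissions: sandbox\r\n"
    "Codebase: www.example.com\r\n"
    "Caller-Allowable-Codebase: www.example.com intranet.example.com *.example\r\n"
    " .org\r\n"
    "Trusted-Library: true\r\n"
    "\r\n"
)

# Dialog behaviour from the matrix in the post:
# (Caller-Allowable-Codebase present, Trusted-Library true) -> (7u45, 7u40 and below)
MATRIX = {
    (True, False): ("No dialog", "Displays prompt"),
    (False, True): ("Displays prompt", "No dialog"),
    (True, True): ("Displays prompt (*)", "No dialog"),
}


def parse_manifest(text: str) -> Dict[str, str]:
    """Parse the main section of a manifest into a name -> value dict.

    Handles CRLF or LF endings and joins continuation lines. The first blank
    line ends the main section; per-entry sections after it are ignored.
    """
    attrs: Dict[str, str] = {}
    last_name: Optional[str] = None
    for raw in text.splitlines():
        if raw == "":
            break
        if raw.startswith(" ") and last_name is not None:
            attrs[last_name] += raw[1:]  # continuation of the previous value
            continue
        name, sep, value = raw.partition(":")
        if not sep:
            raise ValueError(f"malformed manifest line: {raw!r}")
        last_name = name.strip()
        attrs[last_name] = value.strip()
    return attrs


def get_attr(attrs: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive lookup; manifest attribute names are case-insensitive."""
    for key, value in attrs.items():
        if key.lower() == name.lower():
            return value
    return None


def has_trusted_library(attrs: Dict[str, str]) -> bool:
    value = get_attr(attrs, "Trusted-Library")
    return value is not None and value.lower() == "true"


def has_caller_allowable_codebase(attrs: Dict[str, str]) -> bool:
    return get_attr(attrs, "Caller-Allowable-Codebase") is not None


def expected_dialog(attrs: Dict[str, str]) -> Dict[str, str]:
    """Apply the post's matrix to the attributes found in the manifest."""
    key = (has_caller_allowable_codebase(attrs), has_trusted_library(attrs))
    if key not in MATRIX:  # neither attribute: the post's table does not cover it
        return {"7u45": "not covered by the matrix",
                "7u40 and below": "not covered by the matrix"}
    new, old = MATRIX[key]
    return {"7u45": new, "7u40 and below": old}


def liveconnect_origins(attrs: Dict[str, str]) -> List[str]:
    """Origins allowed to make LiveConnect calls (space-separated list)."""
    return (get_attr(attrs, "Caller-Allowable-Codebase") or "").split()


def audit(text: str) -> Dict[str, object]:
    attrs = parse_manifest(text)
    origins = liveconnect_origins(attrs)
    return {
        "dialogs": expected_dialog(attrs),
        "origins": origins,
        "wildcard_origin": "*" in origins,  # any page may call in: review this
    }


def audit_jar(path: str) -> Dict[str, object]:
    """Read META-INF/MANIFEST.MF straight out of a JAR on disk."""
    with zipfile.ZipFile(path) as jar:
        return audit(jar.read("META-INF/MANIFEST.MF").decode("utf-8"))


if __name__ == "__main__":
    print(audit(SAMPLE_MANIFEST))
```

Run `audit_jar("path/to/applet.jar")` against a real artifact; a manifest carrying both attributes reports "Displays prompt (*)" for 7u45 and "No dialog" for 7u40 and below, which is exactly the trade-off the table describes.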

For users who need to stay below the security baseline

System Administrators who schedule software deployments across managed computers may consider applying a Deployment Rule Set, as described in Option 1 of “What to do if your applet is blocked or warns of mixed code.”

System Administrators may also sign up for email notifications of Critical Patch Updates.

Comments:

Your matrix is not complete, because 7u40 and below will not prompt a warning dialog with only Trusted-Library, BUT it will block LiveConnect due to security settings (silent message in the console), because of the baseline restrictions.

Posted by guest on October 21, 2013 at 02:57 AM PDT #

It's great that this will be fixed in a future release. Once you know *which* release will contain the fix, it would be a big help if you could post that information here.

Posted by guest on October 21, 2013 at 06:55 AM PDT #

Thank you for providing information about some news here, but what we need is a useful solution for the problem of building an applet for all versions without prompting a warning. We have some signed applets (not self-signed) with "Trusted-Library: true". Since 7u45 everyone with 7u21-7u40 gets the silent console warning about LiveConnect being blocked (security settings high - default) and the applets won't work correctly. 7u45 needs "Caller-Allowable-Codebase: *" without "Trusted-Library: true", but with that, the older versions show a warning. Changing the security settings or adding a rule set is not an option, because of the amount of (server-)installations and there are thousands of clients with different JRE installations. So please tell me how to build an applet which uses LiveConnect and works with different runtimes in standard setup without prompting a warning. Please remember, before 7u45, it was possible. And will it still work with 7u51 or later?

Posted by guest on October 22, 2013 at 01:29 AM PDT #

By

"This will be fixed in a future release so that both attributes can co-exist.",

does this mean that there will no longer be a security warning prompt in the next releases, or just that both parameters will be serving their purpose if set, but the warning prompt will still be there?

Posted by SpiderWeb on October 22, 2013 at 03:20 AM PDT #

I agree the matrix should show that Java 7u25 and 7u40 with the security baseline upgraded will (silently?) block LiveConnect calls.

By the way, thanks for the frequent updates of this blog. This is very different from what was done before and is really appreciated.

Posted by Mathieu Fortin on October 22, 2013 at 05:12 AM PDT #

Please, can you confirm when the fix will be available? We are telling our customers to wait until Oracle releases a fix, but if you delay that fix, we will have to make two different applets, one for <45 and another for >45.

Posted by guest on October 22, 2013 at 08:03 AM PDT #

Thanks. I'll check on version information in-between, but the next Critical Patch Update is scheduled for January and will be called 7u51.
I've already posted some information about it at https://blogs.oracle.com/java-platform-group/entry/new_security_requirements_for_rias -- please take note and use the Permissions manifest entry along with signing/timestamping as soon as you are able.
Regarding the chart, I see the difference but I'm not sure about how to work the last post about secure baseline/untrusted code into the tabular format.

Posted by costlow on October 23, 2013 at 10:01 AM PDT #

After writing post #1 and post #3 here (silent LiveConnect problems) and after continuously reading a lot of your blogs and posts, I still have the problem of building an applet with the right manifest settings to work with 7u21-7u40 (security settings high - default).

Message in console:
"network: Created version ID: 1.7.0.40
network: Created version ID: 1.7.0.45
security: LiveConnect (JavaScript) blocked due to security settings."

So please, can you confirm that it is not possible to build a signed applet for 7u21-7u40 (below the current security baseline), even with only "Trusted-Library: true", that works with LiveConnect using the default security settings?

Posted by volo on October 24, 2013 at 05:35 AM PDT #

This issue causes a major problem for anyone trying to support a Java Applet deployed to multiple customers or sites.

Deployment Rule Sets may provide one answer, but rolling this out across hundreds of users for multiple customers isn't realistic in the short term.

Will this issue be fixed as soon as it is available rather than waiting for 7u51 in January?

Also when this is fixed I'm assuming that having both attributes will still show a warning on 7u45?

Posted by guest on November 01, 2013 at 08:41 AM PDT #

This didn't happen in prior releases of JAVA. Installed 7u45 and it started happening. And it doesn't happen when JAVA is running but when I try to close the browser and exit the JAVA app.

There should be a patch release sooner rather than months from now...

Posted by STGdb on November 01, 2013 at 10:36 AM PDT #

About
This blog contains topics related to Java SE, Java Security and Usability. The target audience is developers, sysadmins and architects that build, deploy and manage Java applications. Contributions come from the Java SE Product Management team.
