New security requirements for RIAs in 7u51 (January 2014)
By Erik Costlow-Oracle on Sep 09, 2013
Java 7 update 51 (January, 2014) intends to include two security changes designed to enhance authentication and authorization for Rich Internet Applications (Applets and Web Start). The default security slider is being updated in a way that will block RIAs that do not adhere to these requirements. Note: this only applies to RIAs, and not to Java on server or desktop applications run outside of a browser.
- You are required to sign all RIAs (Applets and Web Start applications).
- You are required to set the "Permissions" attribute within the Manifest.
- Your application will be affected if it uses Java started through a web browser. Your application will not be affected if it runs anywhere outside of a web browser.
Complete information can be found within the Java 7 update 51 release notes (here once 7u51 is released in January 2014).
As of 7u51, (January 14, 2014), your RIAs must be updated. The updates required are on the packaging and distribution; no API code changes should be required. The impetus for these changes relates to potential re-purposing of sandboxed applications, whereby placing permissions within a signed JAR prevents modification of your specified permission level.
RIAs must contain two things:
- Code signatures from a trusted authority. All code for Applets and Web Start applications must be signed, regardless of its Permissions attributes.
- Manifest Attributes
- Permissions – Introduced in 7u25, and required as of 7u51. Indicates if the RIA should run within the sandbox or require full-permissions.
- Codebase – Introduced in 7u25 and optional/encouraged as of 7u51. Points to the known location of the hosted code (e.g. intranet.example.com).
Sample META-INF/MANIFEST.MF file:
Manifest-Version: 1.0 Created-By: 1.7.0_51 Permissions: sandbox Codebase: www.java.com java.com
This manifest file is created when the JAR is packaged, either through the default jar command, your build tool, or your IDE.
Sample JNLP for launching a web start application:
<?xml version="1.0" encoding="UTF-8"?> <jnlp href="JavaDetection_applet.jnlp"> <information> <title>Java Detection</title> <vendor>Oracle Inc.</vendor> </information> <resources> <jar href="JavaDetection.jar" /> </resources> <applet-desc name="Java Detection Applet" main-class="JavaDetection" width="1" height="1"> </applet-desc> <update check="background"/> </jnlp>
Some developers may notice that the <security /> element is missing from the above JNLP. By providing it within the cryptographically signed JAR file, it is no longer necessary within the JNLP for Java 7 update 51 (January 2014).
See the Development and Deployment Of Rich Internet Applications for full details of JNLPs and the deployment toolkit. For instructions on signing code, see the tutorial Lesson: Signing Code and Granting It Permissions.
If you are a desktop administrator managing Java installations across a series of computers, consider using Deployment Rule Sets to whitelist your internal applications. Deployment Rule Sets allow you to certify that an application is known to be trusted and safe, even if you cannot update the application to adhere to these requirements.