New security requirements for RIAs in 7u51 (January 2014)

Java 7 update 51 (January 2014) intends to include two security changes designed to enhance authentication and authorization for Rich Internet Applications (Applets and Web Start). The default security slider is being updated in a way that will block RIAs that do not adhere to these requirements. Note: this only applies to RIAs, and not to Java on server or desktop applications run outside of a browser.

Summary:

  • You are required to sign all RIAs (Applets and Web Start applications).
  • You are required to set the "Permissions" attribute within the Manifest.
  • Your application will be affected if it uses Java started through a web browser. Your application will not be affected if it runs anywhere outside of a web browser.

Complete information can be found within the Java 7 update 51 release notes (here once 7u51 is released in January 2014).

Developers:

As of 7u51 (January 14, 2014), your RIAs must be updated. The required updates affect packaging and distribution only; no API code changes should be required. The changes are motivated by the potential re-purposing of sandboxed applications: placing the permissions within a signed JAR prevents modification of your specified permission level.
RIAs must contain two things:

  1. Code signatures from a trusted authority. All code for Applets and Web Start applications must be signed, regardless of its Permissions attributes.
  2. Manifest Attributes
    1. Permissions – Introduced in 7u25, and required as of 7u51. Indicates if the RIA should run within the sandbox or require full-permissions.
    2. Codebase – Introduced in 7u25 and optional/encouraged as of 7u51. Points to the known location of the hosted code (e.g. intranet.example.com).

Sample META-INF/MANIFEST.MF file:

Manifest-Version: 1.0
Created-By: 1.7.0_51
Permissions: sandbox
Codebase: www.java.com java.com

This manifest file is created when the JAR is packaged, either through the default jar command, your build tool, or your IDE.
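A pre-deployment check for the two requirements above, as an added example (not Oracle's code): it reads the main manifest section and looks for signature entries in META-INF. The function names and sample JARs are constructed here; the check confirms that signature files are present but does not validate them, which `jarsigner -verify` does.

```python
import io
import zipfile

# "sandbox" is the value shown on this page; "all-permissions" is the other
# value Oracle's manifest-attribute documentation defines.
VALID_PERMISSIONS = {"sandbox", "all-permissions"}
# The sample manifest from this page, with the CRLF line endings the jar tool writes.
PAGE_MANIFEST = ("Manifest-Version: 1.0\r\nCreated-By: 1.7.0_51\r\n"
                 "Permissions: sandbox\r\nCodebase: www.java.com java.com\r\n\r\n")

def parse_main_attributes(manifest_text):
    """Return the main-section attributes of a MANIFEST.MF (names lower-cased)."""
    # Long manifest lines wrap at 72 bytes; a continuation starts with one space.
    unfolded = manifest_text.replace("\r\n", "\n").replace("\n ", "")
    attrs = {}
    for line in unfolded.split("\n"):
        if not line.strip():
            break  # blank line ends the main section; per-entry sections are ignored
        name, _, value = line.partition(": ")
        attrs[name.lower()] = value.strip()
    return attrs

def audit_jar(jar_bytes):
    """List the ways a JAR falls short of the 7u51 RIA packaging requirements."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = jar.namelist()
        if "META-INF/MANIFEST.MF" not in names:
            return ["missing META-INF/MANIFEST.MF"]
        attrs = parse_main_attributes(jar.read("META-INF/MANIFEST.MF").decode("utf-8"))
    meta = [n.upper() for n in names if n.upper().startswith("META-INF/")]
    findings = []
    # A signed JAR carries a .SF signature file plus a .RSA/.DSA/.EC signature block.
    if not (any(n.endswith(".SF") for n in meta)
            and any(n.endswith((".RSA", ".DSA", ".EC")) for n in meta)):
        findings.append("unsigned: no signature files in META-INF")
    perm = attrs.get("permissions")
    if perm not in VALID_PERMISSIONS:
        findings.append("Permissions missing or invalid: %r" % perm)
    if "codebase" not in attrs:
        findings.append("no Codebase attribute (optional, encouraged)")
    return findings

def build_sample_jar(manifest, signed):
    """Constructed input: a JAR with one class entry and placeholder signature entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", manifest)
        jar.writestr("JavaDetection.class", b"\xca\xfe\xba\xbe")
        if signed:
            jar.writestr("META-INF/SIGNER.SF", "Signature-Version: 1.0\r\n")
            jar.writestr("META-INF/SIGNER.RSA", b"placeholder, not a real PKCS#7 block")
    return buf.getvalue()
```

Calling `audit_jar(build_sample_jar(PAGE_MANIFEST, signed=True))` returns an empty list; a JAR whose only `Permissions` line sits in a per-entry section is still reported, because only the main section counts.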

Sample JNLP for launching a web start application:

<?xml version="1.0" encoding="UTF-8"?>
<jnlp href="JavaDetection_applet.jnlp">
    <information>
        <title>Java Detection</title>
        <vendor>Oracle Inc.</vendor>
    </information>
    <resources>
        <jar href="JavaDetection.jar" />
    </resources>
    <applet-desc
        name="Java Detection Applet"
        main-class="JavaDetection"
        width="1"
        height="1">
    </applet-desc>
    <update check="background"/>
</jnlp>

Some developers may notice that the <security /> element is missing from the above JNLP. Because the permission level is now provided within the cryptographically signed JAR file, the element is no longer necessary within the JNLP as of Java 7 update 51 (January 2014).

See the Development and Deployment Of Rich Internet Applications for full details of JNLPs and the deployment toolkit. For instructions on signing code, see the tutorial Lesson: Signing Code and Granting It Permissions.

Desktop Administrators:

If you are a desktop administrator managing Java installations across a series of computers, consider using Deployment Rule Sets to whitelist your internal applications. Deployment Rule Sets allow you to certify that an application is known to be trusted and safe, even if you cannot update the application to adhere to these requirements.

Comments:

I am excited by the possibility of using a JavaFX applet in sandbox mode but I have two problems that I would like the JavaFX team to address.

1) I would like FXML to work in sandbox mode when the items are public. Currently it needs reflection and that violates the sandbox.

2) I was unable to use the Jersey client because of the logging which violates the sandbox. Perhaps we could have a REST client that does not need logging?

Thanks

Posted by Hayden Jones on September 09, 2013 at 12:07 PM PDT #

Hayden,
I located and commented on a JavaFX bug about loading FXML from sandboxed content. The link (account required) is https://javafx-jira.kenai.com/browse/RT-23622#comment-358006

For Jersey, I didn't find a similar bug in https://java.net/jira/browse/JERSEY/ but the threat model for this sandboxed case would be more in terms of socket access than logging. Are you using the jersey-core-client rather than the whole bundle?

Posted by costlow on September 09, 2013 at 04:51 PM PDT #

So this is the killer for our Java projects! Inside a corporate environment it is not possible to know the codebase. Web Start was used to allow easy installation and update of the application using self signed code. So moving to .NET?

Posted by guest on September 18, 2013 at 08:29 AM PDT #

The Codebase attribute that you’re referencing is optional for the precise reason you mention. Many developers or ISVs do not know this ahead of time, so if you don’t know it, you can leave it off. If you do know the deployment location or domain (e.g. *.intranet.example.com) then providing it will limit where the Web Start applications will run. The Permissions attribute will be required because the application author can readily determine that ahead of time.

Posted by costlow on September 18, 2013 at 09:39 AM PDT #

Thanks. So I removed the codebase attribute from all used jar files. But this gives "Missing Codebase manifest attribute for: ..." message in console window.

Posted by guest on September 19, 2013 at 05:49 AM PDT #

Looking at the requirements for Codebase and Permissions manifest attributes.

Will all jars referenced by the applet need to be updated to include the attribute or will it be limited to the jar that contains the applet code? There is a concern that we will have to modify library jars that we do not control.

Posted by Shane on September 19, 2013 at 07:10 AM PDT #

Hi!

Will Oracle Forms deliver new jar files for these requirements?

Kind regards
Torsten

Posted by Torsten Kleiber on September 26, 2013 at 12:32 AM PDT #

Ridiculous that an applet will need signing only for running in sandbox!
Flash does not need that, Silverlight neither!

What is the reasoning behind it besides that Oracle cannot make the sandbox work reliably?

A lot of very useful unsigned applets (math, physics, etc.) are out there; and they will not run after 7u51 just because "programmers" at Oracle are not able / willing to do their duties?!

Who will use applets in the future, who will pay for a 1 year certificate 200-300$ (besides maybe the large gaming studios)?

Shame on you Oracle for killing such a good platform!

Posted by javadev on September 27, 2013 at 07:24 AM PDT #

There are quite a few great applets out there for math, physics, and other fields. Applications written for this may still be downloaded and executed, or a department within a university can whitelist their RIAs through a Deployment Rule Set.
While certificates are time-boxed, signed artifacts can be timestamped to allow clients to verify signature beyond the certificate expiration. See the note about timestamps at https://blogs.oracle.com/java-platform-group/entry/code_signing_understanding_who_and

Posted by costlow on September 30, 2013 at 01:20 PM PDT #

Even Applets need updates. So a one-year-certificate won't help. In other words, each update of a private Applet or small company will cost $200 because they update maybe once a year.

So Oracle is forcing those people to use JavaScript on client site. And when their developers start using JavaScript, why not use JavaScript on server site? ECMA-Script for servers is quite good. And when starting to redesign the code why continue to use the Oracle database? Why use a product of a company that made all those redesign necessary? Maybe use some Google Cloud Database?

Currently there are 2 groups in a company that decide which database to use: The management ("Oracle, big company, we heard of it") and developers ("Oracle does what I need and works together with my tools"). The latter maybe will tell their management that they can also use a cheaper database because they have to use some new language and tools - .net or JavaScript. They support cheaper databases. Management will like that!

Posted by guest on October 08, 2013 at 04:52 AM PDT #

About

This blog contains topics related to Java SE, Java Security and Usability. The target audience is developers, sysadmins and architects that build, deploy and manage Java applications. Contributions come from the Java SE Product Management team.
