IMP: Your Java Applets and Web Start Applications Should Be Signed

Starting with Java SE 7 Update 21 in April 2013, all Java Applets and Web Start Applications should be signed with a trusted certificate.

The April 16th, 2013 Critical Patch Update for Java SE (7u21) will change the launch behavior of Java Applets and Web Start Applications. Users will be presented with one or more dialogs that provide additional information, and can choose to continue or terminate execution. For the best possible user experience, your Applets and Web Start Applications should be signed.

What does this mean? Java SE 7u21 will introduce changes to Java browser plug-in behavior, encouraging application authors and vendors to sign code with a certificate from a trusted Certificate Authority. You, as a developer, are strongly encouraged to sign code now in preparation for this release and future releases.

For more information, read Java Applet & Web Start - Code Signing on OTN.
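To find out which of your deployed JARs are affected, a structural audit like the following can be run over each one. This is an added example, not code from Oracle or the original post: the function names and the in-memory sample JARs are constructed for illustration. It reports whether a JAR is unsigned, fully signed, or only partially covered by its signature file.

```python
import io
import re
import zipfile

# Files the JAR signing scheme does not itself digest (treated here as signature-related).
SIG_RELATED = re.compile(r"^META-INF/(MANIFEST\.MF|SIG-[^/]*|[^/]+\.(SF|RSA|DSA|EC))$", re.I)
SIG_FILE = re.compile(r"^META-INF/[^/]+\.SF$", re.I)
SIG_BLOCK = re.compile(r"^META-INF/[^/]+\.(RSA|DSA|EC)$", re.I)

def digested_names(text):
    """Entry names that carry a *-Digest attribute in a manifest-style file."""
    text = re.sub(r"\r\n?", "\n", text).replace("\n ", "")  # unfold wrapped lines
    names = set()
    for section in text.split("\n\n"):
        attrs = dict(line.split(": ", 1) for line in section.split("\n") if ": " in line)
        if "Name" in attrs and any(k.endswith("-Digest") for k in attrs):
            names.add(attrs["Name"])
    return names

def audit_jar(data):
    """Return ('unsigned' | 'partial' | 'signed', entries no signer covers)."""
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        entries = [n for n in jar.namelist() if not n.endswith("/")]
        sig_files = [n for n in entries if SIG_FILE.match(n)]
        if not sig_files or not any(SIG_BLOCK.match(n) for n in entries):
            return "unsigned", []
        covered = set()
        for name in sig_files:
            covered |= digested_names(jar.read(name).decode("utf-8"))
    payload = {n for n in entries if not SIG_RELATED.match(n)}
    missing = sorted(payload - covered)
    return ("partial" if missing else "signed"), missing

def build_jar(files):
    """Build an in-memory JAR from {name: content}; used for the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name, body in files.items():
            jar.writestr(name, body)
    return buf.getvalue()

# Constructed sample data: digests and the signature block are placeholders.
SF = "Signature-Version: 1.0\r\n\r\nName: app/Main.class\r\nSHA-256-Digest: AAAA\r\n\r\n"
BASE = {"META-INF/MANIFEST.MF": "Manifest-Version: 1.0\r\n\r\n", "app/Main.class": b"\xca\xfe"}
SIGNED = build_jar({**BASE, "META-INF/DEMO.SF": SF, "META-INF/DEMO.RSA": b"placeholder"})
PARTIAL = build_jar({**BASE, "META-INF/DEMO.SF": SF, "META-INF/DEMO.RSA": b"placeholder",
                     "app/Extra.class": b"\xca\xfe"})
UNSIGNED = build_jar(BASE)
```

This is a structural check only: it does not verify digests or the certificate chain, which `jarsigner -verify` does.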

Comments:

I long for the day when our last web application designs Java out!

Posted by guest on April 05, 2013 at 10:38 AM PDT #

Current version is Java SE 7 Update 17.
In this article Java SE 7 Update 21 is mentioned.
What about Java SE 7 Update 18 and/or 19?

Posted by guest on April 10, 2013 at 03:01 AM PDT #

The reason that the version increments are in odd or even increments is based on whether the update is critical or not. In this case Oracle is addressing a Security vulnerability which would be critical and explains skipping the even number updates.

Posted by Tori on April 16, 2013 at 01:39 PM PDT #

I am going to try.

Posted by Katsunori Nakamura on April 16, 2013 at 09:22 PM PDT #

It is not clear what I should do exactly.

Posted by Mallikaraj on April 19, 2013 at 01:43 AM PDT #

I need to implement web video/audio chat in Java urgently. I came to know that JMF is good for implementing video chat.
Can you provide some basic implementation or prototype that I can use as a guide?
Please guide me.

Posted by Sumit on April 19, 2013 at 04:02 AM PDT #

I hope this is a temporary change until the holes in the security model are fixed ... getting a CA-signed code-signing certificate is expensive (Thawte used to have a program that could issue a free certificate based on an e-mail address, but it has been closed down) and a hassle, and there's a lot of cool stuff that an applet could do while still respecting the same-origin policy if only the Java platform didn't take so long to load and pop up so many security warnings.

Posted by David L on April 19, 2013 at 05:49 AM PDT #

Sumit,
You should go to the Java Forums to ask technical questions.
https://forums.oracle.com/forums/category.jspa?categoryID=285

Posted by Tori on April 22, 2013 at 11:09 AM PDT #

I will *never* sign my applets. Instead I am converting all of the existing ones into other languages (specifically JavaScript and Dart). However, I do find it sad that such a great technology has been killed with decisions like this.

Posted by guest on April 23, 2013 at 08:54 AM PDT #

Thanks

Posted by guest on June 04, 2013 at 12:45 AM PDT #

Actually you can use a self-signed cert just fine. Just import the root/public key into the CACERTS store as well as the browser cert store on the clients.

Posted by guest on June 21, 2013 at 04:29 AM PDT #

To clarify, signed applications run in the sandbox. That behavior changed back in 7u25 (April 2013) and there’s an external write-up at http://www.cert.org/blogs/certcc/2013/09/signed_java_applet_security_im.html

If you’re looking to avoid purchasing a code-signing certificate, you can find instructions for self-signing over at https://blogs.oracle.com/java-platform-group/entry/self_signed_certificates_for_a

Posted by Tori on January 13, 2014 at 10:45 AM PST #
