Welcome to the Java Programming Forums


The professional, friendly Java community. 21,500 members and growing!


The Java Programming Forums are a community of Java programmers from all around the World. Our members have a wide range of skills and they all have one thing in common: A passion to learn and code Java. We invite beginner Java programmers right through to Java professionals to post here and share your knowledge. Become a part of the community, help others, expand your knowledge of Java and enjoy talking with like minded people. Registration is quick and best of all free. We look forward to meeting you.


>> REGISTER NOW TO START POSTING


Members have full access to the forums. Advertisements are removed for registered users.

Page 2 of 2 FirstFirst 12
Results 26 to 48 of 48

Thread: Running unsigned (Java) applications like this will be blocked in a future release

  1. #26
    Junior Member
    Join Date
    Oct 2013
    Posts
    28
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Default Re: Running unsigned (Java) applications like this will be blocked in a future release

    Hi Norm

    I can't open the ChartApplet.class file because it's a third-party sourced applet.

    I suspect though that the problem is that the code on the site isn't looking for a Jar file, it's looking for the class files. The class files have been deleted to force use of the Jar file but it doesn't look for that and gives the error. Do you think that's possible?

    Thanks for your help here I really appreciate it.

  2. #27
    Super Moderator Norm's Avatar
    Join Date
    May 2010
    Location
    Eastern Florida
    Posts
    25,042
    Thanks
    63
    Thanked 2,708 Times in 2,658 Posts

    Default Re: Running unsigned (Java) applications like this will be blocked in a future release

    can't open the ChartApplet.class file because it's a third-party sourced applet.
    Ask the third party to verify that file.

    What is in the <applet tag in the html?
    If you don't understand my answer, don't ignore it, ask a question.

  3. #28
    Junior Member
    Join Date
    Oct 2013
    Posts
    28
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Default Re: Running unsigned (Java) applications like this will be blocked in a future release

    Hi Norm

    Unfortunately, I can't open the class file because it's a third-party applet. I suspect that what's going on is that I uploaded the Jar file and deleted the class files to force use of the Jar file. Unfortunately, I think the site isn't programmed to use the Jar so I kicks out an error when it tries to find the class file I deleted. It is peculiar though, what kind of professional wouldn't use a Jar file, seems such a weird thing to do. I do wonder if I can sign the class files rather than the Jar. Anyone know if this is possible? Thanks for any help!

  4. #29
    Super Moderator Norm's Avatar
    Join Date
    May 2010
    Location
    Eastern Florida
    Posts
    25,042
    Thanks
    63
    Thanked 2,708 Times in 2,658 Posts

    Default Re: Running unsigned (Java) applications like this will be blocked in a future release

    site isn't programmed to use the Jar
    Its not the site, its the html that controls what the browser asks for. That's why I asked you to post the <applet tag code from the HTML page.
    If you don't understand my answer, don't ignore it, ask a question.

  5. #30
    Junior Member
    Join Date
    Oct 2013
    Posts
    28
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Default Re: Running unsigned (Java) applications like this will be blocked in a future release

    Hi Norm I took a look and I found this, I think it's what you're asking for

    <APPLET id="Applet1" codeBase="./" height="500" hspace="0" width="700" align="middle" code="com.java4less.rchart.ChartApplet.class"
    vspace="0" name="TestApplet" >

  6. #31
    Super Moderator Norm's Avatar
    Join Date
    May 2010
    Location
    Eastern Florida
    Posts
    25,042
    Thanks
    63
    Thanked 2,708 Times in 2,658 Posts

    Default Re: Running unsigned (Java) applications like this will be blocked in a future release

    There is NO reference to a jar file there. You need to research how to write the <applet tag to use a jar file.
    If you don't understand my answer, don't ignore it, ask a question.

  7. #32
    Junior Member
    Join Date
    Oct 2013
    Posts
    28
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Default Re: Running unsigned (Java) applications like this will be blocked in a future release

    Hi Norm

    I see. OK, that's fine, I can look into that and see how it's done. Thanks so much for your help. I'd assumed that the coding automatically looked for com.java4less.rchart.ChartApplet.class within the Jar file. I really appreciate this, I'm pretty hopeful I can work that out. I really appreciate your time and patience and I'll get back once it's worked out!

  8. #33
    Junior Member
    Join Date
    Oct 2013
    Posts
    28
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Default Re: Running unsigned (Java) applications like this will be blocked in a future release

    Hi Norm

    just to give you an update, the Jar file now works absolutely fine after a bit of fiddling. Thanks so much for your help on this, I was completely lost as to how to fix it. Now on to the signing!

  9. #34
    Super Moderator Norm's Avatar
    Join Date
    May 2010
    Location
    Eastern Florida
    Posts
    25,042
    Thanks
    63
    Thanked 2,708 Times in 2,658 Posts

    Default Re: Running unsigned (Java) applications like this will be blocked in a future release

    Glad you are making progress.
    If you don't understand my answer, don't ignore it, ask a question.

  10. #35
    Junior Member
    Join Date
    Oct 2013
    Posts
    28
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Default Re: Running unsigned (Java) applications like this will be blocked in a future release

    Hi

    just to let you know that the JAR now all works and is signed and uploaded and doing the right things. One odd thing though is that I got a message

    "This application will be blocked in a future Java security update because the JAR file manifest does not contain the Permissions attribute. Please contact the Publisher for more information."

    Reviewing the Jar manifest, it doesn't mention permissions so I guess this is the reason. Googling it, I found permissions could be

    Permissions: all-permissions

    or

    permissions: sandbox

    Other than opening Java, all the data for the charting applet I'm using is downloaded from the website so there are no resources needed from the local computer (so far as I'm aware anyway - it's 3rd party software) so I wonder if I were to put permissions: sandbox it wouldn't need to prompt with the "Do you want to run this application?" message at all to run the applet? People get hung up on security messages! I need to get the JAR file from the 3rd party software provider so I could ask for both a Permissions: all-permissions and permissions: sandbox version I guess.

    Thanks for all the help.

    Andrew

  11. #36
    Junior Member
    Join Date
    Oct 2013
    Posts
    28
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Default Re: Running unsigned (Java) applications like this will be blocked in a future release

    Hi

    I amended the manifest in the jar file myself first to sandbox but it gave an error and invited me to change my java settings. It's for widespead use so I can't have people need to change anything so I revised it to all-permissions and it ran fine. No reference to not having the permissions attribute but still prompting whether the user wants to do this, which is ok.

    So, I'm done, thanks very much for the help here, I really appreciate it, especially Norm who got me on the right track!

  12. #37
    Crazy Cat Lady KevinWorkman's Avatar
    Join Date
    Oct 2010
    Location
    Washington, DC
    Posts
    5,424
    My Mood
    Hungover
    Thanks
    144
    Thanked 636 Times in 540 Posts

    Default Re: Running unsigned (Java) applications like this will be blocked in a future release

    Let us know how it goes in January when Oracle changes all of this.
    Useful links: How to Ask Questions the Smart Way | Use Code Tags | Java Tutorials
    Static Void Games - Play indie games, learn from game tutorials and source code, upload your own games!

  13. #38
    Junior Member
    Join Date
    Oct 2013
    Posts
    28
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Default Re: Running unsigned (Java) applications like this will be blocked in a future release

    Hi Kevin

    gulp! What are they going to change now?? I've just recovered from the latest episode of being thrown under a bus by Oracle!

  14. #39
    Junior Member
    Join Date
    Oct 2013
    Posts
    28
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Default Re: Running unsigned (Java) applications like this will be blocked in a future release

    Hey, can anyone tell me what KevinWorkman is referring too when he says "Let us know how it goes in January when Oracle changes all of this. "?

    Thanks..

  15. #40
    Super Moderator Norm's Avatar
    Join Date
    May 2010
    Location
    Eastern Florida
    Posts
    25,042
    Thanks
    63
    Thanked 2,708 Times in 2,658 Posts

    Default Re: Running unsigned (Java) applications like this will be blocked in a future release

    If you don't understand my answer, don't ignore it, ask a question.

  16. #41
    Crazy Cat Lady KevinWorkman's Avatar
    Join Date
    Oct 2010
    Location
    Washington, DC
    Posts
    5,424
    My Mood
    Hungover
    Thanks
    144
    Thanked 636 Times in 540 Posts

    Default Re: Running unsigned (Java) applications like this will be blocked in a future release

    As well as reply #19 to this thread.
    Useful links: How to Ask Questions the Smart Way | Use Code Tags | Java Tutorials
    Static Void Games - Play indie games, learn from game tutorials and source code, upload your own games!

  17. #42
    Junior Member
    Join Date
    Oct 2013
    Posts
    28
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Default Re: Running unsigned (Java) applications like this will be blocked in a future release

    Hi

    thanks for the information. I'm pretty fortunate to have a revenue base for what I do so I was able to buy a $95 Comodo code-signing certificate from K-Software which is a very good deal compared to elsewhere. Reading the threads it seems like the issue is that Oracle is pretty much slamming the door on the non-commercial community which is a real crying shame. So much infrastructure that's just going to be demolished. Bit by bit this open level playing field is becoming warped to favor those with the money..

    I think I'm right to say that with a paid code-signing cert I should be ok in January or am I missing something?

    Someone mentioned earlier that we'd need to sign the manifest too soon, but I found the manifest is in my applet is in the JAR file so it's signed already, again, am I missing something?

  18. #43
    Crazy Cat Lady KevinWorkman's Avatar
    Join Date
    Oct 2010
    Location
    Washington, DC
    Posts
    5,424
    My Mood
    Hungover
    Thanks
    144
    Thanked 636 Times in 540 Posts

    Default Re: Running unsigned (Java) applications like this will be blocked in a future release

    Sorry, I didn't realize you already paid for a certificate. In that case, you should be fine.

    But yeah, it's a real shame for novices and hobbyists who can't afford certificates. Deploying with Java has always been a bit of a mess, and this is a nail in the coffin for applets.
    Useful links: How to Ask Questions the Smart Way | Use Code Tags | Java Tutorials
    Static Void Games - Play indie games, learn from game tutorials and source code, upload your own games!

  19. #44
    Junior Member
    Join Date
    Oct 2013
    Posts
    28
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Default Re: Running unsigned (Java) applications like this will be blocked in a future release

    I don't know if I'm being unfair to Oracle, but is this all related to the Java security problems that have hit the media over the last couple of years? If applets all had legitimate paid certificates it could put a big chunk of the Java exploiters out of business. ie/ rather than fix its code, Java fixes the user-base. My son says this is an unfair point of view as Java is so widely used. Any views on this?

  20. #45
    Forum VIP
    Join Date
    Jul 2010
    Posts
    1,676
    Thanks
    25
    Thanked 329 Times in 305 Posts

    Default Re: Running unsigned (Java) applications like this will be blocked in a future release

    I think it's criminal what Oracle is doing. Keep in mind that not all commercial certificates are even natively recognized by java. Some of them will still require you to get your end-user to do something in order to "download" the certificate onto their machine. Basically, the only out-of-the-box commercial certificates will be the ones that Oracle decides are worthy. On top of that, operating systems and/or browsers might have their own list of "approved" CAs, so the "Write once, run anywhere" mantra might not be true if a CA which Oracle doesn't already approve of is not used.
    I think you should be fine with Comodo, but I do not know for sure.

    Also, while I understand where you are coming from when you say paid certificates will deter exploiters, java already provides the security warning about unknown publishers and self-signed applets. From then on, it's up to the user whether or not they should trust the developer. It certainly shouldn't be Oracle's fault if a user chooses to run a program from an unknown publisher and gets a virus or something, it is the user's fault. This new update only hurts the development community by adding unnecessary expenses for novice, open-source, and/or nonprofit programmers.
    NOTE TO NEW PEOPLE LOOKING FOR HELP ON FORUM:

    When asking for help, please follow these guidelines to receive better and more prompt help:
    1. Put your code in Java Tags. To do this, put [highlight=java] before your code and [/highlight] after your code.
    2. Give full details of errors and provide us with as much information about the situation as possible.
    3. Give us an example of what the output should look like when done correctly.

    Join the Airline Management Simulation Game to manage your own airline against other users in a virtual recreation of the United States Airline Industry. For more details, visit: http://airlinegame.orgfree.com/

  21. #46
    Crazy Cat Lady KevinWorkman's Avatar
    Join Date
    Oct 2010
    Location
    Washington, DC
    Posts
    5,424
    My Mood
    Hungover
    Thanks
    144
    Thanked 636 Times in 540 Posts

    Default Re: Running unsigned (Java) applications like this will be blocked in a future release

    I do think this is all related to the security exploits.

    Basically, Java is (or at least used to be) set up to allow code to run in one of two modes- in a "sandbox" or not. Code run in a sandbox is not allowed to do things like access your hard drive, which makes that kind of code relatively harmless.

    In the past, applets were run in the sandbox by default. This made sense, because you don't want arbitrary code accessing your hard drive every time you visit a new website.

    But some code (games, for example) need to run "out of the sandbox" for legitimate reasons. Maybe to save a file, maybe to use the gpu, whatever. In the past, that kind of applet popped up a box asking the user to run the applet with the specified permissions, and only then was it allowed out of the sandbox.

    This was also good, as you knew when you were running potentially "dangerous" code. If you didn't know why the box was popping up, you could refuse. If you knew you were trying to run a program, you could accept it.

    (this glosses over the fact that those popups were already user-unfriendly, as most people still don't know the difference between a sandboxed program and a "normal" one)

    Then came the Java exploits. Basically, what they do is allow "dangerous" non-sandboxed code (writing to the hard drive, executing other programs, etc) to run as an applet- without popping up the dialog asking the user if they really wanted to run the code.

    I actually got nailed by this Java exploit. I went to a website that loaded an applet inside an advertisement. This happened silently, so I didn't know an applet was running. The exploit allowed "dangerous" code to be run, which locked up my hard drive and forced me to reformat.

    Oracle has been fighting these exploits for months (years?), and every time they fix one, two more seem to pop up. Oracle then made it so a popup displays every time any applet is run, including completely sandboxed applets. I thought this was a pretty reasonable solution, even though it was pretty unfriendly to end users.

    Even though that solution seems to have been working, their end solution seems to be disabling applets for everybody except people who pay for certificates. The thinking is that virus writers aren't going to spend any money on a certificate that will be revoked the first time somebody reports them.

    This is a real shame for novices or hobbyists just learning Java. They can no longer throw an applet on a webpage to show off their work, which I think is really going to hurt front-end Java. Why go through these hurdles if I can just use JavaScript or Unity or html5? (there are answers to that question, but I'll save that for another rant)

    But that's just it- think about it from Oracle's perspective. They don't really care about front-end Java. All of the focus is on server-side Java, and that's where Oracle is going to spend their resources. That leaves user communities to deal with the front-end side of Java (JavaFX being the exception, and I'm very interested in how that plays out). And here we are.

    Keep in mind that none of the "dangerous" code is special to Java. Any real language can do things like access your hard drive and really screw your system over. The problem with Java is that applets let this kind of code run in the browser, and the exploits let this code run without the user knowing it. It seems a little funny to me that the "solution" to the problem is to have end users downloading .exe files, which have absolutely no security attached to them whatsoever. But the thinking is that the user has to /know/ they're running the file, so they're less likely to run harmful code. We'll see.
    Useful links: How to Ask Questions the Smart Way | Use Code Tags | Java Tutorials
    Static Void Games - Play indie games, learn from game tutorials and source code, upload your own games!

  22. #47
    Forum VIP
    Join Date
    Jul 2010
    Posts
    1,676
    Thanks
    25
    Thanked 329 Times in 305 Posts

    Default Re: Running unsigned (Java) applications like this will be blocked in a future release

    I read an article from a few months back where the author was claiming that Oracle was attempting to destroy the java sandbox.

    Oracle then made it so a popup displays every time any applet is run, including completely sandboxed applets. I thought this was a pretty reasonable solution, even though it was pretty unfriendly to end users.
    Minor inconvenience, in my opinion. Given the upside of doing it, it never bothered me much.

    If Oracle really gave a crap and still didn't want to change much, they would take the same approach that Google took to potentiality dangerous apps on the Android system: instead of a general "sandbox or all" permission system, require the developer to specific the exact system functionality the app will require, and present that information to the user. For example, if you go to the Android app store and download an app, you are told everything that app requests permission to do (monitor phone calls, access internet, use cell data, ect.).
    This provides the end-user enough information about the potentiality dangerous code to make an informed decision on whether or not they want to run it.
    NOTE TO NEW PEOPLE LOOKING FOR HELP ON FORUM:

    When asking for help, please follow these guidelines to receive better and more prompt help:
    1. Put your code in Java Tags. To do this, put [highlight=java] before your code and [/highlight] after your code.
    2. Give full details of errors and provide us with as much information about the situation as possible.
    3. Give us an example of what the output should look like when done correctly.

    Join the Airline Management Simulation Game to manage your own airline against other users in a virtual recreation of the United States Airline Industry. For more details, visit: http://airlinegame.orgfree.com/

  23. #48
    Crazy Cat Lady KevinWorkman's Avatar
    Join Date
    Oct 2010
    Location
    Washington, DC
    Posts
    5,424
    My Mood
    Hungover
    Thanks
    144
    Thanked 636 Times in 540 Posts

    Default Re: Running unsigned (Java) applications like this will be blocked in a future release

    You can already specify individual permissions. You still have to sign a jar that specifies individual permissions.

    The change means that self-signed jars, even ones that specify individual permissions, will no longer run unless the end-user futzes around in their control panel. This is bad because most end-users don't know anything about Java, let alone how to change their security settings. They'll just know "it doesn't work!" and give up.
    Useful links: How to Ask Questions the Smart Way | Use Code Tags | Java Tutorials
    Static Void Games - Play indie games, learn from game tutorials and source code, upload your own games!

Page 2 of 2 FirstFirst 12

Similar Threads

  1. Converting a piece of C# code to Java (unsigned longs, etc)
    By nahkiss in forum What's Wrong With My Code?
    Replies: 2
    Last Post: May 10th, 2013, 12:44 PM
  2. apple safari blocked java plugin
    By macko in forum Java Theory & Questions
    Replies: 0
    Last Post: January 12th, 2013, 04:40 AM
  3. Java Scope in future
    By Shemil in forum Member Introductions
    Replies: 2
    Last Post: July 20th, 2011, 04:45 PM
  4. Future of Java
    By Skynet.Boy in forum Java Theory & Questions
    Replies: 4
    Last Post: March 15th, 2010, 09:12 AM