Welcome to the Java Programming Forums


The professional, friendly Java community. 21,500 members and growing!


The Java Programming Forums are a community of Java programmers from all around the World. Our members have a wide range of skills and they all have one thing in common: A passion to learn and code Java. We invite beginner Java programmers right through to Java professionals to post here and share your knowledge. Become a part of the community, help others, expand your knowledge of Java and enjoy talking with like minded people. Registration is quick and best of all free. We look forward to meeting you.


>> REGISTER NOW TO START POSTING


Members have full access to the forums. Advertisements are removed for registered users.

Page 1 of 2 12 LastLast
Results 1 to 25 of 48

Thread: Running unsigned (Java) applications like this will be blocked in a future release

  1. #1
    Junior Member
    Join Date
    Oct 2013
    Posts
    29
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Default Running unsigned (Java) applications like this will be blocked in a future release

    Hi

    I have a website that I had built about 8 years ago and uses a java applet for plotting graphs. I did the original programming of the applet for my first site and then professional programmers took my coding and incorporated it into the current site 8 years ago. The site is database driven and works very smoothly and is providing very specialized data to very large US utility companies.

    With the recent upgrade of Java, I now get a message saying

    "Do you want to run this application An unsigned application from the location below is requesting permission to run."

    "Running unsigned applications like this will be blocked in a future release because it is potentially unsafe and a security risk"

    "click Cancel to stop this app or Run to allow it to continue."

    I guess this means that I'm going to have to get my java applet signed. I haven't really got much idea how I should go about this, could someone give me some pointers? Do I need to buy a digital signature? I notice there seem to be different levels of signature, can someone please advise what I would need?

    Thanks for your help.

    Pavesa


  2. #2
    Super Moderator
    Join Date
    Jun 2013
    Location
    So. Maryland, USA
    Posts
    5,849
    My Mood
    Mellow
    Thanks
    239
    Thanked 721 Times in 707 Posts

    Default Re: Running unsigned (Java) applications like this will be blocked in a future release

    I recommend you do a simple search, something like "java applet signing", and notice the topics that come up, everything from how to do it, why you should/shouldn't etc., and become smarter on the whole topic. After you've gotten smarter, THEN decide what to do.

  3. #3
    Junior Member
    Join Date
    Oct 2013
    Posts
    29
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Default Re: Running unsigned (Java) applications like this will be blocked in a future release

    Hi

    thanks for the thoughts.

    I think I'm getting a few thoughts together on this. An issue I'm not sure about is that my website it owned by a company "ABC" and I'm wondering whether the digital certificate needs to be owned by ABC or a domain name registered to ABC or whether I can own it myself. Conceivably, checks could be to ensure that the certificate is registered to the domain name or its owner. I'd prefer to own it myself if possible. Does anyone know this? I would have guessed that just a signed java applet would be enough to satisfy java to run happily without popup warnings..

    Thanks

    Pavesa

  4. #4
    Forum VIP
    Join Date
    Jul 2010
    Posts
    1,684
    Thanks
    25
    Thanked 333 Times in 309 Posts

    Default Re: Running unsigned (Java) applications like this will be blocked in a future release

    You can sign it yourself if you have your own digital certificate. If you are talking about java making sure the program is not stolen and used on another website, that has been taken care of by the codebase tag in JNLP and the jar's manifest.
    Also, supposedly, if someone steals your jar and attempts to modify the manifest, it invalidates the digital signature.
    NOTE TO NEW PEOPLE LOOKING FOR HELP ON FORUM:

    When asking for help, please follow these guidelines to receive better and more prompt help:
    1. Put your code in Java Tags. To do this, put [highlight=java] before your code and [/highlight] after your code.
    2. Give full details of errors and provide us with as much information about the situation as possible.
    3. Give us an example of what the output should look like when done correctly.

    Join the Airline Management Simulation Game to manage your own airline against other users in a virtual recreation of the United States Airline Industry. For more details, visit: http://airlinegame.orgfree.com/

  5. #5
    Junior Member
    Join Date
    Oct 2013
    Posts
    29
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Default Re: Running unsigned (Java) applications like this will be blocked in a future release

    Hi Aussiemcgr

    thanks for the insight on this, I really appreciate it.

    Pavesa

  6. #6
    Junior Member
    Join Date
    Oct 2013
    Posts
    29
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Default Re: Running unsigned (Java) applications like this will be blocked in a future release

    Hi

    from what I read, I need to use Jarsigner to sign and time stamp my JAR files. Can anyone tell me where I can get this? I found the instructions on Oracle's website but no link to get hold of the software. Is it part of the JDK?

    Thanks..

  7. #7
    Forum VIP
    Join Date
    Jul 2010
    Posts
    1,684
    Thanks
    25
    Thanked 333 Times in 309 Posts

    Default Re: Running unsigned (Java) applications like this will be blocked in a future release

    Yes, it is part of the JDK (and a real pain in the ass to use).

    Depending on your IDE, I suppose you might be able to find a plug-in that does it for you. If you do try to find a plug-in, tell me if you have any success with one.
    NOTE TO NEW PEOPLE LOOKING FOR HELP ON FORUM:

    When asking for help, please follow these guidelines to receive better and more prompt help:
    1. Put your code in Java Tags. To do this, put [highlight=java] before your code and [/highlight] after your code.
    2. Give full details of errors and provide us with as much information about the situation as possible.
    3. Give us an example of what the output should look like when done correctly.

    Join the Airline Management Simulation Game to manage your own airline against other users in a virtual recreation of the United States Airline Industry. For more details, visit: http://airlinegame.orgfree.com/

  8. #8
    Junior Member
    Join Date
    Oct 2013
    Posts
    29
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Default Re: Running unsigned (Java) applications like this will be blocked in a future release

    Well, hopefully I just have to do this once in the next X years, so I'm gonna try the Jarsigner. Thanks for the info..

  9. #9
    Forum VIP
    Join Date
    Jul 2010
    Posts
    1,684
    Thanks
    25
    Thanked 333 Times in 309 Posts

    Default Re: Running unsigned (Java) applications like this will be blocked in a future release

    FYI: make sure you have the permissions tag in your manifest. Since Java 7, Update 40 (could have been a bit sooner), it has been flagging applets without the permissions attribute, warning that they may be disabled in a future update. I noticed it when I was testing my latest release today, and I was like: arg!
    Apparently the permissions tag in the JNLP is not going to be enough for much longer. We'll need to put it in the manifest too.
    NOTE TO NEW PEOPLE LOOKING FOR HELP ON FORUM:

    When asking for help, please follow these guidelines to receive better and more prompt help:
    1. Put your code in Java Tags. To do this, put [highlight=java] before your code and [/highlight] after your code.
    2. Give full details of errors and provide us with as much information about the situation as possible.
    3. Give us an example of what the output should look like when done correctly.

    Join the Airline Management Simulation Game to manage your own airline against other users in a virtual recreation of the United States Airline Industry. For more details, visit: http://airlinegame.orgfree.com/

  10. #10
    Junior Member
    Join Date
    Oct 2013
    Posts
    29
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Default Re: Running unsigned (Java) applications like this will be blocked in a future release

    I've been doing a bit more investigation on this and I've found I don't seem to have a .jar file on my site. I'm using a product called RChart (excellent by the way) and there are *.java files. Anyone happen to know if this file is the equivalent of the *.jar file?

    Thanks for your help..

    Pavesa

  11. #11
    Forum VIP
    Join Date
    Jul 2010
    Posts
    1,684
    Thanks
    25
    Thanked 333 Times in 309 Posts

    Default Re: Running unsigned (Java) applications like this will be blocked in a future release

    No .java files are java source files. They are not even compiled and cannot be ran in any way. When .java files are compiled, you get .class files. The .class files are packaged into a .jar, which is ran. You can, however, open .java files in your IDE, or notepad.
    NOTE TO NEW PEOPLE LOOKING FOR HELP ON FORUM:

    When asking for help, please follow these guidelines to receive better and more prompt help:
    1. Put your code in Java Tags. To do this, put [highlight=java] before your code and [/highlight] after your code.
    2. Give full details of errors and provide us with as much information about the situation as possible.
    3. Give us an example of what the output should look like when done correctly.

    Join the Airline Management Simulation Game to manage your own airline against other users in a virtual recreation of the United States Airline Industry. For more details, visit: http://airlinegame.orgfree.com/

  12. #12
    Junior Member
    Join Date
    Oct 2013
    Posts
    29
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Default Re: Running unsigned (Java) applications like this will be blocked in a future release

    Hi Aussiemcgr

    I seem to have unpackaged class files in the page that generates the chart. Eg

    APPLET id="Applet1" codeBase="./" height="500" hspace="0" width="700" align="middle" code="com.charting.mychart.ChartApplet.class"
    vspace="0" name="TestApplet" VIEWASTEXT>

    Looks like it runs ChartApplet.class outside a JAR file. It was built in visual studio and the start of the page refers to

    Inherits="Website.PlotGraph"

    which looks like it refers to a DLL called Website.dll in the bin folder

    The site works, so I have to say it is possible but I wonder if in this scenario there is no Jar file?

    I really appreciate the advice on this

    Pavesa



    Is that possible?

    Andrew

  13. #13
    Member vigneshwaran's Avatar
    Join Date
    Nov 2012
    Location
    Chennai, TamilNadu
    Posts
    35
    My Mood
    Cheerful
    Thanks
    7
    Thanked 1 Time in 1 Post

    Default Re: Running unsigned (Java) applications like this will be blocked in a future release

    How can a class be outside JAR (Java Archive) ?
    Every class are packaged to Jar. I wonder about what you saying..

  14. #14
    Super Moderator Norm's Avatar
    Join Date
    May 2010
    Location
    Eastern Florida
    Posts
    21,240
    Thanks
    52
    Thanked 2,298 Times in 2,269 Posts

    Default Re: Running unsigned (Java) applications like this will be blocked in a future release

    Yes .class files can be outside of a jar file. I think the browser first looks in the archive file(usually a jar file) and if the class is not found there will send a HTTP GET to the server for the .class file.
    If the app uses multiple class files, it'd be more efficient to put them all in a jar file to cut down on the number of HTTP GETs that need to be made.
    If you don't understand my answer, don't ignore it, ask a question.

  15. #15
    Junior Member
    Join Date
    Oct 2013
    Posts
    29
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Default Re: Running unsigned (Java) applications like this will be blocked in a future release

    Hi

    I made this post about 3 weeks ago and have been digging away getting my code signing cert and now starting to look at signing the Java. As mentioned above, there currently is no .Jar file on the site so I split the task into 2 parts just the .class files etc

    1) Get a .Jar working

    2) Sign the working Jar

    Unfortunately, I don't seem to yet to have succeeded with (1) and I'm wondering if this is something to do with the site having been built (professionally) in Visual Studio and maybe this integrates Java and digital certificates in a different way. The site was probably built about 8 years ago and unfortunately the firm that built it died during the crisis so I can't talk to them. I notice there is a folder called "bin" with a .dll in it called MySite.dll and although I can't read most of it, when I open the file with wordpad I can see the word "PublicKeyToken" which makes me wonder whether both Java and digital certs need incorporating through Visual Studio. Any help on this much appreciated!

  16. #16
    Super Moderator Norm's Avatar
    Join Date
    May 2010
    Location
    Eastern Florida
    Posts
    21,240
    Thanks
    52
    Thanked 2,298 Times in 2,269 Posts

    Default Re: Running unsigned (Java) applications like this will be blocked in a future release

    Sorry, I don't know anything about VisualStudio.

    If you have all the class files needed for the program, you can use the jar program that comes with the JDK to create a jar file. To make the jar file executable it will have to contain a properly coded manifest file.
    If you don't understand my answer, don't ignore it, ask a question.

  17. #17
    Junior Member
    Join Date
    Oct 2013
    Posts
    29
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Default Re: Running unsigned (Java) applications like this will be blocked in a future release

    Hi Norm

    thanks for the feedback. Currently I don't have a manifest file on the site - the Applet I have works fine although it's probably about 10 years old so maybe it pre-dates manifests.. Is a manifest necessary to do the code signing?

  18. #18
    Super Moderator Norm's Avatar
    Join Date
    May 2010
    Location
    Eastern Florida
    Posts
    21,240
    Thanks
    52
    Thanked 2,298 Times in 2,269 Posts

    Default Re: Running unsigned (Java) applications like this will be blocked in a future release

    You don't need a manifest file for an applet. I was talking about an application that would execute by itself with a double click.
    If you don't understand my answer, don't ignore it, ask a question.

  19. #19
    Crazy Cat Lady KevinWorkman's Avatar
    Join Date
    Oct 2010
    Location
    Washington, DC
    Posts
    5,483
    My Mood
    Hungover
    Thanks
    144
    Thanked 643 Times in 548 Posts

    Default Re: Running unsigned (Java) applications like this will be blocked in a future release

    This is also going to affect me pretty severely. I started a conversation on JGO that you might find helpful: Running Jar with Unknown Publisher Blocked in Future Java Release - Java-Gaming.org

    The bad news is, simply signing your jar might not be enough either, as self-signed jars are just as evil (in Oracle's eyes) as unsigned jars. I'd love for somebody to correct me if I'm wrong, but I believe the only way to deploy a jar via the web is to purchase a certificate (which is expensive and not a solution for me).

    The way to go seems to be to package your jar up as an executable. That's going to be my project during December, as this stuff is dropping in January.

    I'd love to be wrong about this, so I appreciate any more information on how people are getting around these new precautions.
    Useful links: How to Ask Questions the Smart Way | Use Code Tags | Java Tutorials
    Static Void Games - Play indie games, learn from game tutorials and source code, upload your own games!

  20. #20
    Junior Member
    Join Date
    Oct 2013
    Posts
    29
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Default Re: Running unsigned (Java) applications like this will be blocked in a future release

    Hi Norm

    thanks very much for the info, that does take the manifest side out of the equation.

    So that just leaves me wondering whether sites built with Visual Studio have different procedures for running Java (with or without .Jar files) with the Java integrated via the MySite.dll in the bin directory and similarly if code signing is done via that MySite.dll or whether Java and code signing are just stand-alone on with a Jar file like any other website. Does anyone happen to know?

    It's probably evident from the wording of my posting that this is all almost entirely outside my experience/knowledge, so I really appreciate the sign pointers you're giving here..

  21. #21
    Super Moderator Norm's Avatar
    Join Date
    May 2010
    Location
    Eastern Florida
    Posts
    21,240
    Thanks
    52
    Thanked 2,298 Times in 2,269 Posts

    Default Re: Running unsigned (Java) applications like this will be blocked in a future release

    I don't know what a .dll file in an applet's jar file is for. That sounds like a potential security issue if the applet is expecting to execute the .dll on the user's machine.
    See Kevin's earlier post. Applets may be finished in the near future because of the security issues.
    If you don't understand my answer, don't ignore it, ask a question.

  22. #22
    Junior Member
    Join Date
    Oct 2013
    Posts
    29
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Default Re: Running unsigned (Java) applications like this will be blocked in a future release

    Hi Norm

    thanks for the posting. I think I mis-explained. The website has a .dll file and I assume this is produced by Visual Studio because it's been there ever since I had the site built. My speculation is that Visual Studio integrates/links (somehow) all sorts of functionality into this .dll (in the bin folder) such as the "Jar" functionality and maybe also the whole code signing side. Just wonder if anyone knows. The Jar file doesn't contain the .dll, I'm speculating that the .dll somehow contains the Jar file itself or maybe its functionality..

  23. #23
    Super Moderator Norm's Avatar
    Join Date
    May 2010
    Location
    Eastern Florida
    Posts
    21,240
    Thanks
    52
    Thanked 2,298 Times in 2,269 Posts

    Default Re: Running unsigned (Java) applications like this will be blocked in a future release

    Ok, the .dll is used by the server and might provide services to an applet that sent a special request to the server which would be handled by the server executing the .dll. Just a guess.
    If you don't understand my answer, don't ignore it, ask a question.

  24. #24
    Junior Member
    Join Date
    Oct 2013
    Posts
    29
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Default Re: Running unsigned (Java) applications like this will be blocked in a future release

    Hi

    I've made a bit more progress. The site uses ASP.Net and has a bunch of .resx files so it looks like the site has a satellite dll to bring everything together.

    As an experiment, I removed all the class files and uploaded to the root director a jar file that I have with my charting Java applet. I'm getting a ClassFormatError

    "Incompatible magic value 1008813135 in class file com/java4less/rchart/ChartApplet"

    I tried googling this and it seems to be associated with trying to load something that the server doesn't know as noted here

    From http://stackoverflow.com/questions/2390733/incompatible-magic-value-1008813135>
    0xCAFEBABE is the usual first 4 bytes of a Java file.
    1008813135 is <!DO in Latin encoding, which is, in all probability, the start of <!DOCTYPE....
    It is therefore likely the start of a 404 error, or some other error page from the server
    ie. You may be trying to load something that the server doesn't know.

    Does anyone have any thoughts? I wonder if I can sign the class files individually rather than try and get the site working on a Jar file and then sign that. I don't know if that's possible.

  25. #25
    Super Moderator Norm's Avatar
    Join Date
    May 2010
    Location
    Eastern Florida
    Posts
    21,240
    Thanks
    52
    Thanked 2,298 Times in 2,269 Posts

    Default Re: Running unsigned (Java) applications like this will be blocked in a future release

    "Incompatible magic value 1008813135 in class file com/java4less/rchart/ChartApplet"
    The .class file contains html , not a valid class file. Edit the ChartApplet.class file and see.
    If you don't understand my answer, don't ignore it, ask a question.

Page 1 of 2 12 LastLast

Similar Threads

  1. Converting a piece of C# code to Java (unsigned longs, etc)
    By nahkiss in forum What's Wrong With My Code?
    Replies: 2
    Last Post: May 10th, 2013, 12:44 PM
  2. apple safari blocked java plugin
    By macko in forum Java Theory & Questions
    Replies: 0
    Last Post: January 12th, 2013, 03:40 AM
  3. Java Scope in future
    By Shemil in forum Member Introductions
    Replies: 2
    Last Post: July 20th, 2011, 04:45 PM
  4. Future of Java
    By Skynet.Boy in forum Java Theory & Questions
    Replies: 4
    Last Post: March 15th, 2010, 09:12 AM