Geek Answers Handbook

Java popup says apps contain both unsigned and signed code

I am using Mac 10.7 with Java 1.7.0_21. I try to run a Java applet application that is signed, and by the end of the application I get a pop-up message about mixed mode: "Block potentially dangerous components due to start?". All banks that I use are signed.

I can run the same applet application on Mac 10.6 running Java 6, and I do not get a mixed mode warning. I can also run the application on windows without warning about mixed mode.

Why do I always get this error when all my banks are signed?

I was looking for googled mixed mode warning and found this link.

http://docs.oracle.com/javase/6/docs/technotes/guides/jweb/mixed_code.html#manifest

and after reading this link, I'm a little confused. According to this link, it looks like I need the "Trusted" or "Trusted Library" attribute mentioned in my manifest file. I looked at my manifest file and they do not have these attributes, so I have to put them or just the fact that the banks were signed should have been enough.

Can someone please help me understand why I get this error even when everything is signed?

+7
source share
4 answers

Update 21 for Java 7 is a strong security update that brings a certain number of violations.

You should take a look at the release notes ; there are two paragraphs and two known issues with signed banks.

Your problem is this:

Scope : Deployment / Plugin

Synopsis : Security pop-up when closing an application

Starting with JDK 7u21, JavaScript code that invokes code in a signed applet that works with all permissions is treated as mixed code, and warnings are displayed if signed JAR files are not marked with the Trusted-Library=true attribute. See section "Mixing code with permissions and non-permissions code (doc link)".

For a signed applet with all permissions to invoke JavaScript, a security dialog box does not appear (with mixed code warning). However, in some scenarios a mixed code warning is displayed.

Good news: there is a workaround :

As a workaround, if the application jar works with all permissions and uses the "Trusted-library: true" attribute as a manifest entry, a warning about mixed code will not pop up.

+8
source

The best fix is ​​using Trusted-Library=true , however, if you can't get this to work for any reason, you can also change the way you handle mixed applets using a computer.

http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/properties.html

Create the following file on the user's workstation. C:\Windows\Sun\Java\Deployment\deployment.properties

In the file, add the following line: deployment.security.mixcode="HIDE_RUN"

This will mean that Java hides a security warning and launches the applet in the presence of a mixed state of code. In addition, the release notes state:

Like the JDK 7u21, the JavaScript code that invokes the code in the privileged applet is treated as mixed code, and warning dialogs occur if signed JAR files are not marked with the Trusted-Library attribute.

For more information, see Privileged Code and Sandbox Code. documentation.

The JDK 7u21 release allows users to make more informed decisions before launching Rich Internet Applications (RIAs), offering users permissions before launching the RIA. These permission dialogs include information about the certificate used to sign the application, the location of the application, and the access level that the application requests. For more information, see RIAs.

FYI, JRE 6u19, if the applet contains both privileged components and sandbox components, warning dialogs are displayed.

+2
source

I also have an applet that generated this security warning starting with JRE 1.7.0_21.

Here is what I learned. "Trusted-Only: true", which you would put in the applet manifest if you do not want the user to ask if he will allow the call to another signed bank. The call will be blocked without a security warning. Trusted Library: True, you add to the jar that you are calling. If it is in the jar manifest, and the bank signs when your applet calls it, there will be no security warning and the call will not be blocked.

My applet uses swing-layout-1.0.4.jar. To solve the problem, I had to add "Trusted-Library: true" to swing-layout-1.0.4.jar. You must do this using the jar.exe application in the JDK.

jar vcmf swing-layout-1.0.4a.jar MyManifest.mf swing-layout-1.0.4.jar

MyManifest.mf is a text file containing "Trusted-Library: true". The space between: and true is important, and you should have a carriage return at the end of the line.

For some reason I couldn't get this to work, so I rebuilt the swing-layout using netbeans. Sources for swing-layout-1.0.4 are part of the netbeans installation (under the platform). I unpacked it, opening it as a project. In the files, I changed the manifest file to a magic line (again, it is important to have a space after: and an empty line at the end of the manifest file) and click on the assembly. Then I signed the bank and no longer warned about security.

I hope this helps, or at least points you in the right direction

+2
source

Thank you all for your answers. I tried adding Trusted-Library = true on a small sample and it seems to work. So now I will try to update the manifest file of all my cans. And since we use ant, I will do the following

  <jar update="true" jarfile="${deploy.dir}/javaApp.jar"> <manifest> <attribute name="Trusted-Library" value="true" /> </manifest> </jar>

to update manifest files.

+1
source

More articles:


All Articles