Java applet manifest - Allow all Caller-Allowable-Codebase

暗喜 2020-11-28 02:10

As of Java 7u45 an applet will display a warning message (even if signed with a trusted cert) if a webpage tries to interact with it via JavaScript and that page isn't list

16 answers
  • 2020-11-28 03:03

    I found something strange with the MANIFEST.MF file in the scope of the last Java security issue with the new attribute "Caller-Allowable-Codebase". I had some issues where this new attribute wasn't helpful for me, and started an investigation
    (Attention!: it may be related only to my local computer configuration, because I had never seen such troubles on Stack Overflow).

    The manifest file had been upgraded according to the new security feature:

    Manifest-Version: 1.0
    Application-Library-Allowable-Codebase: *
    Caller-Allowable-Codebase: *
    

    and the *.jar was built, but without signing.

    So, then I unpacked my *.jar file and looked in the META-INF folder at MANIFEST.MF, where the source manifest.mf should be generated.

    And I was embarrassed by the absence of the last line; it looked like this:

    Manifest-Version: 1.0
    Application-Library-Allowable-Codebase: *
    

    I tested this behavior several times and found out that the last line was always replaced with whitespace. So, if it is helpful for someone, just append some meaningless attribute at the end of the MANIFEST.MF file, like Codebase: *, which will be cut during the *.jar build.

  • 2020-11-28 03:06

    For update 1.7.0_25 (and probably 21-40), setting the security settings to Medium in the Java Control Panel -> Security tab removes prompting when using the manifest tags for update 1.7.0_45.

  • 2020-11-28 03:07

    Removing the Trusted-Library attribute seems to be mandatory to get Caller-Allowable-Codebase working, no more warnings. However, this breaks Java 7 Update 21 - 40 which treated JavaScript code that calls code within a signed applet running with all permissions as mixed code and warning dialogs are raised if the signed JAR files are not tagged with the Trusted-Library=true attribute.

  • 2020-11-28 03:07

    I had the same issue. The solution for me was using the same parameters in the manifest as Oracle used on the download page in the applet for verifying the Java version: http://www.java.com/en/download/installed.jsp Their applet does not pop up any warnings.

    So the solution is:


    Manifest-Version: 1.0
    Codebase: *
    Permissions: all-permissions
    Application-Library-Allowable-Codebase: *
    Caller-Allowable-Codebase: *
    Application-Name: APPNAME

    It works on:
    1.7.0_17-b02
    1.7.0_25-b17
    1.7.0_45-b18

  • 2020-11-28 03:09

    Without using Trusted-Library and setting:

    Application-Library-Allowable-Codebase: *
    Caller-Allowable-Codebase: *
    

    Doesn't work for me, and I still see the warning.

    Update: Tried also with http://... but that didn't work either.

    Update 2: Seems even worse. I didn't update 7u40 (to 7u45) but the Java console (full debug) shows the "LiveConnect 1.7.45" text. After that, my JavaScript->Java calls are blocked.

    Update 3: I noticed my warning shows Application and Publisher = UNKNOWN, although I have:

    Application-Name: MyApplet
    Implementation-Vendor: MyCompany
    

    I tried using JDK7u45 instead of the JDK7u5 I was using.

  • 2020-11-28 03:10

    From Oracle:

    Area: Deployment/Plugin Synopsis: Caller-Allowable-Codebase may be ignored when used with Trusted-Library.

    If a trusted, signed jar is using the Caller-Allowable-Codebase manifest attribute along with Trusted-Library then the Caller-Allowable-Codebase manifest entry will be ignored and, as a result, a JavaScript -> Java call will show the native LiveConnect warning. The workaround is to remove the Trusted-Library manifest entry.

    http://www.oracle.com/technetwork/java/javase/7u45-relnotes-2016950.html

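As an added example (not code from any of the answers or from Oracle), this Python check covers the first answer's missing last line and the Oracle release note quoted in the last answer: it compares the manifest given to the build with the one inside the built JAR and flags the Trusted-Library conflict. It assumes the documented rule that the last line of a manifest must end with a newline to be parsed, adds a wildcard check of its own, and uses constructed sample manifests; the function names and `applet.example.com` are hypothetical.

```python
import io
import zipfile

def parse_main_section(raw: bytes) -> dict:
    """Main-section attributes with lower-cased names; a leading space continues a line."""
    attrs, last = {}, None
    for line in raw.decode("utf-8").replace("\r\n", "\n").replace("\r", "\n").split("\n"):
        if not line:                      # a blank line ends the main section
            break
        if line.startswith(" ") and last:
            attrs[last] += line[1:]
        elif ":" in line:
            name, _, value = line.partition(":")
            last = name.strip().lower()
            attrs[last] = value.strip()
    return attrs

def lint(source: bytes, jar_bytes: bytes) -> list:
    """Compare the manifest fed to the build with the one inside the built JAR."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        built = parse_main_section(jar.read("META-INF/MANIFEST.MF"))
    findings = []
    if not source.endswith((b"\n", b"\r")):
        findings.append("source manifest does not end with a newline")
    for name in sorted(set(parse_main_section(source)) - set(built)):
        findings.append("attribute missing from built JAR: " + name)
    if "caller-allowable-codebase" in built and "trusted-library" in built:
        findings.append("Trusted-Library present: Caller-Allowable-Codebase may be ignored")
    if built.get("caller-allowable-codebase") == "*":
        findings.append("Caller-Allowable-Codebase is a wildcard: calls from any page are allowed")
    return findings

def make_jar(manifest: bytes) -> bytes:
    """Build a constructed in-memory JAR holding only the given manifest."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", manifest)
    return buf.getvalue()

# Constructed samples (not taken from a real applet).
SRC_NO_NEWLINE = (b"Manifest-Version: 1.0\r\nApplication-Library-Allowable-Codebase: *\r\n"
                  b"Caller-Allowable-Codebase: *")
BUILT_TRUNCATED = make_jar(b"Manifest-Version: 1.0\r\nApplication-Library-Allowable-Codebase: *\r\n\r\n")
SRC_TRUSTED = (b"Manifest-Version: 1.0\r\nTrusted-Library: true\r\n"
               b"Caller-Allowable-Codebase: https://applet.example.com\r\n")

if __name__ == "__main__":
    for finding in lint(SRC_NO_NEWLINE, BUILT_TRUNCATED) + lint(SRC_TRUSTED, make_jar(SRC_TRUSTED)):
        print(finding)
```

Running the check against the JAR that is actually deployed, rather than the source manifest alone, is what catches an attribute lost at build time.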