What does the Java Applet security warning “JAR file manifest does not contain the Permissions attribute”mean?

问题

I have a Java Applet which needs access to the local filesystem of the client. I have created a simple certificate for my own (it is NOT certified by Verisign,Commodo, ...). I signed the jar with the following template:

del \Users\koalabruder\.keystore
"C:\Program Files\Java\jdk1.7.0_45\bin\keytool" -genkey -alias %1 -keypass kp -dname "cn=inin" -storepass ab987c
"C:\Program Files\Java\jdk1.7.0_45\bin\jarsigner.exe" -storepass abc -keypass kp %2 %1
"C:\Program Files\Java\jdk1.7.0_45\bin\keytool" -export -storepass abc -alias %1 -file %3

The simple security warning that I have "no signed certificate" has been in existence for years and is not my problem.

My problem is, that the security warning changed because one of the last Java updates:

This application will be blocked in a future Java security update because the JAR file manifest does not contain the Permissions attribute. Please contact the Publisher for more Information.

What does it mean? How can I fix it? Do I have to buy a certificate? Do I have to fix the Manifest (MANIFEST.MF)? What is the Permission attribute?

Update: Here is my Manifest from the jar file

Manifest-Version: 1.0
Ant-Version: Apache Ant 1.8.4
Application-Name: inin 
Permissions: all-permissions 
Created-By: 1.7.0_45-b18 (Oracle Corporation)

Name: net/inin/transfer/ul/UlPanel.class
SHA-256-Digest: asdfasddddddddddddddddddddddddddddddddd=

回答1:

You don't need to buy a certificate, just fix the manifest file.

Add this line:

permissions: all-permissions

Or this line if you need only limited access:

permissions: sandbox

回答2:

I ran into the same problem and changing my manifest did not fix it.

Finally I found out, that I referenced a library which came in its own jar with its own manifest. I was using a copy of that jar-file that did not have Permissions and Codebase.

So, if you reference any libraries except the JRE System library, check the manifest in the jar file (e.g. by opening it with 7zip). If it does not contain the attributes, you can:

• check, if the manufacturer has a new version. He might have noticed the problem by now.
• Unzip the jar file, edit the manifest and jar it again, or
• Merge the library with your own jar.

For the last two, check the license under which the library is published. Maybe you are not allowed to manipulate the product this way.

回答3:

In Netbeans I noted that manifest file is generated during build ..so briefly what I have done to fix this issue to include my manifest attributes inside that template which is responsible for generating manifest.

To do so follow these steps :

1- Open this file with any editor: (PATH)\nbproject\jfx-impl.xml
(PATH): is the path of your project.

2- Search for : "// manifest". mine looks like:

                // manifest
                var man = jar.createManifest();
                var a1val = project.getProperty("application.vendor");
                var a1 = new org.apache.tools.ant.taskdefs.Manifest.Attribute();
                a1.setName("Implementation-Vendor");
                a1.setValue(a1val);
                man.addConfiguredAttribute(a1);
                var a2val = project.getProperty("application.title");
                var a2 = new org.apache.tools.ant.taskdefs.Manifest.Attribute();
                a2.setName("Implementation-Title");
                a2.setValue(a2val);
                man.addConfiguredAttribute(a2);
                var a3 = new org.apache.tools.ant.taskdefs.Manifest.Attribute();
                a3.setName("Implementation-Version");
                a3.setValue("1.0");
                man.addConfiguredAttribute(a3);


                //******insert your Attributes code here*******

                jar.perform();

3- Under "//*insert your Attributes here**", you can insert your own manifest attributes code, in my situation its enough to include codebase, and permissions.. you can use my code as well:

                ...                 
                //******insert your Attributes here*******
                var a50 = new org.apache.tools.ant.taskdefs.Manifest.Attribute();
                a50.setName("permissions");
                a50.setValue("all-permissions");
                man.addConfiguredAttribute(a50);

                var a51 = new org.apache.tools.ant.taskdefs.Manifest.Attribute();
                a51.setName("codebase");
                a51.setValue("*");
                man.addConfiguredAttribute(a51);
                ...

4- Then build and you wont see that warning again.

Some notes:

• I strongly recommend to check the manifest attributes documentation which relates to security @ http://docs.oracle.com/javase/tutorial/deployment/jar/secman.html

• dont use the wildcard "*" value in codebase, and it will be better to use https instead of http for security sake :-) I am using it for developing only.

good luck,'.

回答4:

I've met this warning while updating the signature on a pre-existing applet (a component that interfaces a user smartcard, and so to work correctly requires to be signed with a "strong" certificate).

Adding also the codebase attribute, e.g: "Codebase: xyz.com" actually makes the warning disappear (note that the original warning text was refering, as in this case, to issues related to the "Permission" attribute not the codebase one...).

It's probably a bug in the jre?

来源：https://stackoverflow.com/questions/19564481/what-does-the-java-applet-security-warning-jar-file-manifest-does-not-contain-t