Java popup saying applications contains both unsigned and signed code

java security warnings mode mixed-code
user1216750 picture user1216750 · Apr 17, 2013 · Viewed 17.4k times · Source

I am using Mac 10.7 running Java 1.7.0_21. I am trying to run a Java applet application that is signed and towards the end of the application I get a mixed mode security popup saying "Block potentially unsafe components from being run?". All the jars that I am using are signed.

I am able to run the same applet application on Mac 10.6 running Java 6 and I don't get the mixed mode warning. I am also able to run the application on windows without the mixed mode warning coming up.

Why do I get this keep getting this error when all my jars are signed?

I googled mixed mode warning and found this link.

http://docs.oracle.com/javase/6/docs/technotes/guides/jweb/mixed_code.html#manifest

and after reading this link, I am a little confused. According to this link it looks like I need to have either "Trusted-Only" or "Trusted-Library" attribute mentioned inside my manifest file. I looked at my manifest file and they don't have these attributes so should I put them in or just the fact that the jars is signed should have been enough.

Can someone please help me understand why I am getting this error even when everything is signed?

Answer

vip picture vip · Apr 18, 2013

Update 21 of Java 7 is a strong security update that brings a certain number of breaking changes.

You should have a look to its release notes, there are two paragraphs and two known issues related to signed jars.

Your problem consists in this one:

Area: deploy/plugin

Synopsis: Security popup while closing application

Starting in JDK 7u21, JavaScript code that calls code within a signed applet running with all permissions is treated as mixed code and warning dialogs are raised if the signed JAR files are not tagged with the Trusted-Library=true attribute. See Mixing Code With Permissions and Code Without Permissions(doc link)'.

For a signed applet running with all permissions to JavaScript call, no security dialog (with mixed code warning) should pop up. However mixed code warning is being shown in some scenarios.

The good news: there is a workaround:

As a workaround, if the applet jar is running with all-permissions and uses "Trusted-library:true" attribute as manifest entry, the mixed code warning will not popup.

Related questions

Java Error: "Your security settings have blocked a local application from running"

I'm trying to run this simple HelloWorld code written in Java from my browser (Chrome): public class HelloWorld extends JApplet { public void init() { try { SwingUtilities.invokeAndWait(new Runnable() { public void run() { JLabel lbl = new JLabel("Hello World"); add(lbl); } }); } catch (…

Read More
Why is char[] preferred over String for passwords?

In Swing, the password field has a getPassword() (returns char[]) method instead of the usual getText() (returns String) method. Similarly, I have come across a suggestion not to use String to handle passwords. Why does String pose a threat to …

Read More
How to retrieve a file from a server via SFTP?

I'm trying to retrieve a file from a server using SFTP (as opposed to FTPS) using Java. How can I do this?

Read More