My signed Java applet has been running fine until Java update 19. Now some but not all of our users on Java Update 19 report a Java security message stating that our applet contains both signed and unsigned code.
The process for creating our applet is as follows:
Can someone please tell me how to determine what code is signed and what code is not signed in our applet? Is there a better way to include the mysql JDBC driver jar file in our applet other than copying the jar file contents into our applet jar file?
Thanks
EDIT: Due to a bug in Java 7 Update 45 you should not add Trusted-Library to your manifest file. Just add the new attribute Caller-Allowable-Codebase. See this question for more info: Java applet manifest - Allow all Caller-Allowable-Codebase
Java 7 Update 21 was released on April 16 2013 and caused our applet to start showing this warning dialog.
Per the release notes: As of JDK 7u21, JavaScript code that calls code within a privileged applet is treated as mixed code and warning dialogs are raised if the signed JAR files are not tagged with the Trusted-Library attribute.
To fix this, edit your manifest.mf file and add a line like this:
Trusted-Library: true
You should be very careful before doing this though. If your signed applet can be called from JavaScript then a malicious user can potentially do harmful things on your users' computers.
One quick way to secure your applet is to prevent it from being run on other websites. Do this by putting code in the init() method that looks at getCodeBase().getHost() and throws an exception if it does not match your site.
Java 7 Update 25 introduces another way to limit the sites where your applet can be run. You can set the Codebase attribute in your manifest file like this:
Codebase: test.example.com www.example.com
Java 7 Update 45 (released October 16 2013) introduces more changes to the LiveConnect system (JavaScript-to-applet bridge) that may cause another prompt. This article talks about the 7u45 changes: https://blogs.oracle.com/java-platform-group/entry/liveconnect_changes_in_7u45
Basically you'll also want to add the following to your manifest file to avoid the prompts:
Caller-Allowable-Codebase: test.example.com www.example.com
If you are selling a product that includes an applet and you don't know what domains it can be deployed on you can populate * here.
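
The init() host check described in this answer, written out as an added example (not code from the original answer). The class name CodeBaseCheck and the method requireAllowedHost are hypothetical, the allowed hosts are the ones from the manifest lines above, and the sample URLs in main() are constructed.

```java
import java.net.URI;
import java.net.URL;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

public class CodeBaseCheck {
    // Assumption: the same hosts as in the Codebase manifest example.
    static final Set<String> ALLOWED_HOSTS =
        new HashSet<>(Arrays.asList("test.example.com", "www.example.com"));

    /** Throws SecurityException unless the code base host is exactly an allowed host. */
    static void requireAllowedHost(URL codeBase) {
        String host = (codeBase == null) ? "" : codeBase.getHost();
        // Host names are case-insensitive, and a trailing dot names the same host.
        host = host.toLowerCase(Locale.ROOT);
        if (host.endsWith(".")) {
            host = host.substring(0, host.length() - 1);
        }
        // Exact match only: a contains() or endsWith() test on the string would
        // also accept a different host whose name merely includes an allowed one.
        if (!ALLOWED_HOSTS.contains(host)) {
            throw new SecurityException("Applet loaded from unexpected host: '" + host + "'");
        }
    }

    // In the applet class, call it first thing:
    //   public void init() { CodeBaseCheck.requireAllowedHost(getCodeBase()); ... }

    public static void main(String[] args) throws Exception {
        // Constructed sample code bases, including a file: URL (empty host).
        String[] samples = {
            "https://www.example.com/applet/",
            "https://WWW.EXAMPLE.COM/applet/",
            "https://www.example.com.other.test/applet/",
            "file:/tmp/applet/"
        };
        for (String s : samples) {
            try {
                requireAllowedHost(URI.create(s).toURL());
                System.out.println("allowed: " + s);
            } catch (SecurityException e) {
                System.out.println("refused: " + s + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

The check refuses an empty host as well, so an applet copied to disk and opened from a file: URL fails the same way as one served from another site.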