FULL PRODUCT VERSION :
java version "1.7.0_45"
Java(TM) SE Runtime Environment (build 1.7.0_45-b18)
Java HotSpot(TM) 64-Bit Server VM (build 24.45-b08, mixed mode)

ADDITIONAL OS VERSION INFORMATION :
Microsoft Windows [Version 6.1.7601]
Also occurs on Linux and Mac operating systems. It is not operating system specific.

EXTRA RELEVANT SYSTEM CONFIGURATION :
Our application is an appliance that serves an applet to our clients. This applet is configured via a JNLP file and does not make use of any JNLP versioning features. Below is the JNLP file data:

XXXXXXXX XXXXXXXX


A DESCRIPTION OF THE PROBLEM :
After the recent JRE updates, we received numerous reports from our customers stating that when accessing applets deployed with our product, the JRE is displaying a yellow warning message that the Permissions attribute is missing from the jars and future JRE updates will block applets without these attributes from running. Obviously this concerned us greatly. As a result, our company has made a great effort to produce a patch to our product that will sign all our Jars using a certificate issued from a public CA, Verisign, and ensure that all our Jars contain the required manifest attributes. Currently all our Jars contain the following manifest attributes:

Manifest-Version: 1.0
spa-Version: 2.4.0.0
Ant-Version: Apache Ant 1.7.1
Application-Name: XXXXXXXX
Permissions: all-permissions
Created-By: XXXXX Obfuscator 2.4
Caller-Allowable-Codebase: *
Codebase: *

Please note that the manifest contains the Permissions, Codebase and Caller-Allowable-Codebase attributes.

During the testing phase of the patch, we noted that including these manifest attributes and signing the Jars resulted in the majority of the yellow warning messages disappearing. Unfortunately, there is still one remaining warning that we are unable to remove:

------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
"The connection to this website is untrusted.
Note: The certificate is not valid and cannot be trusted to verify the identity of this website.

There is also a yellow warning message attached to this popup:

This application will be blocked in future Java security update because the JAR manifest does not contain the Permissions attribute. Please contact the Publisher for more
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

This warning seems to appear whenever Java is unable to verify the certificate being sent by the webserver. What is concerning is that the error message also states that the Jars are missing the Permissions attribute. We are sure that all our Jars contain the attribute. We are at our wits' end with this. Is this a bug in the JRE?

EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
We expected that there should be no warning displayed by the Java Plugin stating that the permissions attribute is missing from the Jar. We are 100% sure that the required Permissions attributes are there.
ACTUAL -
We receive a certificate validation error popup that includes as part of the message a warning message that the Permissions attribute is missing from our Jars.

ERROR MESSAGES/STACK TRACES THAT OCCUR :
The following popup is displayed by the Java plugin:

The connection to this website is untrusted.
Note: The certificate is not valid and cannot be trusted to verify the identity of this website.

There is also a yellow warning message attached to this popup:

This application will be blocked in future Java security update because the JAR manifest does not contain the Permissions attribute. Please contact the Publisher for more information.

We are concerned about the yellow warning message and not the certificate issues.

REPRODUCIBILITY :
This bug can be reproduced always.
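
A check a publisher could run over built JARs to confirm that the Permissions attribute is present in the main section of each manifest, and to flag wildcard Codebase and Caller-Allowable-Codebase values like those quoted in the report. This is an added example, not part of the original report; `main_attributes`, `audit` and `build_jar` are hypothetical names and the sample manifest is constructed.

```python
import io
import zipfile

# Attribute names taken from the manifest quoted in the report.
SCOPING = ("Codebase", "Caller-Allowable-Codebase")

def main_attributes(jar_bytes):
    """Return the main-section attributes of META-INF/MANIFEST.MF as a dict."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        if "META-INF/MANIFEST.MF" not in jar.namelist():
            return {}
        text = jar.read("META-INF/MANIFEST.MF").decode("utf-8")
    attrs, last = {}, None
    for line in text.splitlines():
        if line == "":                       # blank line ends the main section
            break
        if line.startswith(" ") and last:    # continuation of a wrapped value
            attrs[last] += line[1:]
        elif ": " in line:
            name, value = line.split(": ", 1)
            last = name.lower()              # attribute names are case-insensitive
            attrs[last] = value
    return attrs

def audit(jar_bytes):
    """List findings for one JAR; an empty list means nothing was flagged."""
    attrs = main_attributes(jar_bytes)
    findings = []
    perms = attrs.get("permissions")
    if perms is None:
        findings.append("Permissions attribute missing from main section")
    elif perms not in ("sandbox", "all-permissions"):
        findings.append("Permissions has unexpected value: " + perms)
    for name in SCOPING:
        # A "*" value places no domain restriction on where the JAR is served from.
        if attrs.get(name.lower(), "").strip() == "*":
            findings.append(name + " is a wildcard (no domain restriction)")
    return findings

def build_jar(manifest):
    """Constructed sample input: an in-memory JAR holding only a manifest."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", manifest)
    return buf.getvalue()

if __name__ == "__main__":
    print(audit(build_jar("Manifest-Version: 1.0\nPermissions: all-permissions\nCodebase: *\n")))
```

To audit real files, pass each JAR's bytes to `audit`, for example `audit(open(path, "rb").read())`.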