I recently upgraded one of my web applications, which was based on applets, to a Java 7 (u45) environment. Java 7 seems to have made the life of applets really miserable (add JNLP to this list). Users are shown messages like “Running unsigned application like this will be blocked in a future release because it is potentially unsafe and a security risk”, and many more after getting past this dialog.
I strongly believe Oracle should not force users to sign the contents of any jar, especially if the applications are meant for in-house development and production usage. After struggling with the new enforcements and reading numerous posts about more such people suffering from the same disease, I finally managed to resolve it without spending a penny 🙂
Via this post, I will try to summarize my experiences and the steps I took to resolve this issue. Any feedback is most welcome.
When an application (applet/JNLP based) which was running fine till Java 6 is deployed in a new environment based on Java 7, here is the first security message you will see –
After researching this, I came to know that I was running an unsigned applet jar file in my browser, which was using JRE 7, and that the only way to get around this is to sign the jar file and redeploy. There are two possibilities for signing a jar –
- An expensive certificate from Verisign/Thawte
- Self-signing using the JDK’s tools
Honestly speaking, after observing the cost involved in purchasing a code signing certificate from Verisign/Thawte, I decided to back out and look for a cheaper option – self-signing.
The steps to self sign a jar file are fairly simple. We need to make use of “keytool” and “jarsigner” utilities provided by JDK to generate a keystore/certificate and sign the jars. However Oracle is not kind enough to let us squeeze through with self signing and even after this exploration I managed to remove the old warning message and get this new one –
If I select the checkbox at the bottom which says “I accept the risk and want to run this application”, I am in for another surprise and receive the following message –
You must be wondering “Block potentially unsafe components from being run?” – seriously …… Oracle what have you done 😦
This was the new battle I had to deal with, and fortunately people were kind enough to let me resolve it. All I had to do was append a permission setting on the client machine at the location below, in the following manner:
File name = C:\Users\<user name>\AppData\LocalLow\Sun\Java\Deployment\deployment.properties
Instruction = Add the new attribute “deployment.security.mixcode=DISABLE” to deployment.properties
And there you go … the potentially unsafe application was turned into a safe application by playing with this property file 🙂 [Security seems to have been redefined in Oracle’s dictionary]
This, however, does not resolve the issue entirely. The next time the client launches his explorer and hits the application, he will see the same message “Do you want to run this application?”. So we need a better, inexpensive and permanent solution.
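For anyone who has to keep track of which client machines carry the deployment.security.mixcode=DISABLE edit described above, here is an added example (not part of the original post) that parses the text of a deployment.properties file and reports the mixed-code setting. The function names and the sample file contents are constructed for this illustration.

```python
import re

KEY = "deployment.security.mixcode"
# Values Oracle documents for this property.
KNOWN = {"ENABLE", "HIDE_RUN", "HIDE_CANCEL", "DISABLE"}

def parse_properties(text):
    """Parse Java .properties text into a dict; the last assignment wins.

    Simplification of this example: unicode escapes and line
    continuations are not handled.
    """
    props = {}
    for raw in text.splitlines():
        line = raw.lstrip()
        if not line or line[0] in "#!":        # blank line or comment
            continue
        # The key runs to the first unescaped '=', ':' or whitespace.
        m = re.match(r"((?:\\.|[^\\=:\s])+)\s*[=:]?\s*(.*)", line)
        if not m:
            continue
        # Java escapes ':' and '\' in stored values; undo that.
        key, value = (re.sub(r"\\(.)", r"\1", s) for s in m.groups())
        props[key] = value.strip()
    return props

def audit_mixcode(text):
    """Return (value, finding) for the mixed-code setting in one file."""
    value = parse_properties(text).get(KEY)
    if value is None:
        return (None, "not set")               # the JRE default applies
    value = value.upper()                      # flag odd spellings too
    if value == "DISABLE":
        return (value, "verification disabled")
    if value in KNOWN:
        return (value, "verification enabled")
    return (value, "unrecognized value")

# Constructed sample, not taken from a real machine.
SAMPLE = r"""#deployment.properties
#Mon Nov 04 10:15:00 2013
deployment.version=7.0
deployment.user.cachedir=C\:\\Users\\alice\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache
# deployment.security.mixcode=ENABLE
deployment.security.mixcode = DISABLE
"""

if __name__ == "__main__":
    print(audit_mixcode(SAMPLE))
```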
The next thing I did was research a bit on the OpenSSL tool, and I was delighted to find a few posts listing how to create your own CA certificate and sign the jars to avoid these messages. I have posted the steps to do the same in an earlier post on this blog – CODE SIGNING USING YOUR OWN CERTIFICATE
After executing the steps listed in the above-mentioned link and redeploying your application, here is the new pop-up message you will see –
Click on “Do not show this again for apps from the publisher and location above”, and from the next time onwards the user will not receive this message again !!!!! – Mission Accomplished 🙂