3
votes

I've got a web start app, and I'm confused by the above message.

> Do you want to run this application
> Publisher: UNKNOWN
> Running applications by UNKNOWN publishers will be blocked in a future release because it is potentially unsafe and a security risk.
> This application will be blocked in a future java security update because the JAR file manifest does not contain the Permissions attribute. Please contact the Publisher for more information.

I've tried adding the Permissions attribute to the manifest of all the jars in the JNLP file. I've even gone to the trouble of hacking into the Java cache on my computer, and unzipping all the jars to make sure the Permissions attribute really got in there, and it's there for every one.

Now maybe the dialog is actually saying the publisher is UNKNOWN because my app is self-signed. That would be fair enough if the dialog said that. However it doesn't say that it is UNKNOWN because it is self-signed, it says it is unknown because "the JAR file manifest does not contain the Permissions attribute".

So I'm stumped. Is this a case of Oracle popping up a crap dialog complaining of Permissions attribute, when it is really a problem of self-signed code? Or have I done something wrong I can't figure out?

Manifest-Version: 1.0
Ant-Version: Apache Ant 1.9.2
Application-Library-Allowable-Codebase: *
Application-Name: CLSIS 
Permissions: all-permissions
Created-By: 1.7.0_45-b18 (Oracle Corporation)
Caller-Allowable-Codebase: *
Codebase: *

2 Answers

2
votes

> ..maybe the dialog is actually saying the publisher is UNKNOWN because my app is self-signed. That would be fair enough if the dialog said that. However it doesn't say that it is UNKNOWN because it is self-signed, it says it is unknown because "the JAR file manifest does not contain the Permissions attribute".

That's not how I read the message. The two problems are unrelated.

  • Use a proper code signing certificate issued by a Certification Authority to suppress the first message and display the publisher name.
  • Add the manifest attribute to suppress the second message.

> I've even gone to the trouble of hacking into the Java cache on my computer, and unzipping all the jars to make sure the Permissions attribute really got in there,..

That does seem odd. The default for the JCP is to store Jars as loose files of the resources. Go into:

  • Java Control Panel
  • General (tab)
  • Temporary Internet Files (section)
  • Settings (button)
  • Disk Space (section)
  • Select the compression level for JAR files: (drop-down)

What does it report? Here it is showing 'None' indicating the JRE will unpack the resources to loose files.
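The manual check described in the question (opening every JAR to confirm the Permissions attribute is present) can be scripted; the following is an added example, not part of the original question or answers. It goes slightly beyond that check by also reporting a missing signature file and `*` values in the codebase attributes. The function names are hypothetical and the sample JAR builder produces a constructed archive.

```python
import io
import zipfile

VALID_PERMISSIONS = {"sandbox", "all-permissions"}  # values Oracle documents
ORIGIN_ATTRS = ("codebase", "caller-allowable-codebase",
                "application-library-allowable-codebase")

def parse_main_section(manifest_bytes):
    """Return main-section attributes of a MANIFEST.MF, keys lower-cased."""
    attrs, last = {}, None
    for line in manifest_bytes.decode("utf-8", "replace").splitlines():
        if not line.strip():                 # blank line ends the main section
            break
        if line.startswith(" ") and last:    # continuation of a wrapped value
            attrs[last] += line[1:]
        elif ":" in line:
            name, _, value = line.partition(":")
            last = name.strip().lower()
            attrs[last] = value.lstrip()
    return attrs

def audit_jar(jar):
    """Return a list of findings for one JAR (path or file-like object)."""
    with zipfile.ZipFile(jar) as zf:
        names = {n.upper(): n for n in zf.namelist()}
        if "META-INF/MANIFEST.MF" not in names:
            return ["no META-INF/MANIFEST.MF"]
        attrs = parse_main_section(zf.read(names["META-INF/MANIFEST.MF"]))
    findings = []
    perm = attrs.get("permissions")
    if perm is None:
        findings.append("Permissions attribute missing from main section")
    elif perm.strip() not in VALID_PERMISSIONS:
        findings.append(f"unexpected Permissions value: {perm!r}")
    if not any(n.startswith("META-INF/") and n.endswith(".SF") for n in names):
        findings.append("unsigned: no META-INF/*.SF signature file")
    for name in ORIGIN_ATTRS:
        if attrs.get(name, "").strip() == "*":
            findings.append(f"{name} is '*': no origin restriction")
    return findings

def build_sample_jar(manifest_text, signed=True):
    """Constructed in-memory JAR; the .SF entry is a placeholder, not a signature."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest_text)
        if signed:
            zf.writestr("META-INF/SELFSIGN.SF", "Signature-Version: 1.0\n")
    return buf
```

This only checks that a signature file is present; `jarsigner -verify` is what validates the signature and the certificate chain.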

0
votes

This IBM support page says the similar message regarding self-signed SSL is a bug: http://www-01.ibm.com/support/docview.wss?uid=swg21654628

> NOTE : The warning (displayed in a yellow box in the dialogue above) is displayed in error and it has been signalled that it is targeted for removal in a subsequent release of the Oracle JRE, and IBM equivalent.

I can't find any more documentation on this, but maybe this falls into the same category.