How do I write a manifest file for the new java security barriers

Question

I have a Java applet that I need to deploy on my website.

My website has a lot of pages and the applet appears on a number of them. My website's base domain is www.mycompany.com. But the applet will appear on, for example: www.mycompany.com/dog, www.mycompany.com/cat, www.mycompany.com/pen, etc.

The package of the entry point is com.mycompany.MyApplet.

Following the instructions at Java Security Manifest Changes in the Browser, I have created the below manifest for my app. Will someone please review it for me so that I get it correct? Basically I don't want any sort of warning to show up when people try to run my applet from my website.

MANIFEST

Manifest-Version: 1.0
Created-By: 1.7.0_51
Permissions: sandbox
Application-Name: My Farming Business
Application-Library-Allowable-Codebase: www.mycompany.com/where_the_applet_jar_actually_lives
Caller-Allowable-Codebase:www.mycompany.com
Codebase: www.mycompany.com

Presently I get the following dialog after redeploying with the above manifest:

Application Blocked by Security Settings: Your security settings have blocked an untrusted application from running

Ref: How do I inject new manifest into an existing jar for applet

Also, I have used the following steps to sign my jar:

1. keytool -genkey -keystore myKeyStore -alias me
2. keytool -selfcert -keystore myKeyStore -alias me
3. jarsigner -keystore myKeyStore jarfile.jar me

Answer 1

As for the error you get I can think of three possible problems:

1) Your applet does not ask permission for what it is trying to do.

What happens? The "permissions" is telling the user how much "power" does the application have over the user's computer. "sandbox" doesn't let the application do much and "all-permissions" gain the applet a little more control. of course, you would want to use the lowest permission you can (i.e. sandbox) because the lower permission you use, the less warning prompts the user get. However, if, for example your applet is trying to gain access to the user's personal files but it's "permissions" attribute is set to "sandbox" the applet won't work, as it did not ask permission for what it is trying to do.

How to solve it? Simple, just change Permissions: sandbox to Permissions: all-permissions

2) Your computer is not allowing self signed applications to run.

What happens? Most browsers have very strict rules applying to applets. especially if you're requiring all-permissions (which you are not).

How to solve it? Change your java security in java control panel to something lower. you can either search for "java control panel" in your computer or go yourself to this path (windows 8 can't find the java control panel for some reason so you have to look for it yourself) C:\program files\java\jre7\bin\javacpl.exe in the JCP go to security tab and change it to medium.

3) Your operating system doesn't allow you to run applets that you signed your self. (pay attention "applets that you signed your self" not "self signed applets", which is everything that doesn't have an official certificate. Operating systems usually treat them differently.)

How to solve it? Upload the applet to a web host service and enter it from another computer, all computers but the ones you signed the applet with should be able to open the applet.

---

As for what you mentioned about users not getting any security prompts, it is an almost impossible demand. With the variety of OS, browsers and anti-viruses you can never know. However, there are a few methods in which you can reduce the amount of security prompts:

• Self signed applets (self signing is what you did with the command prompt) are very likely to always show security prompts. You can buy an official SSL and it will reduce the amount of prompts significantly.
• If you are requiring "all-permissions" you'll get much more prompts than if you require "sandbox" permissions.

I highly recommend you to look at the following links:

SSL: Where could I buy a valid SSL certificate?

Permissions: http://docs.oracle.com/javase/tutorial/deployment/applet/security.html

---

If you've got problem number 1 that would be the manifest file:

Manifest-Version: 1.0
    Created-By: 1.7.0_51
    Permissions: all-permissions
    Application-Name: My Farming Business
    Application-Library-Allowable-Codebase: www.mycompany.com/where_the_applet_jar_actually_lives
    Caller-Allowable-Codebase:www.mycompany.com
    Codebase: *

Eitherwise (If your problem is 2 or 3), you don't even have to change the manifest file.

As @tigran mentioned, if you want to run your applet from several different places you'd probably want to change "codebase" to *.