
Java 7u51 will not accept JNLP with self-signed certificate?

I read on the web that Java version 7u51 (to be released in January 2014) will no longer accept Java Webstart applications that are self-signed by me.

Is that true?

In case it is true, do I have any chance to build a workaround for my JNLP application, so that I am able to start the application even after January 2014?

I have seen that the option to suppress the security warnings because of the usage of a self-signed certificate was removed in 7u40.

Fabian asked Oct 20 '13 19:10




2 Answers

Yes, this is true. This blog entry from Oracle has the details.

As I understand it, you have three options for continuing to work:

  1. Sign your app with a trusted cert
    • Normally, this is done by acquiring a cert from one of the vendors whose root certs are trusted by Java by default.
    • You can also use a self-signed certificate if your community of users is controlled (e.g. all within a managed corporate network, or all students in the same intro to programming class).
  2. Have your end users configure their machines to trust your app despite it being self-signed
    • via deployment rule sets (Oracle's intention is that DRSs are only to be used in corporate environments, where you can push out this configuration update via a centralized management technology)
    • via the exception site list (I believe this is intended to be analogous to DRSes, but for individual end users without centralized management)
  3. Have your users lower their security slider from High (the default) to Medium

See also my question about obtaining pre-release versions of these updates to test with.

Matt McHenry answered Sep 20 '22 19:09


Oracle just announced that a new feature called the Exception Site List will be available in 7u51.

If it means what I think it means, then in-house-only apps who are currently self-signing their jars can simply ask their users to whitelist the app without the user having to do anything "complicated" for an end user, like importing a cert (for example).

UPDATE:

Java 7u51 was just released, and I can confirm that the Exception Site List solution works quite easily. Just go to Java Control Panel -> Security -> Edit Site List, and add the URL of the self-signed JNLP app to the list of Locations.

splungebob answered Sep 20 '22 19:09
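An added example, not part of either answer: the Exception Site List edited in the Java Control Panel is kept as a plain text file (`exception.sites`, one URL per line, in the user's Java deployment `security` directory), so an administrator can review what users have whitelisted. The sketch below flags entries that weaken the exception: non-HTTPS locations and host-only entries that cover every application on that host rather than one JNLP. The sample entries and the finding labels are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample of an exception.sites file (one location per line).
SAMPLE = """\
https://apps.corp.example/payroll/launch.jnlp
http://intranet.example/tools/app.jnlp
https://apps.corp.example
file:///C:/jnlp/test.jnlp
apps.corp.example/app.jnlp
"""

# Finding labels are this example's own naming, not Oracle's.
BAD_PROTOCOL = "bad-protocol"  # no scheme, or not file/http/https
NOT_HTTPS = "not-https"        # content can be altered in transit or on disk
HOST_WIDE = "host-wide"        # no path: applies to everything on the host


def audit_exception_sites(text):
    """Return (line_no, entry, findings) for every entry that needs review."""
    report = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        entry = raw.strip()
        if not entry:
            continue
        parts = urlsplit(entry)
        scheme = parts.scheme.lower()
        findings = []
        if scheme not in ("https", "http", "file"):
            findings.append(BAD_PROTOCOL)
        elif scheme != "https":
            findings.append(NOT_HTTPS)
        # A bare host with no path whitelists more than the one application.
        if scheme in ("http", "https") and parts.path in ("", "/"):
            findings.append(HOST_WIDE)
        if findings:
            report.append((line_no, entry, findings))
    return report


if __name__ == "__main__":
    for line_no, entry, findings in audit_exception_sites(SAMPLE):
        print(f"line {line_no}: {entry} -> {', '.join(findings)}")
```

For a self-signed in-house app, the entry that survives this review is the full HTTPS URL of the JNLP, as in the first sample line.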