Java 7u51 will not accept JNLP with self-signed certificate?

旧城冷巷雨未停 submitted on 2019-11-27 11:53:58
Matt McHenry

Yes, this is true. This blog entry from Oracle has the details.

As I understand it, you have three options for continuing to work:

  1. Sign your app with a trusted cert
  2. Have your end users configure their machines to trust your app despite it being self-signed
    • via deployment rule sets (Oracle's intention is that DRSs are only to be used in corporate environments, where you can push out this configuration update via a centralized management technology)
    • via the exception site list (I believe this is intended to be analogous to DRSes, but for individual end users without centralized management)
  3. Have your users lower their security slider from High (the default) to Medium

See also my question about obtaining pre-release versions of these updates to test with.

Oracle just announced that a new feature called the Exception Site List will be available in 7u51.

If it means what I think it means, then in-house-only apps that are currently self-signing their jars can simply ask their users to whitelist the app without the user having to do anything "complicated" for an end user, like importing a cert (for example).

UPDATE:

Java 7u51 was just released, and I can confirm that the Exception Site List solution works quite easily. Just go to Java Control Panel -> Security -> Edit Site List, and add the URL of the self-signed JNLP app to the list of Locations.

This is for Windows ONLY

Go to Java configuration in Windows, "java configure", choose the "Security" tab and choose "Edit Site List", then add your self-signed URL to the list.

Sometimes you need to add the full URL of the Java application to the list to make it work; you cannot just add https://xxx.abc.com, it should be https://xxx.abc.com/application_blah_blah instead.

After adding the URL, restart the Java application by entering that URL in the browser, and it will work.

Is that true?

Don't know, but had heard the same. What is your source?

In case it is true, do I have any chance to build a workaround for my JNLP application, so that I am able to start the application even after January 2014?

The only realistic way to deploy code in that situation is have it signed using a digital certificate from a Certification Authority (i.e. signed, but not self-signed).

Any 'workaround' would be a security bug. So if you find one, please let us know so we can raise a bug report and get it fixed.

I have a self-signed app that just needs to run through the end of the semester (December), so I won't be affected by the January deadline. However, we are experiencing trouble even with earlier builds. This just started last week (perhaps due to some kind of automatic update). The JRE is build 40.

I changed the manifest file to include the required attributes of permission and codebase and then re-signed the jar, but it still causes a security block to appear at our school.

Can anyone suggest other steps I should take? Is a commercial certificate my only option?

Thanks, Nina
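An added example, not part of any post on this page and not Oracle's code: a Python check of the `Permissions` and `Codebase` manifest attributes mentioned in the post above, including the manifest's line-continuation rule, run against a JAR constructed in memory. The function names and sample values are assumptions, and the check only detects whether a signature block file is present; it does not tell a self-signed certificate from a CA-issued one.

```python
import io
import zipfile

def parse_main_attributes(manifest_text):
    """Parse the manifest's main section, joining continuation lines."""
    attrs, key = {}, None
    for line in manifest_text.splitlines():
        if not line.strip():
            break                          # blank line ends the main section
        if line.startswith(" ") and key:
            attrs[key] += line[1:]         # continuation of the previous value
            continue
        name, sep, value = line.partition(":")
        if sep:
            key = name.strip().lower()     # attribute names are case-insensitive
            attrs[key] = value.lstrip(" ")
    return attrs

def check_jar(jar_bytes):
    """Return findings about Permissions, Codebase and signature presence."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = jar.namelist()
        if "META-INF/MANIFEST.MF" not in names:
            return ["no META-INF/MANIFEST.MF"]
        manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8")
    attrs = parse_main_attributes(manifest)
    findings = []
    perms = attrs.get("permissions", "").strip().lower()
    if perms not in ("sandbox", "all-permissions"):
        findings.append("Permissions missing or invalid: %r" % perms)
    codebase = attrs.get("codebase", "").split()
    if not codebase or "*" in codebase:
        findings.append("Codebase missing or a bare wildcard: no domain restriction")
    if not any(n.upper().startswith("META-INF/") and
               n.upper().endswith((".RSA", ".DSA", ".EC")) for n in names):
        findings.append("no signature block file; the JAR is unsigned")
    return findings

def build_sample_jar(manifest, signed):    # constructed sample, not a real JAR
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", manifest)
        if signed:
            jar.writestr("META-INF/SAMPLE.RSA", b"placeholder, not a real signature")
    return buf.getvalue()

SAMPLE = ("Manifest-Version: 1.0\r\nPermissions: all-permissions\r\n"
          "Codebase: https://apps.exam\r\n ple.test\r\n\r\n")  # constructed
print(check_jar(build_sample_jar(SAMPLE, signed=True)))
```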

For me, self-signed web is working when I changed the security setting to Medium.

Check out Java official help to allow the access:

Control untrusted programs
