[NEURE-287] 1.7.0_45 brings new manifest attributes in Deployment/PlugIn area Created: 16/Oct/2013  Updated: 02/Jan/2014  Resolved: 25/Oct/2013

Status: Closed
Project: NEURE
Component/s: None
Affects Version/s: None
Fix Version/s: 1.6.7

Type: Improvement Priority: Major
Reporter: Oleksandr Maslov Assignee: Oleksandr Maslov
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

JavaPlugin v1.7.0_45



 Description   

Need to take into account those new attributes to avoid unnecessary "warning" dialogs.

Quote from http://www.oracle.com/technetwork/java/javase/7u45-relnotes-2016950.html#newft

Protections Against Unauthorized Redistribution of Java Applications

Starting with 7u45, application developers can specify new JAR manifest file attributes:

Application-Name: This attribute provides a secure title for your RIA.

Caller-Allowable-Codebase: This attribute specifies the codebase/locations from which JavaScript is allowed to call Applet classes.

JavaScript to Java calls will be allowed without any security dialog prompt only if:

  • JAR is signed by a trusted CA, has the Caller-Allowable-Codebase manifest entry and JavaScript runs on the domain that matches it.
  • JAR is unsigned and JavaScript calls happen from the same domain as the JAR location.

The JavaScript to Java (LiveConnect) security dialog prompt is shown once per Applet classLoader instance.

Application-Library-Allowable-Codebase: If the JNLP file or HTML page is in a different location than the JAR file, the Application-Library-Allowable-Codebase attribute identifies the locations from which your RIA can be expected to be started.

If the attribute is not present or if the attribute and location do not match, then the location of the JNLP file or HTML page is displayed in the security prompt shown to the user.

Note that the RIA can still be started in any of the above cases.

Developers can refer to JAR File Manifest Attributes for more information.



 Comments   
Comment by Oleksandr Maslov [ 25/Oct/2013 ]

Since this issue only affects Express, we now provide a separate express_run_45.jnlp for Oracle Java 1.7.0_45, pointing to jars with the "correct" set of Manifest Attributes.

Comment by Oleksandr Maslov [ 24/Oct/2013 ]

so, what we will do for 7_45:

  • generate separate jar
  • using deployment toolkit detect 7_45
  • provide separate .jnlp

Comment by Oleksandr Maslov [ 21/Oct/2013 ]

from the same page

Area: Deployment/Plugin
Synopsis: Caller-Allowable-Codebase may be ignored when used with Trusted-Library.

If a trusted, signed JAR file is using the Caller-Allowable-Codebase manifest attribute along with Trusted-Library then the Caller-Allowable-Codebase manifest entry will be ignored and, as a result, a JavaScript -> Java call will show the native LiveConnect warning. The workaround is to remove the Trusted-Library manifest entry.

So it seems like we need to generate a couple of different jars: for versions before update 45 and for 45 (and maybe later). Because if we use the workaround described in the Release Notes, a nasty warning appears when the user starts an Express task under Java before update 45...

What can I say #@#&^@
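
A build-time check for the manifest rules quoted in this issue, as an added example that is not part of the original ticket or the project's code: it reads the main manifest section of a JAR and reports missing 7u45 attributes and the Trusted-Library conflict described in the release notes. The function names, the sample manifests and the example.com URLs are constructed for illustration.

```python
import io
import zipfile

NEW_ATTRS = ("Application-Name", "Caller-Allowable-Codebase",
             "Application-Library-Allowable-Codebase")  # new in 7u45

def main_attributes(manifest_text):
    """Return the main-section attributes, keyed by lower-cased name."""
    attrs, last = {}, None
    for line in manifest_text.splitlines():
        if not line.strip():
            if attrs:
                break                    # a blank line ends the main section
        elif line.startswith(" ") and last:
            attrs[last] += line[1:]      # continuation of a wrapped value
        elif ":" in line:
            name, _, value = line.partition(":")
            last = name.strip().lower()
            attrs[last] = value.lstrip(" ")
    return attrs

def audit_jar(jar_bytes):
    """List deployment findings for one JAR passed as bytes."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        text = jar.read("META-INF/MANIFEST.MF").decode("utf-8")
    attrs = main_attributes(text)
    findings = ["missing " + a for a in NEW_ATTRS if a.lower() not in attrs]
    if ("caller-allowable-codebase" in attrs
            and attrs.get("trusted-library", "").strip().lower() == "true"):
        findings.append("Caller-Allowable-Codebase ignored: Trusted-Library set")
    return findings

def make_jar(manifest_text):
    """Build an in-memory JAR that holds only a manifest (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", manifest_text)
    return buf.getvalue()

# Constructed manifests: names and URLs are placeholders, not the project's.
JAR_FOR_7U45 = make_jar(
    "Manifest-Version: 1.0\r\nApplication-Name: Example RIA\r\n"
    "Caller-Allowable-Codebase: https://app.example.com\r\n"
    "Application-Library-Allowable-Codebase: https://app.example.com/expr\r\n"
    " ess\r\n\r\n")
JAR_WITH_CONFLICT = make_jar(
    "Manifest-Version: 1.0\r\nTrusted-Library: true\r\n"
    "Caller-Allowable-Codebase: https://app.example.com\r\n\r\n")
print(audit_jar(JAR_FOR_7U45), audit_jar(JAR_WITH_CONFLICT))
```

Running the check against each generated jar before publishing the matching .jnlp shows which build carries which attribute set.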
