I am having a problem with getting a ruleset.xml file to function as expected. I am using a Windows 10 client for testing and to keep things simple, i'm trying to get http://javatester.org/version.html to use version 1.8.0_92 as specified within my ruleset.xml file (below).
Deployment Rule Set - ruleset.xml
There are two versions of JRE installed on my machine i.e. 1.6.0_25 as well as that already mentioned above. Unfortunately, when i browse to the above URL, the instance reported is the 1.6.0_25 version which is not what i want.
In terms of the DeploymentRuleSet.jar file, as you can see this is valid and i have appropriately signed the certificate etc. Additionally, if i remove some essential content from the ruleset.xml file then the DeploymentRuleSet.jar becomes invalid which further suggests that up to the point of reading the file everything is OK...i just can't seem to figure out why this isn't applying. In fact, i've even tried blocking everything by default yet this also doesn't work...Any help and suggestions would be much appreciated.
Thank you!
I managed to figure this out.
The short answer is that I had two different versions of Java running, however one of those versions was x64 whereas the other version was (obviously) an x86 version. The DeploymentRuleSet.xml was working as expected however the x64 version was not firing. It wasn't firing because because i needed to add the site in question into the 'Trusted Sites'. This was due to the enhanced restrictions within IE and come as a result of the 'Enhanced Protection Mode' and 'Enhanced Protection Mode for 64 bit Processes' (i believe it comes under this from the top of my head). Adding the sites in question to the Trusted Sites is not a security issue (for us)given these are national systems we know and use.
Related
I've been quite happily signing my jar files for a year or so and had no issues whatsoever, but very recently I have noticed that I'm getting the warning below.
Now, nothing has changed, I'm not creating anything different, my certificate is valid, I'm signing in exact same way, same JDK and same JRE and I'm uploading to the same location and so on so kind of hitting a wall.
I've tried running from a different computer, different OS and JRE, all with same outcome.
What I have also noted though and find this particularly strange, is that even if I add a site exception, I still get the same error.
Are there any logs or can such logging be enabled to find out exactly why the applications are not being allowed to run?
My issue was caused by mismatched information in the manifest file inside the jar and the jnlp file, my own oversight as it happens. The CODEBASE and PERMISSIONS differed, not quite sure how that happened but guess it makes sense for java security to not allow such an application to run with said differing information.
i have noticed that signed applets are loaded much slower with the latest plugin (included in java 8u31 and 7u75). I have debugged the situation quite a lot and i found out that the problem is directly related to the size of the jar files that are referenced in the jnlp file. The problem is that each time the applet starts, there is some 're-indexing' of the cached jar files that takes time.
To reproduce the issue i did this:
I created a minimal applet and in the jnlp file i used to deploy it, I added several irrelevant .jar files (that are not even referenced, so the classloader does not load them) of considerable size (e.g. 30MB). Of course i am using versioning in the jnlp and capture all http traffic to make sure that the delays are not because of traffic (either re-downloading or certificate revocation checks, etc). I run the applet with the trace enabled and then went through the xml trace log file and found out where the delays come: they are always from the JarSigningVerifier ....
Has anyone else seen something like that?
It is very easy to see and reproduce this behavior and i wonder if there is something i am overlooking. Having worked on applets for the past years extensively, i am totally lost at what can be happening. I can verify that reverting to the previous version of the plugin (and every other version before) works as expected.
I have submitted a bug report with oracle, but i haven't heard back still. Any info or idea will help,
TIA
Same here. I thought already I'm getting crazy. Thanks for sharing this.
We are using Java Web Start, but it's sharing the same problem of re-indexing all jar files (in our case it's an app with quite some jars, so starting takes ages).
Aside from the fact that Oracle suddenly decided to check the certificate of the deploy TLS, which caused some hickup on Linux and Macs (we used a StartSSL certificate there, which isn't included in the Java keystore - on Windows it works as it uses the platforms root certs, too).
And, to make it even worse, on Windows x86 the 8u31 silently dies if -XX:+DoEscapeAnalysis or -XX:+OptimizeStringConcat is present in the JVM arguments, though both parameters are standard in Java 8 (but not in 7, that's why they've been included, still). The 64bit engine doesn't have that problem.
The next thing they changed is they now overwrite the start icons if they've been changed (we changed them to put the 64bit engine's path in there), so it stubbornly changes the path back to the 32bit engine every time.
The behaviour of Oracle is not helpful at all, as they didn't announce any of these changes in their changelogs, let alone announcing the certs changes a few days ahead.
I would like to hear from anyone who's sharing the problems and possible workarounds.
Patric
Have you been able to solve this issue? Have you had a reaction from Oracle?
UPDATE START
I've tried everything I can think of and haven't managed to solve the
issue, so I posted my own question on this issue.
A similar bug report can be found here and is backported to at
least Java 8u51 which I tested. Yet again they managed to increase
startup time for our application.
END UPDATE
We are using Java Web Start for an Eclipse RCP-based application with jars that are all signed.
Startup time is 8s within the IDE, Java version doesn't seem to matter here. With web start the story is different. It becomes (much) worse with every Java update:
7u?? (<60): +2s (10s)
7u60: +5s (13s)
7u75: +15s (23s)
8u31: +12s (20s)
8u40: +21s (29s)
8u51: +23s (31s)
Have you tried your jnlp without versioning? In my experience Java jnlp is very buggy specially if you change the jnlp default values. Versioning support is disabled by support, so try it without versioning and see if it still slow?
For me, I noticed some bugs when I used update="background" value, so I no longer change the default update method. My theory is that Oracle only tests jnlp against default values before they release new Java versions.
Last night a new Java 7 update has been released: 7u65. I have a web application where a service applet is loaded, and after the update, my tests on different PCs did not show issues nor wrong behaviors.
Later, I started to receive issue reports related to my product's Java service applet. All the reports came from users who updated Java JRE to 7u65 (from 7u60):
The applet was not loading at all. I display a "Loading" screen when the application starts, and this was not being displayed. Also, all the services provided by my Java applet were unavailable.
After changing the Java Control Panel's advanced configuration to always show the console (in one of the PCs where this issue happened), I discovered that the applet was not even launching the Java console.
Using the same station where the error happens, trying to access java.com to check the current java version, the Java applet is loaded and the console is displayed without errors.
All tests were performed after clearing Browser and Java Cache, and even after removing the installed certificates (mine is a valid signed applet).
I checked the Java 7u65 release notes and none of the mentioned changes seem to affect my applet. Also, there were no issues while using Java 7u60.
I don't have any clues about what is going on, perhaps because the java update was released hours ago. As the Java console can not be displayed even if I configure Java Control Panel to do so, I can not tell if there is any exception. I can not reproduce the issue in my PCs (Windows 8, nor Windows 7, both at 64 bits), but the issue has been reported on Windows 7 PCs.
One of my friends told me that this seems to be happening on machines where Java 7u60 was in use, and then it was updated to Java 7u65 with no deinstallations. Also, this tends to happen in older OS (ie: WinXP) which is more natural.
I write this question because it seems very odd that some PCs have this issue, and some others not. I'd like to know if any one else is having this issue, knows what could be the reason, or has discovered/applied any solution to it. Also, I'd like to share the solution if I ever happen to find it.
Thanks.
Edit:
External references, related to the same Java version (JRE).
Internet Explorer crashing after updated Java to 7u65: An issue with the same JRE version, this time with Internet Explorer and Firefox.
RS Loading Issue (Java) ~ READ: An issue related to the same JRE version update, this time, in a Java Game.
The future of Java on Windows XP:
This end of support announcement has been misread as "Java no longer works on Windows XP" or "Oracle will stop Java updates from being applied on Windows XP". These statements are not correct.
I just ran into this exact problem with one of my applets.
It looks like some changes were made to the handling of the 'java-vm-args' and 'java_arguments' params in 7u65.
'java_arguments' seems to no longer work, when it is specified, my applet will silently fail without even launching the JVM.
I have had the same problem.
I delete C:\Users\${USER}\AppData\LocalLow\Sun
When i reloaded the web page containg the appelets. The JRE recreated this folder again.
And evrything was OK.
There is no big difference between the folders contents .. but it worked.
It seems to be a bug in the jRE
It seems that oracle has changed something with processing default plugin java arguments,
that caused problem in new java.
When upgrading from older version of java it is possible that value for
deployment.javaws.jre.0.args (or deployment.javaws.jre.1.args)
is not defined in
C:\Users\${USER}\AppData\LocalLow\Sun\Java\Deployment\deployment.properties
If you add
deployment.javaws.jre.0.args=
to deployment.properties, applet will work.
It can be done through Java Control panel also:
Java -> View -> double click on Runtime Parameters cell for java 7u65 to enter edit mode -> OK -> Apply
java-jvm-args solution didn't work for me, applet was launched but arguments were ignored.
Oracle has released an update that resolves this specific issue via version 7u67
http://www.oracle.com/technetwork/java/javase/7u67-relnotes-2251330.html
As Miloš Ratković wrote, if customer hasn't string in deployment.properties
deployment.javaws.jre.X.args=
where x is number of java installation for version 7_65 (number of java installation for particular version is X in string deployment.javaws.jre.X.product=1.7.0_65), Java applet failed to start.
For my case I have a solution - don't pass any arguments for my applet.
In my javascript code for starting applet I'm just comment
<param name="java_arguments" value="some arguments">
string
Also, if you delete the directory C:\Users\${USER}\AppData\LocalLow\Sun, during next startup of java applet java write new deployment.properties with correct java args string
Uninstall java 7 update 65 and reinstall java 7 update 55 Download the windows x86 offline version
Go to Java control panel and uncheck: automatic update
When the next window comes up, click on "do not check"
then click on "apply" and "ok"
close all browsers and reopen them to continue your work
This has worked for me every time so far and I have been doing this for the last two weeks now with "0" issues.
Sorry, this is not the answer. I was trying to verify the feedback about JRE 7u65 not able to accept "java_arguments"; however, I setup a Windows x32 and installed (new) 7u65 without upgrade from any older version. With the "java_arguments", the machine is able to load the applet in IE8 and FF30, when few specific PCs do fail the same applet with upgraded u65.
I have a java web start app that extracts a dll from itself to a temp file, and loads it via System.load("full\path\to\dll").
That completes successfully. However, when I try to invoke the native methods in that dll, I get an UnsatisfiedLinkError with the name of the method.
This is a Windows 7 box, 32 bit 1.7.0_45 (and _51) jre's. This same code works everywhere else except for some computers for 1 customer.
Supposedly the accounts have no local admin permissions (that's normal) and are running Microsoft Security Center Endpoint Protection. Is there some conflict between MS EPP and java's LoadLibrary calls? My google-fu couldn't find it if there is. Or what else could explain this problem?
At first the dll wasn't signed (it's never had to be before), but I tried signing it with our code signing cert to see if that had anything to do with it, but no help.
First of all just put the library file into the application
directory.(ie App Path) Then use System.load(dll_name.dll).It will
surely success. Please check the OS you are using.
For Windows :- Library extension is ".dll"
For Linux :- Library extension is ".so"
So the ".dll" in Linux will give the UnSatisfiedLinkError(Vice versa).
Then also check for the processor Architecture like.
x86
x64
This is a bit of a late followup, but the solution to the problem related to AppSense. It was silently interfering with the load library call because the DLL was being extracted to a temp directory and that violated their policy. The effect was that the library loaded but appeared empty.
We had to sign the dll with our code signing certificate (which the jar's were already signed with), and the customer's AppSense team had to add a rule to allow our signed DLLs to be loaded.
It was a maddening problem. Hopefully this followup helps someone else.
I have a long standing domino application that uses embedded views to display data. This application has been moved from a server 2003, 32 bit, domino 8.5 environment to a new server 2008 R2 64 bit domino 8.5.3 FP6 environment.
I have everything up and working as before with the exception of embedded views. They are giving a SecurityException "Missing required Permissions manifest attribute in main jar: http://*.com/domjava/nvapplet.jar".
I have confirmed that the actionbar.jar, editor.jar, nvapplet.jar, and outline.jar are the current version on the server. I have even replaced them with the version from the IBM download (http://www-01.ibm.com/support/docview.wss?uid=swg21662233).
I can get this to work by displaying the view as HTML instead of Java Applet, but I don't understand what the issue is with the java version?
There were major security changes to Java in relation to applets. You can download the latest applets here.
http://www-01.ibm.com/support/docview.wss?uid=swg21662233
You may need to clear your browser cache if it still persists after that.
[update] The question now mentions that you installed Fixpack 6, installed the Jars then uninstalled Fixpack 6.
When you uninstall a fix pack, it reverts the files it touches back to what they were before the fix pack was installed. Although I have no details on it, it is quite likely that the updated security applets were also added to fix pack 6 (as it's the last fix pack for R8.5.3).
So during the uninstall the applets look the same as FP6 and it reverts them.
To solve this, after the revert you would need to drop in the updated applets again.
If the issue still persists at this point, you need to open the Java Console on your browser and update your question with the logs it generates (as it pertains to the error).
Turns out this situation may have been a little unique, but I will post it here for future reference in case anyone else runs into this. The server was a fresh build of windows and domino all the way up to 8.5.3 FP6. The FP6 installer date stamps the jars in question with the install date of the system. So in my case I had people come to the site, download the jar with a file date newer than 1/17/2014, which is the date of the files IBM put in the fix mentioned above. Those files are a simple flat copy so they always maintain the 1/17/2014 date. Anyway, any user that came and picked up the newer date files 3/1/2014 for example would keep those files or rev date in their local java machine cache and ignore the 1/17/2014 file I had replaced them with, thus they continued to show the problem. Only by manually clearing their cache from the java were they able to pick up the 1/17/2014 file and no longer have the issue.
Actually from what I was told via IBM FP 6, does not include the fixed .jars. That was my main problem assuming it did.