Recently security vulnerabilities were discovered in the Java Plug-In [1]. As a protection for the end user, Java in most browsers was disabled promptly. What do the 'Java disabled' warnings look like?
Does the blocking of applets also affect Java Web Start apps. (they are launched from a link in a web page) aimed at desktop use?
[1] Security vulnerability in the Oracle Java Plug-In. For more details see:
The JRE 1.7 Vulnerability Q&A at SO.
Oracle Security Alert for CVE-2013-0422
The Java™ SE Development Kit 7, Update 11 (JDK 7u11) release notes - the version in which the vulnerability was fixed.
What do the 'Java disabled' warnings look like?
This is how Oracle's test Java page appears now. It is an embedded applet.
FireFox
Chrome
Message in yellow bar at top of browser:
Java(TM) was blocked because it is out of date. Update plug-in... Run this time - learn more x
Shown in place of applet, and on right click produces menu..
Note re version 1.7.0_11
Java version 1.7.0_11 that fixes the bug, mentioned in the last link in the question, does not enable the browsers again. Those warnings above were seen despite that this info. can be seen after enabling the plug-in for either browser..
It might indicate that the Oracle fix for the bug is to permanently load applets in this 'prompted for every one' way. That might not be a bad thing.
Does the blocking of applets also affect JWS apps?
No it does not. Just applets (and applets embedded using JWS).
Here is how you might see a JWS app. deployed using deployJava.js which (checks for the JRE and) shows an icon like this (without prompt - if installed).
If launching (for example) the JavaFX 1.2 demo. - Powerful UI Capabilities With Node-Based Controls I see the icon for launching the JWS app. At the same (security vulnerability) time I still see that warning on the applet mentioned above.
Note that the Java FX demo. does itself have security risks/prompts for 'application components that might indicate a security concern' from 'mixing signed & unsigned code'.
Apache Pivot web site.
Latest release July 04, 2017, Pivot 2.0.5
Demos page: https://pivot.apache.org/demos/
Clicking any demo causes the following banner to appear:
I tried in Chrome, Firefox and Opera.
If you click More info, it passes you to the Java download page: https://java.com/en/download/win10.jsp
How to fix?
I don't want to download and install the latest JRE. I have a JDK/JRE version installed and am satisfied with it. I want it to run.
That message is telling you that the page is trying to run a Java applet (that's what the Java plug-in does).
If you want to run a Java applet, you'll have to use an obsolete (or minor brand) browser, which obviously one doesn't recommend.
Chrome and Firefox have both dropped support for the Java plug-in (and support for NPAPI plugins in general, although they've whitelisted Flash for a little while), and Edge never had it. Reasons for this vary depending on who you ask and when you ask them, but essentially A) The Java plug-in had a long history of security issues, B) Supporting the underlying NPAPI is a non-trivial technical debt that browser vendors no longer want to carry, C) Now that the web has matured a great deal, with native video, animation, etc., the need for NPAPI-style plugins is greatly reduced.
A signed Java applet will run in IE11 if you tell your Java installation to allow it (on the Java configuration applet's Security tab). I have no idea whether an unsigned one will. I hope not.
Otherwise, you can't run the Java applet. Because this is the 21st century. :-)
If you inspect the page, Apache Pivot uses the applet org.apache.pivot.wtk.BrowserApplicationContext$HostApplet with the signed jar pivot-core-2.0.5.signed.jar.
It calls runApplet and fails on check:
if(document.readyState=="complete"){
clearInterval(B);h()}},15);
k("[runApplet()] Java Plug-in is not supported by this browser");return
}
The support of applet technology is down due to security issues. See the great explanation on the Super User site.
My corporate web application is using a Java applet to access the users' file system. There is no way for us to replace it with anything else for now.
How do I enable Java in Microsoft Edge?
As other folks have mentioned, Java, ActiveX, Silverlight, Browser Helper Objects (BHOs) and other plugins are not supported in Microsoft Edge. Most modern browsers are moving away from plugins and toward standard HTML5 controls and technologies.
If you must continue to use the Java plugin in a corporate web app, consider adding the site to an Enterprise Mode site list. This will automatically prompt the user to open in IE.
You cannot open Java Applets (nor any other NPAPI plugin) in Microsoft Edge - they aren't supported and won't be added in the future.
Further you should be aware that in the next release of Google Chrome (v45 - due September 2015) NPAPI plugins will also no longer be supported.
Work-arounds
There are a couple of things that you can do:
Use Internet Explorer 11
You will find that in Windows 10 you will already have Internet Explorer 11 installed. IE 11 continues to support NPAPI (incl Java Applets).
IE11 is squirrelled away (c:\program files\internet explorer\iexplore.exe). Just pin this exe to your task bar for easy access.
Use FireFox
You can also install and use a Firefox 32-bit Extended Support Release in Win10. Firefox have disabled NPAPI by default, but this can be overridden. This will only be supported until early 2018.
Edge has dropped all support for plugins. This means that Java, ActiveX, Silverlight, and other plugins are no longer supported. For this reason Microsoft has included Internet Explorer 11, which does support these plugins, with non-mobile versions of Windows 10. If you are running Windows 10 and need plugin support Edge is not an option, but IE 11 is.
About this, Java declares that on Windows 10, the Edge browser does not support plugins, so it will NOT run Java.
(see https://www.java.com/it/download/win10.jsp --> only visible with Edge in Win10)
It also reports a notice: Java is not officially supported yet in Windows 10.
(see https://www.java.com/it/download/faq/win10_faq.xml)
IE11 does accept Java according to the link below:
http://windows.microsoft.com/en-us/internet-explorer/install-java#ie=ie-11
And Firefox also intended to remove NPAPI by the end of 2016 according to:
https://blog.mozilla.org/futurereleases/2015/10/08/npapi-plugins-in-firefox/
That Java applets are not working in modern browsers is known, but there is a quick workaround, which is to activate the Microsoft compatibility mode. This mode can be activated in your Edge browser, and you can select to open the pages in IE compatibility mode; in this fashion ActiveX, Java and so on work as in IE11.
Microsoft Edge in IE mode supports the following Internet Explorer functionality:
All document modes and enterprise modes
ActiveX controls (such as Java or Silverlight)
As refs:
https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RWEHMs
I hope you are doing well.
You can download and add an Edge extension to the MS Edge browser that will allow you to run Java applets.
You can try the extension called CheerpJ Applet Runner.
I'm the author of Wordle, one of the few surviving Java applets in the wild.
Recently, I received user reports of warnings that my (signed) applet would soon be blackballed by the JRE because it did not explicitly specify a "Permissions" attribute in its manifest. So, now the MANIFEST.MF correctly specifies
Permissions: sandbox
and the <applet> tag includes the magical
<param name="permissions" value="sandbox" />
param, as documented.
Now, folks who have bent over backwards to install the OS X JRE 7 can run Wordle with no difficulty, but folks (like many school IT admins) stuck on JRE 6 cannot run the applet at all; they get
java.lang.SecurityException: JAR manifest requested to run in sandbox only:
http://wordle.appspot.com/j/v1390/wordle.jar
at com.sun.deploy.security.DeployManifestChecker.verify(DeployManifestChecker.java:106)
at com.sun.deploy.security.DeployManifestChecker.verify(DeployManifestChecker.java:84)
at com.sun.deploy.security.TrustDecider.isAllPermissionGranted(TrustDecider.java:319)
at com.sun.deploy.security.TrustDecider.isAllPermissionGranted(TrustDecider.java:280)
at com.sun.deploy.security.TrustDecider.isAllPermissionGranted(TrustDecider.java:270)
at sun.plugin2.applet.Plugin2Manager.isAppletSigned(Plugin2Manager.java:3289)
at sun.plugin2.applet.Plugin2Manager.createApplet(Plugin2Manager.java:3207)
at sun.plugin2.applet.Plugin2Manager$AppletExecutionRunnable.run(Plugin2Manager.java:1536)
at java.lang.Thread.run(Thread.java:695)
The symptom suggests that the Java 6 plugin assumes that the signed applet should run in all-permissions mode, and thinks that the request for sandbox in the manifest is an error. It ignores, in other words, the permissions param in the applet tag.
Does anyone know of any way for me to help my users other than setting the applet to run in all-permissions mode? I'd prefer to stay sandboxed, both because I don't want people to be afraid to use Wordle, and because I don't want to create an attack surface.
Reply from Apple to my bug report.
Apple Developer Relations 15-Aug-2014 05:12 PM
Engineering has determined that this is an issue for a third party to
resolve based on the following:
This issue is with the Oracle manifest checker, which is in conflict
with the instructions Oracle has given developers to run applets in
Java 7.
We delivered Oracle's Java SE 6 security checker, as they designed in
our version of Java SE 6. It is mutually incompatible with future
versions of Java, but there is nothing Apple will do to address it,
since we are no longer support Java SE 6 on 10.6.8.
We are now closing this bug report.
If you have questions regarding the resolution of this issue, please
update your bug report with that information.
Please be sure to regularly check new Apple releases for any updates
that might affect this issue.
In other words, they don't support Apple Java any more (even though anyone with OS X 10.6.8 or earlier is forced to use Apple Java), so they're blaming this on Oracle's original spec - which apparently Oracle themselves didn't follow, or this same bug would exist for Oracle Java 6.
Okay, I tried A LOT! If not everything! I'm pretty sure there is NO WAY to let a self signed applet run in sandbox mode with the latest update (1.6.0_65-b14-462-10M4609).
The only chance I had was to
downgrade to 1.6.0_51
remove Permissions tag and param completely from manifest and applet-tag
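A check for the manifest and applet-tag settings discussed in this thread, as an added example (not Wordle's or Oracle's code): it reads the Permissions attribute from the main section of MANIFEST.MF and compares it with the permissions param. The sample manifest and markup are constructed, the function and finding names are hypothetical, and values are compared exactly against the two documented spellings, which is an assumption about how strict the plug-in is.

```javascript
// Audit the Permissions setting of a JAR manifest against its <applet> tag.
const VALID = new Set(["sandbox", "all-permissions"]);
// Main-section attributes of MANIFEST.MF. A line starting with one space
// continues the previous line; the first blank line ends the main section.
function parseMainAttributes(text) {
  const attrs = new Map();
  let last = null;
  for (const line of text.split(/\r\n|\r|\n/)) {
    if (line === "") break;
    if (line.startsWith(" ") && last !== null) {
      attrs.set(last, attrs.get(last) + line.slice(1));
      continue;
    }
    const i = line.indexOf(": ");
    if (i < 1) continue; // skip anything that is not "Name: value"
    last = line.slice(0, i).toLowerCase(); // attribute names are case-insensitive
    attrs.set(last, line.slice(i + 2));
  }
  return attrs;
}

// Value of <param name="permissions" value="...">, or null when absent.
function appletPermissionsParam(html) {
  for (const tag of html.match(/<param\b[^>]*>/gi) || []) {
    const name = /\bname\s*=\s*["']([^"']*)["']/i.exec(tag);
    const value = /\bvalue\s*=\s*["']([^"']*)["']/i.exec(tag);
    if (name && value && name[1].toLowerCase() === "permissions") return value[1].trim();
  }
  return null;
}

function auditPermissions(manifestText, html) {
  const raw = parseMainAttributes(manifestText).get("permissions");
  const manifest = raw === undefined ? null : raw.trim();
  const tag = appletPermissionsParam(html);
  const findings = [];
  if (manifest === null) findings.push("manifest-missing-permissions");
  else if (!VALID.has(manifest)) findings.push("manifest-invalid-value");
  if (tag === null) findings.push("tag-missing-permissions-param");
  else if (manifest !== null && tag !== manifest) findings.push("manifest-tag-mismatch");
  // Reported in the question above: the Java 6 plug-in refuses such a signed JAR.
  if (manifest === "sandbox") findings.push("java6-plugin-rejects-sandbox-manifest");
  return { manifest, tag, findings };
}
// Constructed sample: folded value, plus a per-entry section that must be ignored.
const SAMPLE_MANIFEST = "Manifest-Version: 1.0\r\nPermissions: sand\r\n box\r\n\r\n" +
  "Name: example/Entry.class\r\nPermissions: all-permissions\r\n";
const SAMPLE_HTML = '<applet code="Example.class"><param name="permissions" value="sandbox" /></applet>';
console.log(auditPermissions(SAMPLE_MANIFEST, SAMPLE_HTML));
```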
Is there a way to detect if Java is installed on your machine or if Java is disabled in the browser? We use Java applets in our application but before the applet is loaded we use "deployJava.js". Sadly, even if Java is disabled in the browser it says Java is not installed.
So is there a way to differentiate if Java is installed or Java is disabled, preferably using JavaScript? I have also tried using "navigator.javaEnabled()" but it gives me the same result as using "deployJava.js".
You can't.
And that would be very annoying if you could. There's already enough information leaking from the browser to the page, if it started telling people what I have installed but that I have ostensibly disabled, that would be very annoying.
I guess it could be possible and useful to envision an API for that, but in the current state there isn't any: either the plugin is here to be used, or it isn't. It doesn't matter whether it's installed or not.
I guess you'll have to work around it by stating in your user-facing messages that Java either needs to be installed or enabled. Or you could offer to download a diagnostic tool to run it and check it locally, that could be another working alternative, though with the obviously annoying extra-steps to perform (and an additional tool for you to support).
Add a redirect to the HTML page in question. Redirect to javaNotEnabledOrNotInstalled.html (but think of a less descriptive and silly name for it).
Early in the applet init(), call JS to cancel the redirect.
Note also that in the traditional applet element..
<applet
code=..
width=..
height=..
alt='Java is installed but disabled!'>
No Java Plug-In installed in this browser. Get Java free from..
</applet>
In this circumstance, if Java is not installed at all, the user should see..
No Java Plug-In installed in this browser. Get Java free from..
However if Java is installed but disabled, they should see..
Java is installed but disabled!
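The redirect-and-cancel approach from the answer above, as an added example that is not part of the original answer: the page arms a delayed redirect and the applet cancels it from init(). The names armJavaFallback, appletStarted, makeStubWindow and java-help.html are hypothetical; the stub window exists only so the logic can run outside a browser.

```javascript
// Redirect to a help page unless the applet reports in before the grace period ends.
// `win` needs setTimeout, clearTimeout and location: a browser window, or a stub.
function armJavaFallback(win, fallbackUrl, graceMs) {
  let state = "waiting"; // waiting -> running | redirected
  const timer = win.setTimeout(() => {
    if (state !== "waiting") return;
    state = "redirected";
    win.location.href = fallbackUrl;
  }, graceMs);
  // The applet calls this early in init() through LiveConnect, for example
  // JSObject.getWindow(this).call("appletStarted", null) on the Java side.
  win.appletStarted = () => {
    if (state !== "waiting") return false; // already redirected, or called twice
    state = "running";
    win.clearTimeout(timer);
    return true;
  };
  return () => state;
}

// Stub window with a manually fired timer (constructed for this example).
function makeStubWindow() {
  const win = { location: { href: "applet.html" }, pending: null };
  win.setTimeout = (fn) => { win.pending = fn; return 1; };
  win.clearTimeout = () => { win.pending = null; };
  win.elapse = () => { if (win.pending) { const fn = win.pending; win.pending = null; fn(); } };
  return win;
}

// Runs both outcomes and returns [state, final URL] for each.
function demo() {
  const ok = makeStubWindow();
  const okState = armJavaFallback(ok, "java-help.html", 5000);
  ok.appletStarted(); // plug-in present and enabled: the applet cancels the redirect
  ok.elapse();
  const bad = makeStubWindow();
  const badState = armJavaFallback(bad, "java-help.html", 5000);
  bad.elapse(); // plug-in missing or disabled: nothing cancels the timer
  const late = bad.appletStarted(); // a late call must not undo the redirect
  return { ok: [okState(), ok.location.href], bad: [badState(), bad.location.href], late };
}
console.log(demo());
```

As the answers in this thread note, the redirect target still cannot tell "not installed" from "disabled"; only the alt text of the applet element distinguishes the two.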
Here is something js window.navigator.plugin
I am deploying a signed & trusted applet. We need to run the applet in a separate JVM & increase the heap size. Setting separate_jvm & java_arguments works on our local boxes. Curiously we have clients that though they are using 1.6.0_15 don't seem to be running the new plugin architecture.
When I check their Java config, "use next-generation plugin" is checked & IE7's option "use Java 1.6.0_15 for applet plugin" is also checked. Nothing seems obviously wrong. The Java console also reports the correct version, but neither separate_jvm nor java_arguments are respected.
Just as a sanity check we wrapped the applet in a JNLP & set up our web page to serve the applet with a jnlp_href. The applet tag had a bogus code parameter to ensure the JVM was actually running the JNLP. The Java console complains that it cannot find the bogus class when it should be properly loading the JNLP.
Are there security settings or something else that might cause what I'm seeing?
I'm afraid I've just a few suggestions rather than an absolute answer.
The Java virtual machine version and plug in version can be different. Go to Control Panel, Java, Runtime Environment settings. When you check the console it may show the two different versions.
The new plugin architecture would depend on browser, Opera doesn't use it at all, for example. IE7 does though. So check which browser it works on.
Java has got corrupted due to repeated installs and uninstalls. Pretty common complaint I've found.
If you have control over one of the machines you should uninstall every Java. Restart machine. Install latest Java.