Java 7 update security changes

Mark Taylor m.b.taylor at bristol.ac.uk
Tue Jan 14 06:58:22 PST 2014


Hi all,

Laurent Bourges has pointed out that in the version of Java 7 released
this month (I think it's 7u45 or 7u51, I can't quite tell), new
restrictions have been introduced on deployment of RIAs (WebStart
and Applets).  Details here:

   https://blogs.oracle.com/java-platform-group/entry/new_security_requirements_for_rias

As far as I can tell this means that WebStart/JNLP applications,
as well as applets, will stop working for users who have the latest
Java installations, until/unless the relevant jar files:

   a) have an appropriate "Permissions" attribute in the Manifest
   b) are signed by a trusted Certificate Authority

This appears to be true even if the applications in question don't
need to do any of the things that normally require security permissions.

For JNLP deployers, (a) is easy enough to fix.  (b) however may not be,
since in general it requires that the jar file is signed with a
certificate you have to pay for.  The documentation seems to indicate
that self-signed certificates no longer just give you a scarier
confirmation dialogue, they stop the thing running at all.
So if you can (i.e. if you have access to a trusted certificate),
you should make sure that steps (a) and (b) are satisfied in your
deployed WebStart applications.  I fixed the topcat webstart links
this morning, and JMMC have done theirs.

If I've got this analysis right, it looks like a major pain for
those deploying JNLP applications who do not have access to
(or means of paying for) a trusted certificate.

This message is mainly a heads-up, but if anyone has any comments
or workarounds, or thinks I've got it wrong, please follow it up
on the list.

Laurent spotted this and asked me to post it to the list.
He's probably more on top of the details than I am though,
and can presumably contribute to follow-up discussion.

Mark

--
Mark Taylor   Astronomical Programmer   Physics, Bristol University, UK
m.b.taylor at bris.ac.uk +44-117-9288776  http://www.star.bris.ac.uk/~mbt/
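
Added example, not part of the original message: a pre-deployment check that a jar carries a "Permissions" attribute in the main section of its manifest (a) and contains signature files (b). The function names and the sample jars are constructed for illustration, and the check only detects that a signature is present; it does not validate the certificate chain against a trusted Certificate Authority.

```python
import io
import zipfile

VALID_PERMISSIONS = {"sandbox", "all-permissions"}  # values Java 7 documents
SIG_BLOCK_EXTS = (".RSA", ".DSA", ".EC")            # jarsigner signature blocks

def main_attributes(manifest_bytes):
    """Parse the main section of MANIFEST.MF, joining continuation lines."""
    text = manifest_bytes.decode("utf-8", errors="replace")
    lines = []
    for raw in text.replace("\r\n", "\n").replace("\r", "\n").split("\n"):
        if raw == "":
            break                      # a blank line ends the main section
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]       # leading space = continuation line
        else:
            lines.append(raw)
    pairs = (line.partition(":") for line in lines)
    # Attribute names are case-insensitive, so normalise them to lower case.
    return {k.strip().lower(): v.strip() for k, sep, v in pairs if sep}

def check_jar(jar_file):
    """Return a list of problems; an empty list means both checks passed."""
    with zipfile.ZipFile(jar_file) as jar:
        names = jar.namelist()
        if "META-INF/MANIFEST.MF" not in names:
            return ["no META-INF/MANIFEST.MF"]
        attrs = main_attributes(jar.read("META-INF/MANIFEST.MF"))
    problems = []
    perm = attrs.get("permissions")
    if perm is None:
        problems.append("manifest has no Permissions attribute")
    elif perm not in VALID_PERMISSIONS:
        problems.append("unexpected Permissions value: " + perm)
    meta = [n.upper() for n in names
            if n.upper().startswith("META-INF/") and n.count("/") == 1]
    if not (any(n.endswith(".SF") for n in meta)
            and any(n.endswith(SIG_BLOCK_EXTS) for n in meta)):
        problems.append("no signature files in META-INF (jar is unsigned)")
    return problems

def make_jar(manifest, extra=()):
    """Build a constructed sample jar in memory (placeholder contents)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", manifest)
        for name in extra:
            z.writestr(name, b"constructed placeholder")
    return io.BytesIO(buf.getvalue())
```

A jar that passes this check still needs `jarsigner -verify` and a look at the certificate issuer to confirm the signature is valid and chains to a trusted CA.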

