Aladin.jar new signature - Java 7 update security changes

Pierre Fernique Pierre.Fernique at astro.unistra.fr
Fri Jan 31 09:26:11 PST 2014


Hi all,

Just a short announcement about Aladin.

Since Friday 31 January 2014, the Aladin jar packages 
(http://aladin.u-strasbg.fr/java/Aladin.jar (version 7.5) and 
http://aladin.u-strasbg.fr/java/AladinBeta.jar (version 8.xxx)) have been 
signed with a trusted Certificate Authority, allowing users to launch 
them remotely even with the latest Oracle Java update.

If you are distributing Aladin as an Applet or a WebStart from your own 
Web servers, download and replace your jar package with this new one to 
support the new Oracle security policy (note that there is no need 
to install this new package for standalone usage).

Best regards
Pierre Fernique

On 14/01/2014 15:58, Mark Taylor wrote:
> Hi all,
>
> Laurent Bourges has pointed out that in the version of Java 7 released
> this month (I think it's 7u45 or 7u51, I can't quite tell), new
> restrictions have been introduced on deployment of RIAs (WebStart
> and Applets).  Details here:
>
>     https://blogs.oracle.com/java-platform-group/entry/new_security_requirements_for_rias
>
> As far as I can tell this means that WebStart/JNLP applications,
> as well as applets, will stop working for users who have the latest
> Java installations, until/unless the relevant jar files:
>
>     a) have an appropriate "Permissions" attribute in the Manifest
>     b) are signed by a trusted Certificate Authority
>
> This appears to be true even if the applications in question don't
> need to do any of the things that normally require security permissions.
>
> For JNLP deployers, (a) is easy enough to fix.  (b) however may not be,
> since in general it requires that the jar file is signed with a
> certificate you have to pay for.  The documentation seems to indicate
> that self-signed certificates no longer just give you a scarier
> confirmation dialogue, they stop the thing running at all.
> So if you can (i.e. if you have access to a trusted certificate),
> you should make sure that steps (a) and (b) are satisfied in your
> deployed WebStart applications.  I fixed the topcat webstart links
> this morning, and JMMC have done theirs.
>
> If I've got this analysis right, it looks like a major pain for
> those deploying JNLP applications who do not have access to
> (or means of paying for) a trusted certificate.
>
> This message is mainly a heads-up, but if anyone has any comments
> or workarounds, or thinks I've got it wrong, please follow it up
> on the list.
>
> Laurent spotted this and asked me to post it to the list.
> He's probably more on top of the details than I am though,
> and can presumably contribute to follow up discussion.
>
> Mark
>
> --
> Mark Taylor   Astronomical Programmer   Physics, Bristol University, UK
> m.b.taylor at bris.ac.uk +44-117-9288776  http://www.star.bris.ac.uk/~mbt/
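
Added example, not part of either message and not Aladin or TOPCAT code: a Python check of a jar against the two requirements listed in the quoted message, (a) a "Permissions" attribute in the main manifest section and (b) signature files in META-INF. It only detects that a signature is present; whether the signer chains to a trusted Certificate Authority still has to be verified separately, for instance with `jarsigner -verify -verbose -certs`. Assumptions: the function names and sample jars are constructed for illustration, and `sandbox` / `all-permissions` are the values Oracle documents for this attribute.

```python
import io
import zipfile

def main_attributes(manifest_text):
    """Parse the main section of a MANIFEST.MF (everything before the first blank line)."""
    attrs, last = {}, None
    for line in manifest_text.splitlines():
        if not line.strip():
            break                                  # blank line ends the main section
        if line.startswith(" ") and last:
            attrs[last] += line[1:]                # continuation of a wrapped value
        else:
            name, _, value = line.partition(":")
            last = name.strip().lower()            # attribute names are case-insensitive
            attrs[last] = value.strip()
    return attrs

def check_jar(jar_bytes):
    """Return the list of problems found for requirements (a) and (b)."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = jar.namelist()
        if "META-INF/MANIFEST.MF" not in names:
            return ["no META-INF/MANIFEST.MF"]
        manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    problems = []
    perms = main_attributes(manifest).get("permissions")
    if perms is None:                              # requirement (a)
        problems.append("manifest has no Permissions attribute")
    elif perms not in ("sandbox", "all-permissions"):
        problems.append("unexpected Permissions value: %r" % perms)
    meta = [n.upper() for n in names if n.upper().startswith("META-INF/") and n.count("/") == 1]
    signed = (any(n.endswith(".SF") for n in meta)
              and any(n.endswith((".RSA", ".DSA", ".EC")) for n in meta))
    if not signed:                                 # requirement (b), presence only
        problems.append("jar is unsigned: no .SF file plus signature block in META-INF")
    return problems

def build_jar(manifest, extra=()):
    """Build a constructed sample jar in memory (test data, not a real Aladin jar)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", manifest)
        for name in extra:
            jar.writestr(name, b"placeholder")
    return buf.getvalue()

if __name__ == "__main__":
    print(check_jar(build_jar("Manifest-Version: 1.0\r\n\r\n")))
    print(check_jar(build_jar("Manifest-Version: 1.0\r\nPermissions: sandbox\r\n\r\n",
                              ["META-INF/SIGNER.SF", "META-INF/SIGNER.RSA"])))
```

To check a deployed file, pass its bytes: `check_jar(open("Aladin.jar", "rb").read())`.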

