Liveconnect Applet problems
Solution 1
Today I ran into this problem on Ubuntu 14.10, Firefox 35.0.1 & Oracle Java JRE 1.8.0_31. It is related in some way to JRE utility class in deploy.jar which doesn't work properly on Linux (NativeMixedCodeDialog). On Windows, when you try to access Liveconnect (which implies MIXED security mode) a dialog is shown by this class to kindly ask you for a confirmation. This, for some unknown reasons, doesn't happen on Linux.
You can easily try to check this, by running this command:
/usr/lib/jvm/java-8-oracle/jre/bin/java -cp /usr/lib/jvm/java-8-oracle/jre/lib/deploy.jar com.sun.deploy.uitoolkit.ui.NativeMixedCodeDialog "Some Aplet" "Web Site:" "https://localhost" "Publisher:" "Some publisher" "Do not show this again for this app and web site."
My solution was to use Deployment Rule Set to force Java to trust my app.
This might be a no-go for production use, but it let me develop further until this NativeMixedCodeDialog
gets fixed.
So straight to the point:
- Create a file named ruleset.xml
-
Fill it with content according to this documentation, for ex.
<?xml version="1.0" encoding="UTF-8"?> <ruleset version="1.0+"> <rule> <id location="https://localhost/" /> <action permission="run" version="SECURE" /> </rule> </ruleset>
-
Put this into jar
jar cvf DeploymentRuleSet.jar ruleset.xml
-
Sign this jar with certificate valid in
cacerts
, it might be self-signed certificate, but it needs to be found in java cacert file, not just trusted in control paneljarsigner -verbose -keystore ~/selfsigned.p12 -storetype pkcs12 DeploymentRuleSet.jar selfsigned
Copy signed jar to
/etc/.java/deployment/
- Possibly restart your browser everything should be working fine
Solution 2
The answer from @Seba was fantastic, but I can add some commands that you might need:
Create self signed certificate:
~/CERTIFICATE $ keytool -genkey -keyalg RSA -alias selfsigned -keystore keystore.jks -validity 360 -keysize 2048
Export the key from the keystore:
keytool -exportcert -alias selfsigned -keystore keystore.jks -rfc -file selfsigned.cer
Export/Convert the jks keystore into PKCS12 keystore (possibly redundant if you can sign with the ".jks" keystore instead of ".p12" in later step, I did not try):
keytool -importkeystore -srckeystore keystore.jks -destkeystore keystore.p12 -deststoretype PKCS12
Find the cacerts keystore for your java:
locate cacerts
...
/usr/lib/jvm/java-8-oracle/jre/lib/security/cacerts
Import key into cacerts:
sudo keytool -import -alias selfsigned -file selfsigned.cer -keystore /usr/lib/jvm/java-8-oracle/jre/lib/security/cacerts
And now you create the ruleset.xml file (omit location for "everything", which obviously defeats the security):
<?xml version="1.0" encoding="UTF-8"?>
<ruleset version="1.0+">
<rule>
<id />
<action permission="run" />
</rule>
</ruleset>
Jar it up:
jar cvf DeploymentRuleSet.jar ruleset.xml
Sign it:
jarsigner -verbose -keystore ~/CERTIFICATE/keystore.p12 -storetype pkcs12 DeploymentRuleSet.jar selfsigned
And finally, even though there is a .java/deployment directory in your user's directory, you DO need to copy it to the (possibly non-existent) directory /etc/.java/deployment
At least for Firefix, you do not need to restart the browser, as long as you kill the java-process that the browser has started. If it is the only java-process around, then running the following command should do it:
killall java
Mattos
Updated on June 04, 2022Comments
-
Mattos almost 2 years
Cannot call applet methods from javascript. A error appears on the log
-> liveconnect: Security Exception: JavaScript from http:url:port/application attempted to access a resource it has no rights to.
Manifest-Version: 1.0 Application-Name: application Created-By: Apache Maven 3.0.4 Caller-Allowable-Codebase: * Application-Library-Allowable-Codebase: * Build-Jdk: 1.7.0_72 Permissions: all-permissions Codebase: *
The java security setting is set to meddium
JRE Version 1.8.0_25-b17
Applet Signed by a trusted source, and the applet jar is downloaded from the same domain as the calling page.
If I try to call the applet method from firebug javascript console another error shows up: Error: Liveconnect call for Applet ID 4 is not allowed in this JVM instance
The applet TAG:
<applet id="applet" code="applet.core.AppletBootstrap" codebase="/applet" archive="applet.jar" width="650" height="500" mayscript="mayscript"> <param name="cache_archive" value="applet.jar"/> <param name="cache_version" value="2.4.17.2,2.4.17.2,2.4.17.2,2.4.17.2,2.4.17.2"/> <param name="conversationId" value="e00ed781a56a4378a285d7839a9925bf"/> <param name="userAgent" value="Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.65 Safari/537.36" /> <param name="java_status_events" value="true"/> <param name="separate_jvm" value="true"/> <param name="classloader_cache" value="false"/> <param name="java_arguments" value="-Xmx128m -Djnlp.packEnabled=true "/> </applet>
EDIT: @Seba JDK-8058697 is a OpenJDK bug related to this issue, unfortunately it is not accessible to me - You can see a duplicate of it: here
EDIT 2: Java 8 update 40 is working again
-
Seba about 9 yearsJDK-8058697 is a OpenJDK bug related to this issue, unfortunately it is not accessible to me - You can see a duplicate of it: here
-
stolsvik about 9 yearsThanks - lifesafer! I added some extra commands to this in my own answer (how to generate the selfsigned cert etc)
-
Mattos about 9 yearsIt worked, im gonna mark your answer as the right one, and upvote the @stolvik answer.