What are the new manifest entries required for applets?

Java 1.7 has recently added new security requirements when running applets. Java now requires additional entries in the manifest files of the jars that the applet use.  If these entries are not present, Java will show warning dialogs raising security concerns. Starting with Java 1.7 update 51, some of these entries are now required and the applet will not run at all of they are missing.

Warning: This application will be blocked in a future Java security update because the JAR file manifest does not contain the Permissions attribute. Please contact the Publisher for more information.

The following Manifest entries should be included in all the jar files that an applet uses:

Permissions – The applet requests permissions by using this attribute.  Because many of our products need to have access to resources on the client computers, such as the printer, files or network connections, Qoppa’s jar files ship with this attribute set to “all-permissions”:

Permissions: all-permissions

Codebase – This entry is used to restrict the applet to run on a specific website, so that it cannot be used in any other website.  Qoppa’s jar files ship with this attribute set to allow deployment on any website, as our products are deployed by our customers in many websites:

Codebase: *

Application-Name – This attribute is used to name the applet when showing security prompts to end users.  Even though this attribute is only used to show the name to end users, Java claims that in future versions, it will not run applets that do not have this attribute.  Qoppa’s jar files ship with this attribute set to the appropriate product name:

Application-Name: Qoppa jPDFNotes

Caller-Allowable-Codebase – This attribute is necessary if the applet will be called from JavaScript in the webpage.  Java methods inside an applet can be accessed from JavaScript code on the webpage.  However, this is now blocked by default unless this attribute is present.  Because Qoppa’s products are designed to be accessible from JavaScript, our jar files ship with this attribute set to allow this:

Caller-Allowable-Codebase: *

Application-Library-Allowable-Codebase – This attribute is only needed when the jar files used by an applet are placed in a different folder on the web server than the HTML or JNLP files used to launch the applet. If the jar files are in a different folder and this attribute is not present, the applet runner will display additional warnings. Because our jar files can be placed in any folder on the web server, our jar files ship with this attribute as follows:

Application-Library-Allowable-Codebase: *

All jar files that the applet uses need to have these attributes in their manifest, otherwise Java will show security warnings as each jar file is loaded.

How to add these manifest entries to the jar file?

Building with ant

Here is the manifest node that we use to add the above manifest attributes when we build our jar webnotes.jar with ant:
<pre>
<jar destfile=”build-output/webnotes.jar”>
<manifest>
<attribute name=”Permissions” value=”all-permissions”/>
<attribute name=”Codebase” value=”*”/>
<attribute name=”Caller-Allowable-Codebase” value=”*”/>
<attribute name=”Application-Name” value=”Qoppa jPDFNotes PDFWebNotes”/>
<attribute name=”Application-Library-Allowable-Codebase” value=”*”/>
</manifest>
<fileset dir=”../jPDFNotesSamples” includes=”qoppa/webNotes/**/*”/>
</jar>
</pre>

To have a look at a jar file that includes these entries, you can open the following jar file and look in the META-INF folder:

https://www.qoppa.com/files/pdfnotes/demo/webnotes.jar

ScreenHunter_01 Jan. 16 09.30
Looking into the META-INF folder of our jar webnotes.jar. Open the Manifest file (MANIFEST.MF) and notice all the attributes present in the manifest.

For more information, read How to add the new manifest entries to your jar through command-line or through an ant build. 

For more information, please have a look at the following page posted by Oracle:

https://docs.oracle.com/javase/7/docs/technotes/guides/jweb/security/manifest.html