JDK / JDK-8065891

Security Warning "Allow access to app?" not obeying "Do not show again" checkbox

    Details

    • Subcomponent:
    • CPU: x86
    • OS: windows_2008

      Description

      FULL PRODUCT VERSION :
      java version "1.8.0_25"
      Java(TM) SE Runtime Environment (build 1.8.0_25-b18)
      Java HotSpot(TM) Client VM (build 25.25-b02, mixed mode)

      ADDITIONAL OS VERSION INFORMATION :
      Microsoft Windows Server 2008 R2 Standard SP1 (Microsoft Windows Ver. 6.1.7601)

      This defect should be version independent with regard to Windows. I would expect to see the same results on Windows 7 or 8, for example.

      It is, however, JRE-version specific (above 7u45).

      Have not verified on Linux, OSX, etc...

      EXTRA RELEVANT SYSTEM CONFIGURATION :
      - Reproducible on JRE versions above 1.7u45 to the most recent 1.8u25.

      - Java Security level set to 'High'.

      - A signed Java applet with a valid certificate from a trusted third party.

      - An HTTPS connection with a valid certificate from a trusted third party.

      - Setting a site exemption on the 'Exception Site List' is of no use. Neither is adding the site certificate/certificate chain and/or jar-signing certificate/certificate chain to any/all of Java's trusted certificate stores in 'Manage Certificates...' under Java Security.

      - Any Java applet method called from JavaScript (via LiveConnect).

      - Any major browser in a Windows environment.

      A DESCRIPTION OF THE PROBLEM :
      1. SUMMARY:

      Any Java applet method called via JavaScript produces a Java security warning that cannot be dismissed, even though the Security Warning pop-up dialog includes a "Do not show this again for this app and web site" checkbox.

      Even if this checkbox is checked and the applet is run via the 'Allow' button, the same security warning continues to appear on each same-app-and-same-web-site access. The checkbox is disregarded and the user has no other way of preventing this security warning from appearing (site exception list, installing certificates etc. were all unsuccessful).

      All of the other security warnings associated with our applet (applet wants to use the printer, for instance) are dismissible and remember their suppression checkbox.

      The behaviour I am reporting is in direct violation of Java SE documentation. From https://docs.oracle.com/javase/7/docs/technotes/guides/jweb/security/manifest.html#caller_allowable:

      "If a stand-alone asterisk (*) is specified as the value for the Caller-Allowable-Codebase attribute, then calls from JavaScript code to your RIA show a security warning, and users have the choice to allow the call or block the call. An option to remember the choice is also provided, and if selected, the warning is no longer shown when the RIA is launched."

      The option to remember the choice is indeed provided. The problem is it is subsequently ignored on repeat launches of the same applet from the same web site. No caches (neither browser nor Java) are being cleared inadvertently in between attempts.


      2. PREREQUISITE SET-UP:

      A properly signed, JAR-packaged Java applet is deployed with the following JAR manifest attributes:

      ------------------------------------------------------------------------
      ...some attributes etc...
      Application-Library-Allowable-Codebase: *
      Permissions: all-permissions
      Caller-Allowable-Codebase: *
      Codebase: *
      ...more attributes etc...
      ------------------------------------------------------------------------

      Note the use of the star ('*') for pattern-matching the Codebase-related attributes. Even when partial matching is employed (e.g. https://*:8060), this issue occurs. Including or omitting 'Trusted-Library: true' does not remedy the problem either.


      3. DEFECTIVE BEHAVIOUR:

      With a JRE above 1.7u45 installed on the client, over an HTTPS connection, from a bare bones HTML page with an embedded Java applet, when calling methods from said applet via Java LiveConnect, the following Security Warning message always appears - no matter what action the user takes:

      Message Box Title: Security Warning
      ------------------------------------------------------------------------------------------------------------------------------
      Allow access to the following application from this web site?

      Web Site: https://tickets.completeticketsolution.com:8060

      Application: JavaClient
      Publisher: AudienceView Ticketing Corporation

      This web site is requesting access and control of the Java application shown above. Allow access only if you trust the web site and know that the application is intended to run on this site.

      [_] Do not show this again for this app and web site.          [ Allow ]   [ Do Not Allow ]

      ! More information
      -------------------------------------------------------------------------------------------------------------------------------


      Oracle provides the user with a "Do not show this again for this app and web site" checkbox so that this security warning can be dismissed on future occurrences for this app and this web site, which is exactly what we want.

      However, when utilizing this checkbox (i.e. marking the checkbox and clicking 'Allow'), it is completely ignored on subsequent page loads. The end result is that the user receives this pop-up over and over and over again despite clicking "Do not show this again for this app and web site".

      I would continue to debug this further but Oracle has not released the Java Plug-in source in the OpenJDK.

      REGRESSION. Last worked in version 7u45

      ADDITIONAL REGRESSION INFORMATION:
      java version "1.8.0_25"
      Java(TM) SE Runtime Environment (build 1.8.0_25-b18)
      Java HotSpot(TM) Client VM (build 25.25-b02, mixed mode)

      STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
      Call any Java method from an applet in JavaScript via LiveConnect over an HTTPS connection. Ensure all certificates are valid and trusted.

      Please follow the link below to a site set up for Oracle to investigate this bug. It is a bare bones HTML and JavaScript page that launches a stripped down version of the applet: https://tickets.completeticketsolutions.com:8060/Common/Widgets/oracle.htm

      EXPECTED VERSUS ACTUAL BEHAVIOR :
      EXPECTED -
      After the first appearance of the Java Security Warning, the user checks the "Do not show this again for this app and web site." checkbox and then clicks 'Allow'.

      This warning should no longer appear on subsequent method calls to the applet in JavaScript.
      ACTUAL -
      After the first appearance of the Java Security Warning, the user checks the "Do not show this again for this app and web site." checkbox and then clicks 'Allow'.

      Instead of having this warning suppressed by the checkbox action, the warning keeps appearing on subsequent method calls to the applet in JavaScript.

      The checkbox does not do what it expressly says it will and what the Java SE documentation says it will do.

      ERROR MESSAGES/STACK TRACES THAT OCCUR :
      Message Box Title: Security Warning (the same dialog reproduced in section 3 above)
      ------------------------------------------------------------------------------------------------------------------------------
      Allow access to the following application from this web site?

      Web Site: https://tickets.completeticketsolution.com:8060

      Application: JavaClient
      Publisher: AudienceView Ticketing Corporation

      This web site is requesting access and control of the Java application shown above. Allow access only if you trust the web site and know that the application is intended to run on this site.

      [_] Do not show this again for this app and web site.          [ Allow ]   [ Do Not Allow ]

      ! More information
      -------------------------------------------------------------------------------------------------------------------------------

      REPRODUCIBILITY :
      This bug can be reproduced always.

      ---------- BEGIN SOURCE ----------
      Below is the source for a dummy version of AudienceViewApplet.java:

      package com.audienceview.client.applet;

      import javax.swing.JApplet;
      import netscape.javascript.JSObject;   // LiveConnect bridge, provided by the plug-in's plugin.jar

      public class AudienceViewApplet extends JApplet {

          @Override
          public void init() {
              // Applet lifecycle entry point; the plug-in calls this once on load.
              System.out.println("audienceview debug: init()");
          }

          // Public method invoked from page JavaScript via LiveConnect, e.g.
          // document.getElementById("applet").print(data, "onOk", "onErr").
          // Each such call is what triggers the Security Warning dialog.
          public void print(final JSObject data, String successCallback, String errorCallback) {
              System.out.println("audienceview debug: print(final JSObject data, String successCallback, String errorCallback) = " + data.toString() + " " + successCallback + " " + errorCallback);
          }
      }

      ---------- END SOURCE ----------

      CUSTOMER SUBMITTED WORKAROUND :
      Specifying the exact domain (with no pattern-matching whatsoever using the '*' operator) in the applet's JAR manifest attribute Application-Library-Allowable-Codebase avoids the security warning altogether.

      However, the defect I am reporting is not the security warning itself appearing in the first place but, instead, the inability to dismiss it with the provided "do not show this again" checkbox. We need this box to work as expected.
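Editor's note with an added example (this is not code from the bug report or from the AudienceView applet): the manifest quoted in section 2 combines Permissions: all-permissions with a bare '*' in Caller-Allowable-Codebase and Application-Library-Allowable-Codebase. Per the Oracle documentation the reporter quotes, the bare '*' is exactly what turns the JavaScript call into a prompt, and it also means JavaScript on any origin may script a fully privileged applet, so the "Allow access" dialog is the only check left. The Python script below reads META-INF/MANIFEST.MF from a JAR the way java.util.jar reads the main section (a line starting with a single space continues the previous value) and flags that combination. Both manifests inside it are constructed for the demo: one mirrors the attributes quoted above, the other pins every attribute to the origin shown in the dialog (https://tickets.completeticketsolution.com:8060), the direction the customer's workaround points in. Severity labels and the helper names are this example's own choices.

```python
"""Audit the Codebase-related attributes of a signed applet's JAR manifest.

Added example, not part of the bug report. Flags a bare '*' in the three
Codebase attributes, and rates it HIGH when the JAR also declares
Permissions: all-permissions.
"""
import io
import zipfile

# Attributes whose value is a space-separated list of domains or patterns.
CODEBASE_ATTRS = (
    "Codebase",
    "Caller-Allowable-Codebase",
    "Application-Library-Allowable-Codebase",
)

# What a bare '*' means for each attribute (per Oracle's manifest docs).
WILDCARD_MEANING = {
    "Codebase": "no restriction on where the JAR may be loaded from",
    "Caller-Allowable-Codebase": "JavaScript on any web site may call into the applet",
    "Application-Library-Allowable-Codebase": "the applet may be launched from any web site",
}


def parse_manifest(text):
    """Return the main-section attributes of a JAR manifest as a dict.

    Only the main section (up to the first blank line) is read; the per-entry
    sections carrying signature digests are irrelevant to this check.
    A line beginning with one space continues the previous attribute's value.
    """
    attrs = {}
    last = None
    for line in text.splitlines():
        if line == "":
            break                      # end of the main section
        if line.startswith(" "):       # continuation line
            if last is not None:
                attrs[last] += line[1:]
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue                   # not "Name: value"; ignore
        last = name.strip()
        attrs[last] = value.strip()
    return attrs


def audit(attrs):
    """Return a list of (severity, attribute, message) findings; [] is clean."""
    findings = []
    all_perms = attrs.get("Permissions", "").lower() == "all-permissions"
    for name in CODEBASE_ATTRS:
        if name not in attrs:
            continue
        for entry in attrs[name].split():
            if entry == "*":
                # A wildcard caller/library codebase on a privileged JAR is the
                # combination that makes the consent dialog the only barrier.
                sev = "HIGH" if all_perms and name != "Codebase" else "MEDIUM"
                findings.append((sev, name, "bare '*': " + WILDCARD_MEANING[name]))
            elif "*" in entry:
                findings.append(("LOW", name,
                                 f"{entry!r} is a pattern, not an exact origin"))
    return findings


def audit_jar(jar):
    """Audit a JAR given as a path or a binary file-like object."""
    with zipfile.ZipFile(jar) as zf:
        text = zf.read("META-INF/MANIFEST.MF").decode("utf-8")
    return audit(parse_manifest(text))


def make_jar(manifest_text):
    """Build an in-memory JAR holding only the given manifest (demo input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest_text)
    buf.seek(0)
    return buf


# Constructed from the attributes quoted in the report (not the real JAR).
REPORTED_MANIFEST = (
    "Manifest-Version: 1.0\r\n"
    "Application-Library-Allowable-Codebase: *\r\n"
    "Permissions: all-permissions\r\n"
    "Caller-Allowable-Codebase: *\r\n"
    "Codebase: *\r\n"
    "\r\n"
)

# Constructed hardened variant pinned to the origin shown in the dialog; two
# values are split across continuation lines to exercise the parser.
PINNED_MANIFEST = (
    "Manifest-Version: 1.0\r\n"
    "Permissions: all-permissions\r\n"
    "Codebase: https://tickets.completeticketsolution.com:8060\r\n"
    "Caller-Allowable-Codebase: https://tickets.completeticketsolution.co\r\n"
    " m:8060\r\n"
    "Application-Library-Allowable-Codebase: https://tickets.completeticke\r\n"
    " tsolution.com:8060\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, manifest in (("reported", REPORTED_MANIFEST), ("pinned", PINNED_MANIFEST)):
        print(label, audit_jar(make_jar(manifest)) or "clean")
```

Run it against a real JAR with `audit_jar("JavaClient.jar")`; a clean result only says the codebase attributes are pinned, it does not replace checking the signature itself.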

        People

        • Assignee: dmarkov Dmitry Markov
        • Reporter: webbuggrp Webbug Group