Why does Java tell me my applet contains both signed and unsigned code?

Question

My signed Java applet has been running fine until Java update 19. Now some but not all of our users on Java Update 19 report a java security message stating that our applet contains both signed and unsigned code.

The process for creating our applet is as follows:

1. Clean and Build the applet project in Netbeans IDE.
2. Open the Applet jar file in WinRAR and add the required mysql JDBC driver .class files to the jar file.
3. Sign the applet jar file.

Can someone please tell me how to determine what code is signed and what code is not signed in our applet? Is there a better way to include the mysql JDBC driver jar file in our applet other than copying the jar file contents into our applet jar file?

Thanks

Answer 1

Some things to try:

• Go to the java plugin control panel ($JAVA_HOME/bin/ControlPanel).
• Go to the Advanced tab.
• Expand Debug
• Check Enable tracing, Enable logging, and Show applet lifecycle exceptions
• Expand Java console
• Check Show console
• Click OK (or Close, depending on your OS)

When your applet loads the Java console will open. Click on it and immediately press '5'. It will log the jars and classes being fetched to run your applet. Somewhere in this there should be a message indicating what jars or classes are consider "unsigned". If you miss it the first time, just reload the window to try it again.

Answer 2

EDIT: Due to a bug in Java 7 Update 45 you should not add Trusted-Library to your manifest file. Just add the new attribute Caller-Allowable-Codebase. See this question for more info: Java applet manifest - Allow all Caller-Allowable-Codebase

Java 7 Update 21 was released on April 16 2013 and caused our applet to start showing this warning dialog.

Per the release notes: As of JDK 7u21, JavaScript code that calls code within a privileged applet is treated as mixed code and warning dialogs are raised if the signed JAR files are not tagged with the Trusted-Library attribute.

To fix this edit your manifest.mf file and add a line like this:

Trusted-Library: true

You should be very careful before doing this though. If your signed applet can be called from javascript then a malicious user can potentially do harmful things on your users' computers.

One quick way to secure your applet is to prevent it from being run on other websites. Do this by putting code in the init() method that looks at getCodeBase().getHost() and throws an exception if it does not match your site.

Java 7 Update 25 introduces another way to limit the sites where your applet can be run. You can set the Codebase attribute in your manifest file like this:

Codebase: test.example.com www.example.com

Java 7 Update 45 (releated October 16 2013) introduces more changes to the LiveConnect system (javascript-to-applet bridge) that may cause another prompt. This article talks about the 7u45 changes: https://blogs.oracle.com/java-platform-group/entry/liveconnect_changes_in_7u45

Basically you'll also want to add the following to your manifest file to avoid the prompts:

Caller-Allowable-Codebase: test.example.com www.example.com

If you are selling a product that includes an applet and you don't know what domains it can be deployed on you can populate * here.

Answer 3

Mixing trusted and untrusted code together is a vulnerability that has been fixed in the 6u19 (the current CPU/SSR release at the time of writing). See the docs. Blocking the mix or using a debugger should show where the problem is.