Mixing Privileged Code and Sandbox Code
Ensuring Application and Applet Security

Overview

A privileged Java Web Start application or applet that also contains components restricted to the security sandbox (mixed code) can be unsafe unless the application vendor intended the mix: untrusted components could have been added or substituted to re-purpose the privileged code. When a program contains both privileged components and sandbox components, security warnings are shown. JavaScript code is always restricted to the sandbox, so JavaScript that calls into privileged Java can also trigger these warnings; see Caller-Allowable-Codebase Attribute for the manifest attribute that authorizes JavaScript callers.

The security warning states that Java has found application components that could indicate a security concern, and recommends contacting the application vendor to confirm that the components have not been tampered with.

In the dialog, you choose either Block or Don't Block for the application components. You can also click the optional More Information link.

Clicking Block prevents the potentially unsafe components from running, and the program may terminate as a result. Clicking Don't Block lets the application or applet continue with some added protections.

Raising a warning is the default behavior, but there are options available to manage how this situation is handled.


Note: If any concepts are unclear, such as how to modify a manifest file, or how to sign a JAR file, or how to use a deployment configuration file, see For More Information for useful links.

Mixed Code Protection Options for Users

There are two mechanisms for managing how mixed code programs are handled.

Version note: To take advantage of these security enhancements, users need to install the Java SE or Java for Business 6 Update 19 release (or later) and use the new Java Plug-in, which is enabled by default. To use an earlier JRE with the new Java Plug-in, you need to install the Java for Business 5.0 Update 24 release (or later) or the Java for Business 1.4.2_26 release (or later) in order to enable the mixed code security enhancement for those release families.

Note 1: Mixed code checking for the 1.4.2 release is available only on the Windows platform.

Note 2: On Solaris, the new Java Plug-in requires Firefox 3 or later. Netscape 7 and Firefox 2 are not supported.

Note 3: For more information on which platforms are supported by the new plug-in, see the Release Notes for the Next-Generation Java Plug-in.

Deploying Privileged Applications and Applets Securely Without a Mixed Code Warning

This section describes best practices for developers and deployers to protect their applications and applets from being maliciously re-purposed by replacing trusted components with untrusted ones.

Two JAR manifest attributes, Trusted-Only and Trusted-Library, are available as of Java SE 6 Update 19 for deploying privileged applications and applets. When a JAR's manifest includes one of these attributes, the mixed code warning dialog is not displayed.

Developers and deployers should check their Java Web Start applications and applets to determine whether they mix privileged code and untrusted code. If users might be tricked into downloading these applications and applets from rogue websites, consider deploying or re-deploying with one of the following attributes. Because the manifest is covered by the JAR signature, existing signed JARs must be re-signed after the attribute is added. Note: the source code of the classes and resources is not required for re-signing with the new manifest entries.

Trusted-Only Attribute

For applications and applets that do not require untrusted components, use the Trusted-Only attribute. No warning dialog is displayed and an application or applet that loads a JAR file containing this attribute does not load any untrusted classes or resources. This attribute prevents a privileged application or applet from being re-purposed with untrusted components. See Trusted-Only Attribute for more information.

Trusted-Library Attribute

For applications and applets that are designed to allow untrusted components, use the Trusted-Library attribute. No warning dialog is shown and an application or applet can load JAR files containing untrusted classes or resources. This attribute prevents components in a privileged application or applet from being re-purposed with untrusted components. See Trusted-Library Attribute for more information about using this attribute.

The Trusted-Library attribute is used for calls between privileged Java code and sandbox Java code. If you have JavaScript code that calls Java code, use the Caller-Allowable-Codebase Attribute.
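The audit asked for above (does a privileged JAR carry Trusted-Only or Trusted-Library, and is the attribute sitting in a JAR that is actually signed) can be scripted. The following is an added example, not code from this page or from Oracle. It builds constructed in-memory JARs with placeholder signature files, parses the manifest main section, including the 72-byte line wrapping that jar(1) produces, and reports which of the two attributes is present. Only the presence of META-INF signature files is checked, not their validity; jarsigner -verify does that. The attribute names, the value true and the META-INF layout follow the JAR format; the example.com codebases and the VENDOR.SF/VENDOR.RSA file names are made up for the example.

```python
"""Audit JAR files for the Trusted-Only / Trusted-Library manifest attributes.

Added example. The JARs built here are constructed samples with placeholder
signature files, so signature *presence* (not validity) is what gets checked.
"""
import io
import zipfile

# Signature files jarsigner writes under META-INF/ (signature file + block file).
SIGNATURE_SUFFIXES = (".SF", ".RSA", ".DSA", ".EC")


def parse_main_section(manifest: bytes) -> dict:
    """Return the main-section attributes of a JAR manifest as a dict.

    The JAR format wraps lines longer than 72 bytes: a continuation line
    starts with one space and is appended to the previous line. The first
    blank line ends the main section; per-entry (Name:) sections follow it.
    """
    logical = []
    for raw in manifest.decode("utf-8").splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]          # join wrapped continuation
        else:
            logical.append(raw)
    attrs = {}
    for line in logical:
        if line.strip() == "":
            break                           # end of main section
        name, sep, value = line.partition(":")
        if sep:
            attrs[name.strip()] = value.strip()
    return attrs


def audit_jar(jar_bytes: bytes) -> dict:
    """Report how a JAR will be treated with respect to mixed code."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = zf.namelist()
        attrs = {}
        if "META-INF/MANIFEST.MF" in names:
            attrs = parse_main_section(zf.read("META-INF/MANIFEST.MF"))
    signed = any(
        n.startswith("META-INF/") and n.upper().endswith(SIGNATURE_SUFFIXES)
        for n in names
    )
    trusted_only = attrs.get("Trusted-Only", "").lower() == "true"
    trusted_library = attrs.get("Trusted-Library", "").lower() == "true"
    findings = []
    if not signed:
        # An unsigned JAR is sandboxed anyway; the attributes only matter in signed JARs.
        findings.append("unsigned: sandboxed, mixed-code attributes have no effect")
    elif not (trusted_only or trusted_library):
        findings.append("privileged JAR without Trusted-Only/Trusted-Library: mixed code warning possible")
    return {
        "signed": signed,
        "trusted_only": trusted_only,
        "trusted_library": trusted_library,
        "attributes": attrs,
        "findings": findings,
    }


def build_jar(manifest_text: str, signed: bool) -> bytes:
    """Construct an in-memory JAR (constructed sample, not a really signed JAR)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest_text)
        if signed:
            # Placeholder signature files; a real JAR gets these from jarsigner.
            zf.writestr("META-INF/VENDOR.SF", "Signature-Version: 1.0\r\n")
            zf.writestr("META-INF/VENDOR.RSA", b"\x00placeholder")
        zf.writestr("com/example/Main.class", b"\xca\xfe\xba\xbe")
    return buf.getvalue()


# Constructed manifest: Trusted-Only plus a 72-byte line wrapped the way jar(1) writes it.
TRUSTED_ONLY_MANIFEST = (
    "Manifest-Version: 1.0\r\n"
    "Trusted-Only: true\r\n"
    "Caller-Allowable-Codebase: https://example.com https://intranet.example.\r\n"
    " com\r\n"
    "\r\n"
    "Name: com/example/Main.class\r\n"
    "SHA-256-Digest: placeholder\r\n"
)

SIGNED_TRUSTED_ONLY = build_jar(TRUSTED_ONLY_MANIFEST, signed=True)
UNSIGNED_TRUSTED_LIBRARY = build_jar(
    "Manifest-Version: 1.0\r\nTrusted-Library: true\r\n\r\n", signed=False)
SIGNED_NO_ATTRIBUTE = build_jar("Manifest-Version: 1.0\r\n\r\n", signed=True)

if __name__ == "__main__":
    samples = [("signed, Trusted-Only", SIGNED_TRUSTED_ONLY),
               ("unsigned, Trusted-Library", UNSIGNED_TRUSTED_LIBRARY),
               ("signed, no attribute", SIGNED_NO_ATTRIBUTE)]
    for label, jar in samples:
        report = audit_jar(jar)
        print(f"{label}: {report['findings'] or ['ok']}")
```

To add an attribute to an existing JAR, put the line (for example Trusted-Only: true) in a text file, merge it into the manifest with jar ufm app.jar additions.txt, and re-sign the JAR with jarsigner; the audit above then reports the attribute, and jarsigner -verify confirms that the new signature covers the modified manifest.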

Mixed Code FAQ

For More Information


Copyright © 1993, 2014, Oracle and/or its affiliates. All rights reserved.