Java applet: Caller-Allowable-Codebase does not work


I'm getting the dreaded LiveConnect warnings on an in-house self-signed applet. I'm using Java 1.7.0_45. According to what I've read, I should be able to get rid of these by adding Caller-Allowable-Codebase * to my manifest, and removing the Trusted-Library attribute. My ant target for building the applet looks like this:

<jar destfile="MyApplet.jar">
  <manifest>
    <attribute name="Main-Class" value="com.mycompany.MyApplet"/>
    <attribute name="Permissions" value="all-permissions"/>
    <attribute name="Codebase" value="*"/>
    <attribute name="Caller-Allowable-Codebase" value="*"/>
  </manifest>
  [...]
</jar>
<signjar jar="MyApplet.jar" [...] />

Unfortunately, this has no effect; I still get the warning. I have verified that I am running 1.7.0_45, and that the browser isn't using an old cached copy of the applet. The client is Firefox 25.0 running on OS X 10.7.5, for what it's worth... Any ideas would be greatly appreciated!

3


0
BEST ANSWER

Found it -- the trick is to import the certificate into the right keystore. I exported the certificate from the keychain I use to build the applet:

keytool -exportcert -file appletkey.cer -alias appletkey -keystore mykeystore

...and then imported it into the global cacerts keystore:

keytool -importcert -file appletkey.cer -alias appletkey -keystore $JRE_HOME/lib/security/cacerts -storepass changeit

The tricky part is to figure out which instance of cacerts to import it into; depending on configuration, you may have a whole bunch of JVMs installed, and each one has its own cacerts. On the Mac, the right one turned out to be

/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Home/lib/security/cacerts

and in Windows it is

C:\Program Files (x86)\Java\jre7\lib\security\cacerts

(substitute "Program Files" for "Program Files (x86)" in case you're using a 64-bit JVM.)

I'm assuming in Linux it's $JRE_HOME/lib/security/cacerts as well, where your value of $JRE_HOME will depend on how you installed it.

N.B. I did try importing the cert into a user-specific keystore as well, but I couldn't get that to work. Importing it into the global keystore is a bit brute force but for my use case it is good enough. The initial Java applet warning and the LiveConnect warning are both gone. Also note that this is using the applet manifest exactly as shown above; as other respondents suggested, there was nothing wrong with the manifest, I just had to get the JVM to trust the certificate.

4

Update: The applet is officially signed by a browser-trusted CA, not self-signed; that was my mistake, sorry. Original answer:

I use these attributes in my self-signed applet and have only the basic click-to-run question, which can be marked "don't ask again":

[image: click-to-run warning]

I don't get the LiveConnect warning that shows every time:

[image: LiveConnect warning]

The first one is obligatory. Which security warning exactly do you mean?

*Images are reused from other questions and are not related to me...

0

I have observed the same behaviour. My tests indicate that the Caller-Allowable-Codebase manifest attribute only takes effect if the JAR is signed by a trusted certificate. (I signed a JAR with an untrusted cert, and the warning appeared. I signed the same JAR with a trusted cert, and the warning didn't appear).

If you can't use a certificate from an already trusted CA, you might try to configure the local Java installations to trust your certificate, or use deployment rulesets to suppress the warning.
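Both the accepted answer and this one come down to the same question: does the JRE's cacerts keystore already contain the certificate that signed the applet JAR? The following Java program is an added example, not code from the question or from any of the answers, that answers that question offline: it loads a cacerts file, reads every entry of the JAR with signature verification on, and reports whether at least one certificate in each entry's signer chain is present in the keystore. It also prints the manifest attributes the question is about (Permissions, Codebase, Caller-Allowable-Codebase, Trusted-Library). The class name, the command-line arguments and the default password "changeit" are assumptions for the example; the cacerts path is whatever you pass in (for instance one of the paths listed in the accepted answer).

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.util.Enumeration;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.jar.Attributes;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;
import java.util.jar.Manifest;

/**
 * Added example (not from the question or answers): checks whether a given
 * cacerts keystore trusts the certificate that signed an applet JAR, and
 * shows the deployment manifest attributes. Written against the Java 7 API
 * the question uses (no lambdas). All paths come from the command line;
 * none of them is a real project path.
 */
public class AppletTrustCheck {

    /** Loads a keystore such as $JRE_HOME/lib/security/cacerts. */
    public static KeyStore loadKeyStore(File path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        InputStream in = new FileInputStream(path);
        try {
            ks.load(in, password);
        } finally {
            in.close();
        }
        return ks;
    }

    /**
     * For every non-META-INF entry: true if at least one certificate in the
     * entry's signer chain is present in the trust store, false if the entry
     * is unsigned, signed by an unknown certificate, or fails verification.
     */
    public static Map<String, Boolean> signerTrust(File jar, KeyStore trustStore) throws Exception {
        Map<String, Boolean> result = new LinkedHashMap<String, Boolean>();
        JarFile jf = new JarFile(jar, true);   // verify=true: digests/signatures are checked while reading
        try {
            Enumeration<JarEntry> entries = jf.entries();
            while (entries.hasMoreElements()) {
                JarEntry e = entries.nextElement();
                if (e.isDirectory() || e.getName().startsWith("META-INF/")) continue;
                boolean trusted = false;
                try {
                    InputStream in = jf.getInputStream(e);
                    try {
                        // getCertificates() is only populated once the entry has been read to the end.
                        byte[] buf = new byte[8192];
                        while (in.read(buf) != -1) { /* drain */ }
                    } finally {
                        in.close();
                    }
                    Certificate[] chain = e.getCertificates();
                    if (chain != null) {
                        for (Certificate c : chain) {
                            // Direct lookup: the exact certificate (e.g. the imported self-signed one) is a trusted entry.
                            if (trustStore.getCertificateAlias(c) != null) { trusted = true; break; }
                        }
                    }
                } catch (SecurityException tampered) {
                    trusted = false;   // digest or signature mismatch: never trust the entry
                }
                result.put(e.getName(), trusted);
            }
        } finally {
            jf.close();
        }
        return result;
    }

    /** Returns the main manifest attributes the applet warnings depend on (null when absent). */
    public static Map<String, String> deploymentAttributes(File jar) throws Exception {
        Map<String, String> out = new LinkedHashMap<String, String>();
        JarFile jf = new JarFile(jar, false);
        try {
            Manifest mf = jf.getManifest();
            Attributes main = (mf == null) ? new Attributes() : mf.getMainAttributes();
            String[] names = {"Permissions", "Codebase", "Caller-Allowable-Codebase", "Trusted-Library"};
            for (String name : names) {
                out.put(name, main.getValue(name));
            }
        } finally {
            jf.close();
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 2) {
            System.err.println("usage: AppletTrustCheck <applet.jar> <path-to-cacerts> [storepass]");
            System.exit(2);
        }
        char[] pass = (args.length > 2 ? args[2] : "changeit").toCharArray();  // assumed default cacerts password
        KeyStore cacerts = loadKeyStore(new File(args[1]), pass);
        for (Map.Entry<String, String> a : deploymentAttributes(new File(args[0])).entrySet()) {
            System.out.println(a.getKey() + ": " + a.getValue());
        }
        for (Map.Entry<String, Boolean> r : signerTrust(new File(args[0]), cacerts).entrySet()) {
            System.out.println((r.getValue() ? "trusted   " : "UNTRUSTED ") + r.getKey());
        }
    }
}
```

Run it once against the cacerts of the JRE the browser plugin actually uses (the accepted answer lists where that file lives on each platform); if every entry comes back UNTRUSTED with the manifest attributes already in place, the keytool -importcert step is what is missing, not the manifest. Because cacerts is shared by every user of that JRE, an imported self-signed certificate makes every JAR signed with that key trusted for all-permissions there, which is why the check reports per-entry signer trust rather than just whether the alias exists.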