I read on the web that Java version 7u51 (to be released in January 2014) will no longer accept Java Webstart applications that are self-signed by me.
我在网上看到Java版本7u51(将于2014年1月发布)将不再接受我自签名的Java Webstart应用程序。
Is that true?
真的吗?
In case it is true, do I have any chance to build a workaround for my JNLP application, so that I am able to start the application even after January 2014?
如果确实如此,我是否有机会为我的JNLP应用程序构建变通方法,以便我能够在2014年1月之后启动应用程序?
I have seen that the option to suppress the security warnings because of the usage of a self-signed certificate was removed in 7u40.
我已经看到在7u40中删除了因使用自签名证书而禁止安全警告的选项。
7 个解决方案
#1
29
Yes, this is true. This blog entry from Oracle has the details.
是的,这是真的。这篇来自Oracle的博客文章有详细信息。
As I understand it, you have three options for continuing to work:
据我了解,您有三种选择继续工作:
- Sign your app with a trusted cert
- Normally, this is done by acquiring a cert from one of the vendors whose root certs are trusted by Java by default.
- 通常,这是通过从默认情况下由Java信任其根证书的供应商之一获取证书来完成的。
- You can also use a self-signed certificate if your community of users is controlled (e.g. all within a managed corporate network, or all students in the same intro to programming class).
- 如果您的用户社区受到控制,您也可以使用自签名证书(例如,在托管公司网络中,或者在编程类的同一介绍中的所有学生)。
- 使用受信任的证书对您的应用进行签名通常,这是通过从默认情况下由Java信任其根证书的供应商之一获取证书来完成的。如果您的用户社区受到控制,您也可以使用自签名证书(例如,在托管公司网络中,或者在编程类的同一介绍中的所有学生)。
- Have your end users configure their machines to trust your app despite it being self-signed
- via deployment rule sets (Oracle's intention is that DRSs are only to be used in corporate environments, where you can push out this configuration update via a centralized management technology)
- 通过部署规则集(Oracle的意图是DRS仅用于企业环境,您可以通过集中管理技术推出此配置更新)
- via the exception site list (I believe this is intended to be analogous to DRSes, but for individual end users without centralized management)
- 通过例外站点列表(我相信这与DRS类似,但对于没有集中管理的个别最终用户)
- 让最终用户配置他们的机器以信任您的应用程序,尽管它是通过部署规则集进行自签名的(Oracle的意图是DRS仅用于企业环境,您可以通过集中管理技术推出此配置更新)通过例外站点列表(我相信这与DRS类似,但对于没有集中管理的个别最终用户)
- Have your users lower their security slider from High (the default) to Medium
- 让您的用户将安全性滑块从“高”(默认值)降低到“中”
See also my question about obtaining pre-release versions of these updates to test with.
另请参阅我关于获取这些更新的预发布版本以进行测试的问题。
#2
15
Oracle just announced that a new feature called the Exception Site List will be available in 7u51.
甲骨文刚宣布将在7u51中推出名为Exception Site List的新功能。
If it means what I think it means, then in-house-only apps who are currently self-signing their jars can simply ask their users to whitelist the app without the user having to do anything "complicated" for an end user, like importing a cert (for example).
如果这意味着我认为这意味着什么,那么目前只在内部自行签名的内部应用程序可以简单地要求用户将应用程序列入白名单,而无需用户为最终用户执行任何“复杂”操作,例如导入证书(例如)。
UPDATE:
更新:
Java 7u51 was just released, and I can confirm that the Exception Site List solution works quite easily. Just go to Java Control Panel -> Security -> Edit Site List, and add the URL of the self-signed JNLP app to the list of Locations.
Java 7u51刚刚发布,我可以确认异常站点列表解决方案非常容易。只需转到Java控制面板 - >安全性 - >编辑站点列表,然后将自签名JNLP应用程序的URL添加到位置列表中。
#3
3
This is for Windows ONLY
这仅适用于Windows
Go to Java configuration in Windows, "java configure", choose "Security" tab and Choose "Edit Site List", add your self signed url into the list.
转到Windows中的Java配置,“java configure”,选择“安全”选项卡并选择“编辑站点列表”,将自签名URL添加到列表中。
Sometimes you need to add the full url of the java application into the list to make it work, you cannot just add https://xxx.abc.com, should be https://xxx.abc.com/application_blah_blah instead.
有时您需要将java应用程序的完整URL添加到列表中才能使其正常工作,您不能只添加https://xxx.abc.com,而应该是https://xxx.abc.com/application_blah_blah。
After added the url, restart the java application by input that url in the browser, it will work.
添加url后,通过在浏览器中输入url重新启动java应用程序,它将起作用。
#4
2
Is that true?
真的吗?
Don't know, but had heard the same. What is your source?
不知道,但听过同样的话。你的来源是什么?
In case it is true, do I have any chance to build a workaround for my JNLP application, so that I am able to start the application even after January 2014?
如果确实如此,我是否有机会为我的JNLP应用程序构建变通方法,以便我能够在2014年1月之后启动应用程序?
The only realistic way to deploy code in that situation is have it signed using a digital certificate from a Certification Authority (i.e. signed, but not self-signed).
在这种情况下部署代码的唯一现实方法是使用来自证书颁发机构的数字证书进行签名(即签名但不能自签名)。
Any 'workaround' would be a security bug. So if you find one, please let us know so we can raise a bug report and get it fixed.
任何“解决方法”都是安全漏洞。因此,如果您找到一个,请告诉我们,以便我们可以提出错误报告并将其修复。
#5
1
I have a self-signed app that just needs to run through the end of the semester (December), so I won't be affected by the January deadline. However, we are experiencing trouble even with earlier builds. This just started last week (perhaps due to some kind of automatic update). The JRE is build 40.
我有一个自签名的应用程序,只需要在学期结束(12月),所以我不会受到1月截止日期的影响。但是,即使使用早期版本,我们也遇到了麻烦。这刚刚开始于上周(可能是由于某种自动更新)。 JRE是40。
I changed the manifest file to include the required attributes of permission and codebase and then re-signed the jar, but it still causes a security block to appear at our school.
我更改了清单文件以包含权限和代码库所需的属性,然后重新签名了jar,但它仍然会导致我们学校出现安全块。
Can anyone suggest other steps I should take? Is a commercial certificate my only option?
谁能建议我应采取的其他步骤?商业证书是我唯一的选择吗?
Thanks, Nina
谢谢,妮娜
#6
1
for me..sel-signed web is working when changed security setting to Medium..
对我来说,当安全设置更改为中等时,已签名的网站正在运行。
#7
1
Check out Java official help to allow the access:
查看Java官方帮助以允许访问:
控制不受信任的程序
#1
29
Yes, this is true. This blog entry from Oracle has the details.
是的,这是真的。这篇来自Oracle的博客文章有详细信息。
As I understand it, you have three options for continuing to work:
据我了解,您有三种选择继续工作:
- Sign your app with a trusted cert
- Normally, this is done by acquiring a cert from one of the vendors whose root certs are trusted by Java by default.
- 通常,这是通过从默认情况下由Java信任其根证书的供应商之一获取证书来完成的。
- You can also use a self-signed certificate if your community of users is controlled (e.g. all within a managed corporate network, or all students in the same intro to programming class).
- 如果您的用户社区受到控制,您也可以使用自签名证书(例如,在托管公司网络中,或者在编程类的同一介绍中的所有学生)。
- 使用受信任的证书对您的应用进行签名通常,这是通过从默认情况下由Java信任其根证书的供应商之一获取证书来完成的。如果您的用户社区受到控制,您也可以使用自签名证书(例如,在托管公司网络中,或者在编程类的同一介绍中的所有学生)。
- Have your end users configure their machines to trust your app despite it being self-signed
- via deployment rule sets (Oracle's intention is that DRSs are only to be used in corporate environments, where you can push out this configuration update via a centralized management technology)
- 通过部署规则集(Oracle的意图是DRS仅用于企业环境,您可以通过集中管理技术推出此配置更新)
- via the exception site list (I believe this is intended to be analogous to DRSes, but for individual end users without centralized management)
- 通过例外站点列表(我相信这与DRS类似,但对于没有集中管理的个别最终用户)
- 让最终用户配置他们的机器以信任您的应用程序,尽管它是通过部署规则集进行自签名的(Oracle的意图是DRS仅用于企业环境,您可以通过集中管理技术推出此配置更新)通过例外站点列表(我相信这与DRS类似,但对于没有集中管理的个别最终用户)
- Have your users lower their security slider from High (the default) to Medium
- 让您的用户将安全性滑块从“高”(默认值)降低到“中”
See also my question about obtaining pre-release versions of these updates to test with.
另请参阅我关于获取这些更新的预发布版本以进行测试的问题。
#2
15
Oracle just announced that a new feature called the Exception Site List will be available in 7u51.
甲骨文刚宣布将在7u51中推出名为Exception Site List的新功能。
If it means what I think it means, then in-house-only apps who are currently self-signing their jars can simply ask their users to whitelist the app without the user having to do anything "complicated" for an end user, like importing a cert (for example).
如果这意味着我认为这意味着什么,那么目前只在内部自行签名的内部应用程序可以简单地要求用户将应用程序列入白名单,而无需用户为最终用户执行任何“复杂”操作,例如导入证书(例如)。
UPDATE:
更新:
Java 7u51 was just released, and I can confirm that the Exception Site List solution works quite easily. Just go to Java Control Panel -> Security -> Edit Site List, and add the URL of the self-signed JNLP app to the list of Locations.
Java 7u51刚刚发布,我可以确认异常站点列表解决方案非常容易。只需转到Java控制面板 - >安全性 - >编辑站点列表,然后将自签名JNLP应用程序的URL添加到位置列表中。
#3
3
This is for Windows ONLY
这仅适用于Windows
Go to Java configuration in Windows, "java configure", choose "Security" tab and Choose "Edit Site List", add your self signed url into the list.
转到Windows中的Java配置,“java configure”,选择“安全”选项卡并选择“编辑站点列表”,将自签名URL添加到列表中。
Sometimes you need to add the full url of the java application into the list to make it work, you cannot just add https://xxx.abc.com, should be https://xxx.abc.com/application_blah_blah instead.
有时您需要将java应用程序的完整URL添加到列表中才能使其正常工作,您不能只添加https://xxx.abc.com,而应该是https://xxx.abc.com/application_blah_blah。
After added the url, restart the java application by input that url in the browser, it will work.
添加url后,通过在浏览器中输入url重新启动java应用程序,它将起作用。
#4
2
Is that true?
真的吗?
Don't know, but had heard the same. What is your source?
不知道,但听过同样的话。你的来源是什么?
In case it is true, do I have any chance to build a workaround for my JNLP application, so that I am able to start the application even after January 2014?
如果确实如此,我是否有机会为我的JNLP应用程序构建变通方法,以便我能够在2014年1月之后启动应用程序?
The only realistic way to deploy code in that situation is have it signed using a digital certificate from a Certification Authority (i.e. signed, but not self-signed).
在这种情况下部署代码的唯一现实方法是使用来自证书颁发机构的数字证书进行签名(即签名但不能自签名)。
Any 'workaround' would be a security bug. So if you find one, please let us know so we can raise a bug report and get it fixed.
任何“解决方法”都是安全漏洞。因此,如果您找到一个,请告诉我们,以便我们可以提出错误报告并将其修复。
#5
1
I have a self-signed app that just needs to run through the end of the semester (December), so I won't be affected by the January deadline. However, we are experiencing trouble even with earlier builds. This just started last week (perhaps due to some kind of automatic update). The JRE is build 40.
我有一个自签名的应用程序,只需要在学期结束(12月),所以我不会受到1月截止日期的影响。但是,即使使用早期版本,我们也遇到了麻烦。这刚刚开始于上周(可能是由于某种自动更新)。 JRE是40。
I changed the manifest file to include the required attributes of permission and codebase and then re-signed the jar, but it still causes a security block to appear at our school.
我更改了清单文件以包含权限和代码库所需的属性,然后重新签名了jar,但它仍然会导致我们学校出现安全块。
Can anyone suggest other steps I should take? Is a commercial certificate my only option?
谁能建议我应采取的其他步骤?商业证书是我唯一的选择吗?
Thanks, Nina
谢谢,妮娜
#6
1
for me..sel-signed web is working when changed security setting to Medium..
对我来说,当安全设置更改为中等时,已签名的网站正在运行。
#7
1
Check out Java official help to allow the access:
查看Java官方帮助以允许访问:
控制不受信任的程序