JRE Security Warning - UNKNOWN Publisher Blocked in Future Releases - JAR File Manifest Missing Permissions Attribute

(Doc ID 1594575.1)

Last updated on JULY 15, 2017

Applies to:

Oracle Forms - Version 11.1.1.4.0 and later
Information in this document applies to any platform.

Symptoms

In later versions of JRE 1.7, such as  JRE 1.7.0_40 and higher and the latest versions of 1.6,  various security warnings may appear.  Here is one example with 1.7.0_45:

Figure 1

Note that there are actually two warnings here.  The one in red is related to "UNKNOWN publishers" and the one highlighted in yellow is related to issues with the jar file manifest.

The java console will show exceptions similar to the following which are related to the jar file manifest:


Missing Application-Name: manifest attribute for: http://hostname:9001/forms/java/frmall.jar

Missing Permissions manifest attribute for: http://hostname:9001/forms/java/frmall.jar

Missing Codebase manifest attribute for: http://hostname:9001/forms/java/frmall.jar

Missing Application-Name: manifest attribute for: http://hostname:9001/forms/java/frmwebutil.jar

Missing Permissions manifest attribute for: http://hostname:9001/forms/java/frmwebutil.jar

Missing Codebase manifest attribute for: http://hostname:9001/forms/java/frmwebutil.jar

Missing Application-Name: manifest attribute for: http://hostname:9001/forms/java/jacob.jar

Missing Permissions manifest attribute for: http://hostname:9001/forms/java/jacob.jar

Missing Codebase manifest attribute for: http://hostname:9001/forms/java/jacob.jar

 

Changes

Using later versions of the JRE such as 1.7.0_40 and higher and the later versions of 1.6 will result in these messages caused by enhanced security verification features enabled in these versions.   Note that earlier JRE  versions allowed the end user to check a check box stating "I accept the risk and want to run this application". A subsequent dialog box  allowed one to check a check box  stating "Do not show this again for apps from the publisher and location above".  Checking this would import the certificate into the JRE and the code would be considered trusted from then on and cause no further security warnings. This can be seen in the Figure 2 and Figure 3 in <Note  1542463.1>.  This import option is no longer allowed in JRE 1.7.0_40 and later.

IMPORTANT NOTE:  For JRE 1.7.051 and the latest 1.6.0_71 versions that came with the January 2014 Java CPU, Forms installations that do not have manifest <patch 17448420> will be blocked and  untrusted code/jar files will be blocked as well by default.  Depending on the component being blocked, you will see:

No manifest entry -> Error, click here for details

Untrusted jar files  -> Security  Warning Dialog -> Block potentially unsafe components from being run?

 

 

Cause

Sign In with your My Oracle Support account

Don't have a My Oracle Support account? Click to get started

My Oracle Support provides customers with access to over a
Million Knowledge Articles and hundreds of Community platforms