URGENT: DON'T INSTALL Java 7 Update 51 (Mac AND Windows)

Oracle released a new Java update for Java 7 (Update 51). This will make Servoy stop working. See this thread.

BE AWARE: this is on both Mac OS X and Windows (haven’t tested it yet on Linux)

To “dim” this down a bit: it works fine, except a few things must then be in place:

1> everything must be signed with a valid certificate (self signed in the default security setting will not work anymore, or you must import your certificate in all your smart clients java keystores…)

2> all the permissions must be set in the manifest (use the latest servoy, or use the latest signtester tool with your own valid certificate)

Deploying Smart Client applications is becoming a risky business. This is very unfortunate, especially for those of us that need the power and speed provided by the desktops.

Java & security was/is a hot topic, and I’m happy that the time for self-signed (read: invalid & not verified) certificates is over!

Self-signed doesn’t have to be really insecure.
I think it can even be way better… But then the only requirement is that you get your certificate securely to your clients (so through a USB stick or through another secure way of transport)
and that certificate is then imported into the certificate store on the client machines.

Then those clients do trust your site, and the only thing that is a trusted source is yourself and your certificate (that they did get in a secure way).
If, for example, you did get your certificate from Comodo and their root certificate is hacked, then everything that is signed with that is immediately invalid and insecure.

With your own certificate this is never a problem because the only “root” is yourself.

If it seems like Servoy is specifically targeted by Oracle every time something like this happens, the Java 7 update 51 is creating havoc across the board. VPN, teleconferencing, internal business apps – all having issues, if not completely stopped working. IT departments are not happy – tech memo from a large company here in town:

Last week, Oracle released a new version of the Java runtime client, Java 7 update 51. This update has prompted many questions from those that regularly visit sites that require Java. For compatibility reasons we typically do not update the Java client every time an update is released. However, Oracle recently embedded in Java a check that will prompt a user to update when a new version is released. We cannot suppress the prompt from appearing even though we do not require this update in our environment. Therefore, when presented with the dialog box below…

Servoy works fine with the java-update. But the final security warning is still there. Who is going to solve this one? Servoy or Oracle? We cannot ship our software (including officially signed jars) as long as this security warning keeps popping up.

As far as I know we can’t fix it; it is an Oracle bug. We can’t do much about that as far as I can see. For example, this request https://bugs.openjdk.java.net/browse/JDK-8029194 is quite the same.

I already made bug reports at Oracle, but most of the time you will never hear anything back from that.

I did some research and it looks like they are going to fix this in Java 7 update 55

https://bugs.openjdk.java.net/browse/JDK-8032191

which points to:

https://bugs.openjdk.java.net/browse/JDK-8031579

Johan, could you confirm, that this is the same?

That looks to be the fix for this problem, yes.

I guess when they have build 5 out here: https://jdk7.java.net/download.html we could test it.

This isn’t fixed, eh? I just downloaded 7 update 60 from the jdk link, but it still fails with missing required Permissions manifest attribute…

I can confirm the same!! the yellow balloon is still shown in pre release of Java 7 update 60 :(

When I look in case https://bugs.openjdk.java.net/browse/JDK-8031579 it states fixed in version 8u5 Due : 2014-04-14…

Look at this case, which is connected (backported) https://bugs.openjdk.java.net/browse/JDK-8032191
it should be fixed in java 7 update 55

but it isn’t in Java 7 update 60 :-(
I even tried the latest Java 8 (pre-release) and the issue is the same there

Although Oracle isn’t very clear on the procedures they follow, it seems that fixes in security releases (x1 and x5 releases like update 55) aren’t ported over to feature releases (x0 like update 60) until after the release of the security release

That would be the reason the fix is not yet in update 60.

Paul

Hi,

Java 7 update 55 is out.

New update : new security alerts / messages (Java webstart).
It’s now complaining about j2db.jar. See attachment.

Servoy 5.2.17.

No issues here, with Servoy 6.0.x and 7.3.1 and very happy, that the yellow balloon is now gone also!! :D

The only (minor) thing is that the name is now: j2db.jar and not our solution name set in the branding settings…

[attachment=0]Schermafbeelding 2014-04-17 om 23.00.10.png[/attachment]

@lwjwillemsen, I think the warning you see, is because you use vmargs in the servoy-admin page?

Here too everything works fine with Java 7 update 55 and Servoy application server v. 7.3.1 (version 7.4 is in preparation…)

The first time start up without the vm args, then ‘Harjo’s box’ appears, about the j2db.jar application. Check the box and you won’t see it again. Even when you copy paste the vm args back into the Servoy admin (which I did, just for the idea…).
I trust Servoy will tell Oracle to fix this namegiving, so maybe one day in the (near?) future…

I tested a few more things: with the new (with GUI) signtester, you can sign just the j2db.

I changed under preferences Appname from %%jarName%% to my own solutionName,
selected ONLY the j2db.jar and signed it again, and this is the result!!:

:D :D

[attachment=0]Schermafbeelding 2014-04-18 om 09.28.21.png[/attachment]

Bingo! Thanks Harjo.
Now the only thing left is making the checkbox appear without having removed the vmargs in the Servoy admin…
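
A small checker for the manifest attributes this thread keeps running into (the required Permissions attribute, and the application name that showed up as j2db.jar), added here as an example; it is not part of the original thread and is not Servoy's signtester. The attribute names are the standard JAR manifest ones, the finding labels and the `make_jar` helper are made up for the example, and the sample JARs are constructed in memory.

```python
import io
import zipfile

VALID_PERMISSIONS = {"sandbox", "all-permissions"}
SIG_SUFFIXES = (".RSA", ".DSA", ".EC")

def parse_main_section(text):
    """Main-section attributes of a MANIFEST.MF, keys lower-cased."""
    attrs, key = {}, None
    for line in text.splitlines():
        if not line:                      # a blank line ends the main section
            break
        if line.startswith(" ") and key:  # continuation of a wrapped value
            attrs[key] += line[1:]
        elif ":" in line:
            name, _, value = line.partition(":")
            key = name.strip().lower()
            attrs[key] = value.strip()
    return attrs

def audit_jar(jar_bytes):
    """List findings for one JAR. Signature files are detected, not verified."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = [n.upper() for n in jar.namelist()]
        if "META-INF/MANIFEST.MF" not in names:
            return ["no-manifest"]
        attrs = parse_main_section(jar.read("META-INF/MANIFEST.MF").decode("utf-8"))
    findings = []
    if not any(n.startswith("META-INF/") and n.endswith(SIG_SUFFIXES) for n in names):
        findings.append("unsigned")
    perms = attrs.get("permissions")
    if perms is None:
        findings.append("permissions-missing")
    elif perms not in VALID_PERMISSIONS:
        findings.append("permissions-invalid")
    app = attrs.get("application-name", "")
    if not app:
        findings.append("application-name-missing")
    elif app.lower().endswith(".jar"):    # e.g. the j2db.jar name seen in the dialog
        findings.append("application-name-is-jar-filename")
    return findings

def make_jar(manifest, signed):
    """Build a constructed sample JAR in memory (placeholder signature block)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", manifest)
        if signed:
            jar.writestr("META-INF/SAMPLE.RSA", b"placeholder, not a real signature")
    return buf.getvalue()
```

To validate the signature itself on a real JAR, run `jarsigner -verify` against it; this checker only reads the manifest and looks for a signature block file.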