Trusted-Library fail

With Java 7u21, Oracle introduced a new manifest attribute called Trusted-Library. You use this attribute to handle mixed code [1] in Java applets or Java Web Start applications.

Now before you stop reading... I know applets aren't the greatest tech out there. As a matter of fact I encourage everyone to avoid using this tech whenever possible! But there are some niche cases where applets are still the only viable solution. For example if you're dealing with PKI smartcards in a webapp: there's no cross-platform/cross-browser solution other than Java applets for accessing smartcards in a webapp, at least for now.

Java 7u45 release

Back to the Trusted-Library attribute. As I said, it was introduced in 7u21. So once Oracle released this Java version we added the attribute to the manifest of our applet.

Everything was fine until Java 7u45 was released. This release raised the security baseline again (which I encourage, by the way) and introduced a new set of manifest attributes, one of them being Caller-Allowable-Codebase. In the process Oracle broke the Trusted-Library attribute, forcing developers to choose between adding Trusted-Library or Caller-Allowable-Codebase. The overall consensus in the Java community was to favor Caller-Allowable-Codebase, so that users of recent Java versions (7u45+) wouldn't be confronted with annoying security warnings.

On a side note: I've noticed people using a single wildcard (*) in Caller-Allowable-Codebase. You should avoid this whenever possible, since the whole purpose of Caller-Allowable-Codebase is to be restrictive. Starting with 7u55, Java shows a security warning when Caller-Allowable-Codebase is set to a single wildcard (asterisk).

Java 7u60 release

Recently Oracle released Java 7u60. Apparently this release fixed the above bug introduced in 7u45. Developers are now required to add both Caller-Allowable-Codebase and Trusted-Library (again) if they're using mixed code in their applet. So if you removed Trusted-Library before, you might wanna add it back. Unfortunately the 7u60 release notes don't mention this change at all...
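As an added example (not code from the original post), the following Python script audits the main section of a JAR manifest for the two attributes discussed above and flags the single-wildcard case. It assumes the applet uses mixed code; the sample manifests and the example.com hosts are constructed for illustration.

```python
import io
import zipfile

def parse_main_attributes(manifest_text):
    """Return the manifest's main-section attributes, names lower-cased."""
    attrs, last = {}, None
    for line in manifest_text.replace("\r\n", "\n").split("\n"):
        if line == "":                      # blank line ends the main section
            break
        if line.startswith(" ") and last:   # continuation of a wrapped value
            attrs[last] += line[1:]
            continue
        name, _, value = line.partition(": ")
        last = name.lower()                 # attribute names are case-insensitive
        attrs[last] = value
    return attrs

def audit_manifest(manifest_text):
    """List findings for an applet that uses mixed code (assumption)."""
    attrs = parse_main_attributes(manifest_text)
    findings = []
    if attrs.get("trusted-library", "").strip().lower() != "true":
        findings.append("Trusted-Library not set: required again as of 7u60")
    cac = attrs.get("caller-allowable-codebase")
    if cac is None:
        findings.append("Caller-Allowable-Codebase not set: expected since 7u45")
    elif "*" in cac.split():
        findings.append("Caller-Allowable-Codebase is a bare wildcard: warning since 7u55")
    return findings

def audit_jar(jar_bytes):
    """Read META-INF/MANIFEST.MF from JAR bytes and audit it."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        return audit_manifest(jar.read("META-INF/MANIFEST.MF").decode("utf-8"))

def build_sample_jar(manifest_text):
    """Build a constructed in-memory JAR holding only the given manifest."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", manifest_text)
    return buf.getvalue()

# Constructed sample manifests (hosts are placeholders).
WEAK = "Manifest-Version: 1.0\r\nCaller-Allowable-Codebase: *\r\n\r\n"
GOOD = ("Manifest-Version: 1.0\r\nTrusted-Library: true\r\n"
        "Caller-Allowable-Codebase: apps.example.com intra\r\n"
        " net.example.com\r\n\r\n")

if __name__ == "__main__":
    for label, text in (("weak", WEAK), ("good", GOOD)):
        print(label, audit_jar(build_sample_jar(text)))
```

Running this against every signed JAR in a build catches a manifest that lost Trusted-Library during the 7u45 workaround before users see the warning.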

I hope this post gives you some insight into the use of Trusted-Library with different Java versions.

[1] Mixed code refers to using both signed and unsigned Java code in an applet. I think this is a bad practice and should be avoided; you should sign all your applet code. But using JavaScript alongside an applet via LiveConnect also counts as mixed code. The latter is a more common use case in my opinion.