Back

Topic

[KB685]JRE 7u51 – New Java security policy

Tags: 7u51, Applet, Java, JRE, Webvue

WebVue
11 years ago
By BL
Options
Print
Applies to:

WebVue for PcVue version 9.0, 9.0 SP1, 9.0 SP2, 10.0, 10.0 SP1 and 11.
Summary:

This article explains Oracle’s new security requirements for Rich Internet Applications and how to react to it for running the WebVue client.

The workaround described below has been validated with Java 7 Update 51 and Java 7 Update 60 beta.

Future PcVue versions will be supplied with a signed WebVue applet and therefore will match those security requirements. Please note that you will have to update your Java Runtime Environment (JRE) to Java 7 to run these future WebVue versions. An up-to-date JRE will also be provided to you on the coming installation media for deployment on WebVue client machines.
Solution:

With the JRE version 7u51 released on January, 14th 2014, Oracle has introduced a new security policy which restricts the execution of non-signed RIA (Rich Internet Applications) such as WebVue in a browser or Java Web Start context.

For more information please read the official note from Oracle:
https://blogs.oracle.com/java/post/new-security-requirements-for-rias-in-7u51-january-2014

If trying to execute a non-signed WebVue applet on a client machine with Java 7u51 or later installed, the following message is going to appear:

JRE 7u51 AppletBlockedMessage

(where “http://mywebvueserver” matches the WebVue server host).

For the already deployed versions of PcVue mentioned in the “Applies to” section, one of the following solution can be applied for enabling the execution of the WebVue applet.

Solution 1:

If access to legacy Java applets is not managed on domain-level, individual users of a WebVue applet may consider adding a site exception to the security settings of their Java Runtime Environment. This is a local setting and only applies to the computer used for client access to WebVue. The JRE configuration change described below needs to be done on each computer where the WebVue client is used. Making this modification does not require administrator privileges.

Go to “Control Panel > Java” and select the “Security” tab.

JRE 7u51 SecuritySettingDialog

  1. Please verify that the selected security level is “High” (or very high).
  2. Click “Manage Site List…”.
  3. Add a new location corresponding to the WebVue server host.
    The location is in the form of a Url, including http or https, and the host is either an IP address, a host or domain name.

JRE 7u51 SecuritySettingAddExceptionSiteDialog

For additional information please refer to:
https://www.java.com/en/download/help/exception_sitelist.html

Solution 2:

If you are a domain administrator and you have to manage one or multiple WebVue applications in your network you may consider using whitelisting of legacy Java applets by creating deployment rulesets for your domain.

This is the recommended method since it is in line with Oracle’s suggestions for permanently maintaining Java 6 applications and it allows you to decide which applications to execute and which not to in a fine-grained manner.

Solution 3:

You can prevent the client computers from updating to Java 7u51. This may be achieved by disabling automatic updates on the computers that are supposed to connect to the WebVue server or by just never installing any updates of the JRE manually.

Please note that this simple yet effective method is NOT recommended because it is not in line with holding installations up-to-date in terms of security.
However, for existing Intranet applications with no connection to the outside world this may possibly be considered as a temporary solution.

Created on: 17 Jan 2014 Last update: 13 May 2024