Looking for advice about security improvements in 7u21

Ludwig, Mark ludwig.mark at siemens.com
Tue May 21 09:10:17 PDT 2013


We have deliver several commercial Java applets to customers that use JavaScript for certain interactions.  The security improvement in 7u21 that issues a dialog for such mixed-mode invocations has caught us in a hard spot, and I am looking for advice.

We are focusing on using "Trusted-Library: true" manifest entry for our applets, but through some experimentation and reading the available documentation, it is not clear to me what the practical options are.

Specifically, we have been using log4j.  We will not sign it, because it is not ours.  (It's not entirely clear if legally we even may sign it.)  We want log4j to be able to write a log file on the local disk, which obviously requires elevated privileges.

As you might imagine, prior to this update, we simply invoked it under the umbrella of privileges we acquired in our code.  Now, I am not sure this will work - and more importantly - whether it should work or whether we should even be thinking about using it in this sort of way.  Put another way, I believe the intention of this security update is to require all code that uses elevated privileges to be in a signed jar file.

I would appreciate advice and clarification about this.  If there is more documentation available somewhere in OpenJDK.Java.net, please point me to it.  (I am fairly certain that I have exhausted everything on this topic at Oracle.com.)

Mark Ludwig

More information about the jdk7u-dev mailing list