As I've read before on pages like this:
https://blogs.oracle.com/java-platform-group/entry/introducing_deployment_rule_sets
Java is going to "strengthen" its security features by essentially blocking every applet except those "whitelisted" by the user (here they talk about some "ruleset.xml").
Today I went back to work after a week, and opening a PVE console brought me to see this behaviour (see attachments, follow arrows):
1) before the Java applet is loaded in Firefox, a popup appears, with the usual "this web site is not sure, please confirm connection", BUT
2) the popup contains a note about a future Java security feature switch, it seems (sorry, it's in Italian): basically the yellow zone says that
"in future this application will be blocked because the manifest file has no permission attribute. contact the author. blah blah"
3) a link in that yellow zone brings you to another popup which says that the certificate is "not protected" (and reports I am downloading it from my server IP)
there, another "yellow zone" says basically the same as above:
"in future this application will be blocked because the manifest file has no permission attribute. contact the author. blah blah"
4) a link in the last popup lets me see details about that "not protected" certificate, and I see that it has been issued by "PVE cluster manager CA": I guess it is MY cluster.
If I click "ok" enough I am brought to another popup (the second attachment) which asks me again the exact same thing...
Now, ok, I can live with confirmations (most times I use ssh to access VMs, not java console) BUT
- has the "ruleset.xml" file anything to do with this?
- should I alter the /usr/share/vncterm/VncViewer.jar, where the "manifest" file is contained, applying what Oracle is suggesting (and in the future demanding, apparently), like
http://docs.oracle.com/javase/tutorial/deployment/jar/secman.html ?
- will future updates replace the jar (and so the manifest file too)?
- how should I manage this situation now, and in the future, when those new security features become mandatory?
Can anyone help me understand here?
Thanks,
Marco
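
Added example, not part of the original post and not Proxmox or Oracle code: a Python check for the condition the popup describes, a JAR whose manifest has no Permissions attribute. The function names and the in-memory sample JARs are constructed for illustration; `sandbox` and `all-permissions` are the two values Oracle documents for that attribute.

```python
import io
import sys
import zipfile

MANIFEST = "META-INF/MANIFEST.MF"
VALID_PERMISSIONS = {"sandbox", "all-permissions"}

def parse_main_attributes(manifest_text):
    """Return the main-section attributes of a JAR manifest, keys lower-cased."""
    attrs, last = {}, None
    for line in manifest_text.splitlines():
        if not line.strip():
            break  # a blank line ends the main section
        if line.startswith(" ") and last:
            attrs[last] += line[1:]  # continuation of a wrapped manifest line
            continue
        name, sep, value = line.partition(":")
        if sep:
            last = name.strip().lower()
            attrs[last] = value.lstrip(" ")
    return attrs

def check_jar(jar):
    """Inspect a JAR (path or file object) for the Permissions attribute."""
    with zipfile.ZipFile(jar) as zf:
        names = zf.namelist()
        if MANIFEST not in names:
            return {"permissions": None, "signed": False, "ok": False}
        text = zf.read(MANIFEST).decode("utf-8", "replace")
    perm = parse_main_attributes(text).get("permissions")
    perm = perm.strip() if perm else None
    # Signature block files present: editing the manifest would require re-signing.
    signed = any(n.upper().startswith("META-INF/")
                 and n.upper().endswith((".RSA", ".DSA", ".EC")) for n in names)
    return {"permissions": perm, "signed": signed, "ok": perm in VALID_PERMISSIONS}

def constructed_jar(manifest_text):
    """Build a sample JAR in memory (constructed input, not a real PVE file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(MANIFEST, manifest_text)
    buf.seek(0)
    return buf

if __name__ == "__main__":
    # Usage: python check_jar.py /usr/share/vncterm/VncViewer.jar
    for path in sys.argv[1:]:
        print(path, check_jar(path))
```
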