Java Rich Internet Applications Guide > Security > Security Dialogs
Beginning with the 7u21 release, when a RIA is launched, users are notified with a security prompt similar to the following screen shot.
Depending on the RIA, the security prompt shows the following information:
- Name of the RIA, or notification that the application is unsigned.
  The name that is shown is the value of the Application-Name attribute in the JAR file manifest. If the Application-Name attribute is not present, the value for the Main-Class attribute is used. If neither attribute is present in the manifest, no title is shown in the security prompts. Titles are not shown for unsigned RIAs. See Application-Name Attribute for information.
- Warning when an out-of-date JRE is being used.
  For enterprises that manage the update process of users' systems, the deployment property deployment.expiration.check.enabled can be set to suppress the warnings for out-of-date JREs. See Deployment Configuration File and Properties for information.
- Information about the publisher.
  If the application is self-signed or signed by an unknown authority, the publisher is shown as UNKNOWN.
- Warnings about the certificate.
  If the certificate is expired, revoked, or the server that tracks which certificates were revoked cannot be accessed, the prompt shows a warning. A warning is also shown if the certificate is not valid until a future date.
- Location from which the application is accessed.
  The value is either a URL for applications that are accessed from a website, or a directory for applications that are accessed from a local drive.
- Level of access required by the application.
  Limited access restricts the application to the security sandbox; unrestricted access provides the application with access to resources on the user's system.
- Warning about missing JAR file manifest attributes.
  JAR file manifest attributes are available to provide additional protection for an application. The warning indicates that the manifest is missing a recommended attribute. See JAR File Manifest Attributes for Security for information.
- For unsigned or self-signed applications, a checkbox that the user must select before the Run button is enabled.
- Option to not show the prompt again.
  For signed RIAs, future prompts for this RIA and RIAs from the same location that are signed with the same certificate can be turned off. If the RIA is a sandbox application, then the prompt is turned off only for other sandbox applications that are signed with the same certificate. When shown, click Show Options to access the option to turn off the prompt.
Prompts that were previously hidden can be restored through a button on the Security tab of the Java Control Panel. See Restore Security Prompts for information.
For a description and examples of the security prompts, see "What should I do when I see a security prompt from Java?" on java.com.
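A pre-signing check of the title rule described above, as an added example that is not part of the original guide: it reads a manifest with java.util.jar.Manifest and reports the title the prompt would show and which attributes are absent. The class name PromptTitleAudit, the sample manifest, and the choice of Permissions and Codebase as attributes to check are assumptions; this page does not list which attributes trigger the missing-attribute warning.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import java.util.jar.Attributes;
import java.util.jar.Manifest;

public class PromptTitleAudit {
    // Attributes checked for presence. Application-Name is named on this page;
    // Permissions and Codebase are an assumption about what to audit.
    static final String[] CHECKED = {"Application-Name", "Permissions", "Codebase"};

    // Title rule from the page: Application-Name, else Main-Class, else no title.
    // Unsigned RIAs never get a title, whatever the manifest says.
    static String promptTitle(Attributes main, boolean signed) {
        if (!signed) return null;
        String name = main.getValue("Application-Name");
        if (name != null) return name;
        return main.getValue("Main-Class"); // null when neither attribute is present
    }

    // Lists the checked attributes that the main manifest section lacks.
    static List<String> missingAttributes(Attributes main) {
        List<String> missing = new ArrayList<>();
        for (String attr : CHECKED) {
            if (main.getValue(attr) == null) missing.add(attr);
        }
        return missing;
    }

    static String show(String title) { return title == null ? "(no title shown)" : title; }

    public static void main(String[] args) throws IOException {
        // Constructed sample manifest: no Application-Name, so Main-Class is the fallback.
        String sample = "Manifest-Version: 1.0\r\n"
                + "Main-Class: com.example.demo.Launcher\r\n"
                + "Permissions: sandbox\r\n"
                + "\r\n";
        Manifest mf = new Manifest(
                new ByteArrayInputStream(sample.getBytes(StandardCharsets.UTF_8)));
        Attributes main = mf.getMainAttributes();

        System.out.println("Title if signed:    " + show(promptTitle(main, true)));
        System.out.println("Title if unsigned:  " + show(promptTitle(main, false)));
        System.out.println("Missing attributes: " + missingAttributes(main));
    }
}
```

A Main-Class fallback means the user is asked to trust a bare class name, so a release check can treat a missing Application-Name as a build failure.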
The best experience for the user is when the RIA is restricted to the security sandbox and is signed with a current certificate from a trusted certificate authority. Clicking Run is all that is needed from the user to run the RIA.
As conditions become less secure, warning messages become stronger, and in some cases, more action is needed by the user, as described for the following situations:
- If the RIA is signed with a certificate from a trusted certificate authority, but requires unrestricted access to the user's system, the prompt warns the user about the risk of running the RIA. Clicking Run starts the RIA.
- If the RIA is signed with an expired certificate or the revocation status of the certificate cannot be checked, the prompt provides stronger warnings about the risk of running the RIA. The user must select the option to accept the risk, which enables the Run button, then click Run to run the RIA.
Additional warnings are shown in some cases, such as when sandbox code attempts to access privileged code, or a RIA attempts to access resources that it does not have permission to access. These warnings require additional responses from the user.
For guidelines on deploying your RIA, see Deployment Best Practices in the Java Tutorial. For information on how the deployment of RIAs is handled, see Rich Internet Application Deployment Process.
The Java Control Panel can be used to set options that are related to the security prompts. The Security tab provides an option to block Java content from running in a browser. The Security Level setting determines if the applet is automatically blocked and what level of prompting the user receives if the RIA is not blocked. See the Security section for the Java Control Panel for more information.
The Advanced tab provides options for managing RIAs:
- Secure Execution Environment options provide control for allowing or prohibiting users from granting privileges. If the user is not allowed to grant privileges, the security prompt is not shown and the app or features of the app are blocked.
- Mixed code security verification options provide control for showing or hiding prompts that warn of mixed code. If the prompts are hidden, some features might be blocked without any notice to the user.
See the Advanced section for the Java Control Panel for more information.