
Internet Explorer and Java security


I want to know if applets simply won't run anymore in IE.

I've searched quite a bit but the answer seems to keep changing based on versions and when this question is asked. So I'm looking for a simple authoritative answer.

Here's my setup:

  • Running IE 11 on Windows 7
  • Java 1.8.0_60 is configured as the Java runtime environment
  • No other Java versions are installed
  • "Enable Java content in browser" is checked
  • Java security setting is "high"
  • Site (local file for now) is specified in the Java security exception site list

I realize Java will no longer work in Chrome but is it still possible or not (using recent versions above) in IE as of today?

UPDATE:

I've added the security requirements to the manifest and I've self-signed the jar file but something still isn't quite right as the applet doesn't display its output.

Here's the manifest as it exists in the jar file:

Manifest-Version: 1.0
Application-Name: test
Permissions: all-permissions
Caller-Allowable-Codebase: *
Codebase: *
Application-Library-Allowable-Codebase: *
Build-Jdk: 1.8.0_60
Created-By: 1.8.0_45 (Oracle Corporation)

Name: HelloApplet.class
SHA-256-Digest: wkK+EUOV7eaecddcrIwBnjeZ+95GyyuK7OiVXR4XJ+4=

And here's the applet code:

import java.applet.Applet;
import java.awt.Graphics;

public class HelloApplet extends Applet {
    public void paint(Graphics g) {
        g.drawString("Hello world!", 50, 25);
    }
}

And here's the web page (UPDATED TO USE APPLET TAG)

<!DOCTYPE html>
<html>
<body>
    <applet code = 'HelloApplet' 
        archive = 'HelloApplet.jar'
        width = 300
        height = 300>
        <param name="permissions" value="all-permissions" />
    </applet>
</body>
</html>

Is there anything wrong here?


Solution

  • Applets still work in IE. But starting with Java version 7u51, there have been new security requirements for the MANIFEST.MF file.

    https://blogs.oracle.com/java-platform-group/entry/new_security_requirements_for_rias

    In short, you need to define at least the Permissions and Codebase attributes.

    Code snippet from my applet (META-INF/MANIFEST.MF in jar file):

    Manifest-Version: 1.0
    Application-Library-Allowable-Codebase: *
    Application-Name: app-name
    Build-Jdk: 1.7.0_79
    Permissions: all-permissions
    Caller-Allowable-Codebase: *
    Codebase: *
    

    Additional requirements depend on the type of access permissions the applet requires (all-permissions or sandbox).

    More info: http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/security/manifest.html
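
An added example, not part of the question or the answer: a small check that reads a manifest's main section, reports whether the Permissions and Codebase attributes the answer names are present, and flags `*` values, which leave the JAR deployable from and callable by any site. The class name `ManifestAudit` and the finding labels are illustrative, and the sample input is constructed from the manifest shown in the question.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import java.util.jar.Attributes;
import java.util.jar.Manifest;

public class ManifestAudit {
    // Attributes whose value is a list of allowed locations; "*" removes the restriction.
    static final String[] DOMAIN_ATTRS = {
        "Codebase", "Caller-Allowable-Codebase", "Application-Library-Allowable-Codebase"
    };

    static List<String> audit(Manifest mf) {
        List<String> findings = new ArrayList<>();
        Attributes main = mf.getMainAttributes();
        String perms = main.getValue("Permissions");
        if (perms == null) {
            findings.add("MISSING Permissions");
        } else if (!perms.equals("sandbox") && !perms.equals("all-permissions")) {
            findings.add("INVALID Permissions: " + perms);
        } else if (perms.equals("all-permissions")) {
            findings.add("REVIEW Permissions: all-permissions (runs outside the sandbox)");
        }
        // The answer lists Codebase alongside Permissions as the minimum to define.
        if (main.getValue("Codebase") == null) findings.add("MISSING Codebase");
        for (String name : DOMAIN_ATTRS) {
            String v = main.getValue(name);
            if (v != null && v.trim().equals("*")) findings.add("WILDCARD " + name + ": *");
        }
        return findings;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample mirroring the main section of the manifest in the question.
        String sample = "Manifest-Version: 1.0\r\n"
            + "Application-Name: test\r\n"
            + "Permissions: all-permissions\r\n"
            + "Caller-Allowable-Codebase: *\r\n"
            + "Codebase: *\r\n"
            + "Application-Library-Allowable-Codebase: *\r\n\r\n";
        Manifest mf = new Manifest(
            new ByteArrayInputStream(sample.getBytes(StandardCharsets.UTF_8)));
        audit(mf).forEach(System.out::println);
    }
}
```

To audit a real JAR instead of the inline sample, obtain the manifest with `new java.util.jar.JarFile(path).getManifest()` and pass it to `audit`.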