Java 1.6 Update 19 "Warning - Security" dialog dis...

WesTucker · ‎Apr 05, 2010

The Java 1.6 Update 19 released on April 1st has a new security Warning
that is being triggered by Windchill applets in 9.1. The default of
"Yes" prevents the applets from working correctly.

We haven't finished tested yet, but clicking "No" on the dialog seems to
be a "one time only per applet" workaround. ("Just Say No") There is
also a java client setting to reduce the overall security level (see
link below).

The "Warning - Security" dialog says:
"Java has discovered application components that could indicate a
concern."
"The applet contains both signed and unsigned code."
"Block potentially unsafe components from being run? (recommended)"

It wasn't obvious to users that "Yes" means "Don't run the application"
and "No" means "Run the application (with some restrictions)".

One reported error that happens if you click "Yes" was a dialog from IE
8 titled "Message from Webpage" that said: "ATTENTION: An error occured
while uploading the file. Please contact your administrator. Error:
[object Error]"

We've seen two file attachment applets on the warning dialog:
fileSelectionAndUploadAppletApplet, and
dragAndDropFileSelectionAppletApplet when creating documents and
updating Change Notice attachments.

I have an SPR 1969357 for the issue with a severity of high and tech
support told me it will be fixed in 9.1 m060.

Here is a great, um.. "Oracle", Java page "Mixing Signed and Unsigned
Code" that describes the dialog and options for users and developers.

jessh · ‎Apr 05, 2010

>
SPR #1969357 was filed on this issue. It has addressed (via addition of
the "trusted library" manifest entry) in R9.1 M060 and X-20.

--
Jess Holle
> The Java 1.6 Update 19 released on April 1st has a new security
> Warning that is being triggered by Windchill applets in 9.1. The
> default of "Yes" prevents the applets from working correctly.
> We haven't finished tested yet, but clicking "No" on the dialog seems
> to be a "one time only per applet" workaround. ("Just Say No") There
> is also a java client setting to reduce the overall security level
> (see link below).
> The "Warning - Security" dialog says:
> "Java has discovered application components that could indicate a
> concern."
> "The applet contains both signed and unsigned code."
> "Block potentially unsafe components from being run? (recommended)"
> It wasn't obvious to users that "Yes" means "Don't run the
> application" and "No" means "Run the application (with some
> restrictions)".
> One reported error that happens if you click "Yes" was a dialog from
> IE 8 titled "Message from Webpage" that said: "ATTENTION: An error
> occured while uploading the file. Please contact your administrator.
> Error: [object Error]"
> We've seen two file attachment applets on the warning dialog:
> fileSelectionAndUploadAppletApplet, and
> dragAndDropFileSelectionAppletApplet when creating documents and
> updating Change Notice attachments.
> I have an SPR 1969357 for the issue with a severity of high and tech
> support told me it will be fixed in 9.1 m060.
> Here is a great, um.. "Oracle", Java page "Mixing Signed and Unsigned
> Code" that describes the dialog and options for users and developers.
>

jessh · ‎Apr 05, 2010

I should have said that it was in the process of being addressed. We
have 2 jars that still need to be modified yet -- at least last I knew.

--
Jess Holle
> SPR #1969357 was filed on this issue. It has addressed (via addition
> of the "trusted library" manifest entry) in R9.1 M060 and X-20.
>
> --
> Jess Holle
>> The Java 1.6 Update 19 released on April 1st has a new security
>> Warning that is being triggered by Windchill applets in 9.1. The
>> default of "Yes" prevents the applets from working correctly.
>> We haven't finished tested yet, but clicking "No" on the dialog seems
>> to be a "one time only per applet" workaround. ("Just Say No") There
>> is also a java client setting to reduce the overall security level
>> (see link below).
>> The "Warning - Security" dialog says:
>> "Java has discovered application components that could indicate a
>> concern."
>> "The applet contains both signed and unsigned code."
>> "Block potentially unsafe components from being run? (recommended)"
>> It wasn't obvious to users that "Yes" means "Don't run the
>> application" and "No" means "Run the application (with some
>> restrictions)".
>> One reported error that happens if you click "Yes" was a dialog from
>> IE 8 titled "Message from Webpage" that said: "ATTENTION: An error
>> occured while uploading the file. Please contact your administrator.
>> Error: [object Error]"
>> We've seen two file attachment applets on the warning dialog:
>> fileSelectionAndUploadAppletApplet, and
>> dragAndDropFileSelectionAppletApplet when creating documents and
>> updating Change Notice attachments.
>> I have an SPR 1969357 for the issue with a severity of high and tech
>> support told me it will be fixed in 9.1 m060.
>> Here is a great, um.. "Oracle", Java page "Mixing Signed and Unsigned
>> Code" that describes the dialog and options for users and developers.
>>

mdebower · ‎Apr 05, 2010

This also affects Windchill 9.0 m060, to avoid the error we rolled back to Java 1.6.0_18 which doesn't exhibit the problem.

-marc

RandyJones · ‎Apr 05, 2010

On 04/05/10 11:00, Jess Holle wrote:
>>
> SPR #1969357 was filed on this issue. It has addressed (via addition of
> the "trusted library" manifest entry) in R9.1 M060 and X-20.
>
> --
> Jess Holle

What about a patch for previous builds of 9.1?

--
------------------------------------------------------------------------
Randy Jones
Systems Administrator
Great Plains Mfg., Inc.
1525 E North St
PO Box 5060
Salina, KS USA 67401
email: -
Phone: 785-823-3276
Fax: 785-667-2695
------------------------------------------------------------------------

jessh · ‎Apr 05, 2010

On 4/5/2010 11:39 AM, Randy Jones wrote:
> On 04/05/10 11:00, Jess Holle wrote:
>>>
>> SPR #1969357 was filed on this issue. It has addressed (via addition of
>> the "trusted library" manifest entry) in R9.1 M060 and X-20.
>>
>> --
>> Jess Holle
>
> What about a patch for previous builds of 9.1?
None has been requested to date. Such a patch would be similar in
nature and scope to the patch to eliminate expired certificate warnings.

--
Jess Holle

saumyaprasad · ‎Apr 06, 2010

Wes,

I would like to know the exact error that occurs by turning on the Java Control panet verbosity and debugging on what kind of excepetion occurs. JRE version also introduces lot of restriction based on Java security or policy changes.

Please let me know which datecode of Windchill are you working on?

Do you have replica site in your infrastructure where with JRE updatecausing the problems?

-Thanks,

Saumya

Steris Corporation.

WesTucker · ‎Apr 06, 2010

Hey Saumya, it is easily duplicated with any 9.1.. and according to
other posts with 9.0 also... by updating to 1.6 Update 19. We are on 9.1
m010 but it isn't specific to this version of Windchill.

The link to the Oracle/Sun java site explaining the new warning, how it
is triggered, and the options for developers should give you enough to
follow up on it.

Where you having a specific problem trying to see the issue on your
systems?

-=wes

MichaelMarshall · ‎Apr 26, 2010

Just hit a machine that has Update 20 on it - produces the same error as Update 19.

WesTucker · ‎May 28, 2010

FYI for anyone else waiting on this ...

PTC released a patch for the Java "Mixed Mode" security warnings for 9.1
m030-m050 then pulled it back.

This Wednesday May 26th the TAN had a link to download the patch for 9.1
m030-m050 (but not 9.1 F000-M020 nor 9.0). The link wasn't on the TAN
this morning.

PTC Tech support said the patch didn't fixed the problem 100%. Seems
they missed some applets that also needed to be fixed so they will be
adding to the patch.

TAN:

patrick.chin1 · ‎May 31, 2010

I was told by PTC just to use Java 1.6 Update 18 which means you have to manually disable the option to automatically update Java on the client.

jessh · ‎May 31, 2010

That's an interim approach.

Another is to disable the security warning in the plug-in settings as
per

jessh · ‎May 31, 2010

I should also note that disabling the security warning will not address
the other big issue that Java 6 Update 19 poses -- it breaks all
drag-and-drop in applets. Resolving this requires a code change (or
editing one's java.policy file).

Java 1.6 Update 19 "Warning - Security" dialog disables 9.1 applets or triggers errors

Java 1.6 Update 19 "Warning - Security" dialog disables 9.1 applets or triggers errors