When trying to access any web page that sends a print command to the client printer using the Printing Applet Solution, a security warning dialog appears depending on the Java version installed on the client machine:
If you want to avoid the warning dialog shown above, you need the "printingappletsigned.jar" file corresponding to GeneXus X Evolution 2 upgrade 4. This solution doesn't work for Java versions previous to 1.7.0_45, due to Java restrictions.
In previous versions, the following warning messages can be thrown:
- "Block Potentially unsafe components from being run?"
- "Java has discovered application components that could indicate security concern."
Solution
As mentioned before, to avoid this warning dialog you need the printingappletsigned.jar file corresponding to GeneXus X Evolution 2 upgrade 4.
Explanation
With the update to Java 1.7.0_45, a new manifest attribute (Caller-Allowable-Codebase) was introduced to control the behavior of JavaScript to Java calls. This attribute specifies the codebase/locations from which JavaScript is allowed to call Applet classes. If the new attribute is not set, the security warning "Allow access to the following application from this website?" is displayed. To prevent this, we have set this attribute and entered "*" in the manifest file. See SAC 35061.
A new security warning was introduced in this version.
The user should "Allow access" to the website, and check: "Do not show this again for this app and website".
If you want to prevent this warning from being displayed, you can do the following:
- Open the printingapplet.jar(1) located in the gxjava or gxnet directory of the GeneXus installation. This jar is not signed, and it should be so as to execute the applet and not be blocked by the browser.
- Edit the MANIFEST.MF (under printingapplet.jar\META-INF) and change the entry Caller-Allowable-Codebase to your domain(s).
Eg: Caller-Allowable-Codebase: host.example.com 127.0.0.1
See Caller-Allowable-Codebase Attribute for details.
- As mentioned before, the printingapplet.jar is not signed, and it should be. So, after getting a certificate, you need to sign the jar and run the following in a command line:
jarsigner.exe" -keystore MyCompany.keystore -storepass "Mypass" -signedjar printingappletsigned.jar printingapplet.jar
See Signing jar files
Make sure you use the signed "printingappletsigned.jar" file at runtime - copy it to the web application directory. Take into account that there is a java cache in the clients, so it should be cleared in some cases. See this link for further information.
Note (1): The unsigned printingapplet.jar is distributed as from GeneXus X Evolution 3 upgrade 4. You can request this file from Technical support.
Consideration: this solution is already implemented by GeneXus JAR Signer application.
With the release of the Java updates 1.7.0_55 and 1.8.0_05, a security warning is displayed even if the "Caller-Allowable-Codebase" is set to "*" in the manifest file.
So, you have to set this attribute (Caller-Allowable-Codebase) to the domain that hosts the application.
See here for the Oracle documentation about the topic.
If the application is executed from a different domain than the domain specified in the "printingappletsigned.jar", the following error can be seen in the javascript console of the browser:
- Liveconnect call for Applet ID * is not allowed in this JVM instance
- Uncaught Error: Error calling method on NPObject
See Java™ SE Development Kit 7, Update 55 RN.