Difference between revisions of "JASigning Platform Issues"
John.Glauert (talk | contribs) |
John.Glauert (talk | contribs) (More security notes. Changed http to https.) |
||
(2 intermediate revisions by the same user not shown) | |||
Line 5: | Line 5: | ||
== CWA Signing Avatars == | == CWA Signing Avatars == | ||
− | The core CWA Signing Avatars software is implemented in HTML5 using | + | The core [[CWA Signing Avatars]] software is implemented in JavaScript for HTML5 web pages using WebGL. It functions on most platforms. See [[CWASA Platform Issues]] for details. |
= Legacy Software : Java = | = Legacy Software : Java = | ||
+ | |||
+ | A Java Runtime Environment (JRE) must be installed. In the Security settings of the Java Control Panel you may need to add https://vhg.cmp.uea.ac.uk to the Exception Site List. | ||
== Java Web Start == | == Java Web Start == | ||
− | JASigning applications and applets are launched using [ | + | JASigning applications and applets are launched using [https://en.wikipedia.org/wiki/Java_Web_Start Java Web Start] through Java Network Launching Protocol (JNLP) files, which have extension <code>.jnlp</code>. Web pages using the more recent JASigning implementation for HTML5 using JavaScript and WebGL is not dependent on JNLP. |
The use of JNLP files for applets is deprecated in modern browsers. Where it is supported, it is fairly seamless, but changes to the Java security regime mean that some messages will be seen for the latest release of JASigning with older Java versions. | The use of JNLP files for applets is deprecated in modern browsers. Where it is supported, it is fairly seamless, but changes to the Java security regime mean that some messages will be seen for the latest release of JASigning with older Java versions. | ||
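Review bot: the added Legacy Software paragraph says users "may need to add https://vhg.cmp.uea.ac.uk to the Exception Site List" without saying when or why. The reason given further down the page is the expired signing certificate, so point this sentence at the Code Signing section. In the added Java Web Start line, "Web pages using the more recent JASigning implementation ... is not dependent on JNLP" should read "are not dependent".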
Line 19: | Line 21: | ||
== Code Signing == | == Code Signing == | ||
− | JASigning components are digitally signed using a Code Signing Certificate issues by [ | + | JASigning components are digitally signed using a Code Signing Certificate issues by [https://www.globalsign.com/code-signing/ GlobalSign] to [https://www.uea.ac.uk/business/consultancy UEA Consulting Ltd]. Before 2014, certificates were issued to [http://www.sys-consulting.co.uk/ SYS Consulting Limited]. When installing applications or applets, users will be asked to confirm that they trust the publisher. Users can choose to trust the publisher permanently to avoid future confirmation requests. |
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | + | The certificates have a limited lifetime and have now expired. Unfortunately, it is therefore necessary to ignore security warnings to use the software. Components can still be used if https://vhg.cmp.uea.ac.uk is added to the Exception Site List via the Security tab on the Java control panel. | |
== Legacy Standalone Applications : Java == | == Legacy Standalone Applications : Java == | ||
The security constraints on running Java-based applications mean that the [[CWA Signing Avatars]] applications are strongly preferred. At present, however, some functionality is only available in the Java software. | The security constraints on running Java-based applications mean that the [[CWA Signing Avatars]] applications are strongly preferred. At present, however, some functionality is only available in the Java software. | ||
− | Java-based applications for the [ | + | Java-based applications for the [https://vhg.cmp.uea.ac.uk/tech/jas/std/ current version of JASigning] are intended to run on Windows (XP, Vista, 7, 10) and on the latest releases of OS X 10.5 and later. Java-based JASigning apps are ''not'' supported on Linux. It is preferable to run JASigning with an up-to-date Java 8 run-time (JRE), although it should run with Java 7 and later versions of Java 6. |
On the supported platforms, that is, Windows and OS X, JASigning supports both 32-bit and 64-bit operation. Which of this modes it actually runs in on any given occasion depends on several factors: | On the supported platforms, that is, Windows and OS X, JASigning supports both 32-bit and 64-bit operation. Which of this modes it actually runs in on any given occasion depends on several factors: | ||
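Review bot: the added Code Signing paragraph says the certificates "have now expired", but the sentence kept just above it still says users "can choose to trust the publisher permanently". Reword so the two do not conflict, and state which certificate expired and when. The added line also keeps the typo "Certificate issues by" (should be "issued by") and leaves the SYS Consulting link on http, although the edit summary says http was changed to https.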
Line 64: | Line 51: | ||
a web browser. | a web browser. | ||
− | There is a 32-bit ([ | + | There is a 32-bit ([https://www.microsoft.com/en-us/download/details.aspx?id=5555 x86]) and a 64-bit ([https://www.microsoft.com/en-us/download/details.aspx?id=14632 x64]) |
version of the Redistributable package. | version of the Redistributable package. | ||
One or both of these should be installed, to match the system's | One or both of these should be installed, to match the system's | ||
Line 76: | Line 63: | ||
As documented in [[JASigning Release Notes]], on OS X 10.6 Snow Leopard and later some rendering artefacts can appear with the freestanding SiGML URL Player and SiGML Service Player. | As documented in [[JASigning Release Notes]], on OS X 10.6 Snow Leopard and later some rendering artefacts can appear with the freestanding SiGML URL Player and SiGML Service Player. | ||
+ | |||
+ | == Legacy Web Applications : Java Applets == | ||
+ | Support for Java Applets is now minimal and the HTML5 approach should be used wherever possible. | ||
+ | |||
+ | JASigning applets may work with browsers other than those mentioned below, but our testing in such cases is at best limited. Let us know! | ||
+ | |||
+ | ==== Windows ==== | ||
+ | JASigning web applets should work with '''Internet Explorer'''. The 32-bit (x86) release of Java should be installed. | ||
+ | |||
+ | ==== OS X ==== | ||
+ | JASigning web applets should work with '''Safari'''. | ||
+ | |||
+ | '''Safari''' will block applets by default but clicking on the avatar display area will allow the applet plug-in to be enabled. '''Safari 7''' and later impose a ''safe'' mode which blocks access to the local disk even though requested by the Java security settings. JASigning will operate in safe mode but will operate more slowly and will not work so well offline as a local cache will be disabled. The Safari Security preferences can be used to disable safe mode for JASigning applets, allowing the local cache to be used. | ||
+ | |||
+ | If GateKeeper is active, launching of applications will be blocked. See the Platforms section above. Even if GateKeeper is disabled: Safari does not consider Java Web Start to be safe so JNLP files may be downloaded to a temporary area and can only be launched by clicking on the icon for the downloaded file in the Downloads window; JNLP files for applications can be downloaded and launched from '''Chrome''' but a warning suggests that JNLP files can be harmful. | ||
---- | ---- | ||
[[Main Page]] >> [[JASigning]] | [[Main Page]] >> [[JASigning]] |
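Review bot: in the added OS X applet text, "See the Platforms section above" points to a heading that does not appear on this page. The GateKeeper notes sit under "Legacy Standalone Applications : Java", subsection OS X, so name or link that section instead. The new "==== Windows ====" and "==== OS X ====" headings also skip a level under the "==" section heading.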
Latest revision as of 15:09, 29 April 2024
Core Software : JavaScript
CWA Signing Avatars
The core CWA Signing Avatars software is implemented in JavaScript for HTML5 web pages using WebGL. It functions on most platforms. See CWASA Platform Issues for details.
Legacy Software : Java
A Java Runtime Environment (JRE) must be installed. In the Security settings of the Java Control Panel you may need to add https://vhg.cmp.uea.ac.uk to the Exception Site List.
Java Web Start
JASigning applications and applets are launched using Java Web Start through Java Network Launching Protocol (JNLP) files, which have the extension .jnlp. Web pages using the more recent JASigning implementation for HTML5, based on JavaScript and WebGL, are not dependent on JNLP.
The use of JNLP files for applets is deprecated in modern browsers. Where it is supported, it is fairly seamless, but changes to the Java security regime mean that some messages will be seen for the latest release of JASigning with older Java versions.
For applications, launching of Java Web Start is sometimes automatic, but sometimes requires further action. Apple makes it increasingly difficult to deploy components using JNLP, so for recent versions of OS X it is necessary to override the default protection regime even though the components are correctly signed. See below for notes on using particular browsers.
Code Signing
JASigning components are digitally signed using a Code Signing Certificate issued by GlobalSign to UEA Consulting Ltd. Before 2014, certificates were issued to SYS Consulting Limited. When installing applications or applets, users will be asked to confirm that they trust the publisher. Users can choose to trust the publisher permanently to avoid future confirmation requests.
The certificates have a limited lifetime and have now expired. Unfortunately, it is therefore necessary to ignore security warnings to use the software. Components can still be used if https://vhg.cmp.uea.ac.uk is added to the Exception Site List via the Security tab on the Java control panel.
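Because an Exception Site List entry stands in for the signature check, it is worth confirming that the list contains only the HTTPS origin named above. The script below is an added example, not part of JASigning; it assumes the list is the plain-text exception.sites file (one URL per line) in the user's Java deployment directory, and the sample entries are constructed.

```shell
#!/bin/sh
# Added example: audit a Java "Exception Site List" file (one URL per line).
# EXPECTED is the only origin this page asks users to add.
EXPECTED="https://vhg.cmp.uea.ac.uk"

# Constructed sample contents, not taken from a real machine.
sample_exception_sites() {
    printf '%s\n' \
        'https://vhg.cmp.uea.ac.uk' \
        'http://vhg.cmp.uea.ac.uk' \
        'https://vhg.cmp.uea.ac.uk.example.invalid/' \
        ''
}

# audit_exception_sites FILE
# Prints one finding per line; returns 0 when the list holds only EXPECTED.
audit_exception_sites() {
    file=$1; findings=0; seen=no
    [ -r "$file" ] || { echo "UNREADABLE $file"; return 2; }
    while IFS= read -r line || [ -n "$line" ]; do
        # Drop CRs (Windows line endings) and surrounding blanks.
        entry=$(printf '%s' "$line" | tr -d '\r' | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
        [ -n "$entry" ] || continue
        case $entry in
            "$EXPECTED"|"$EXPECTED"/*) seen=yes ;;
            http://*|file:*) echo "INSECURE $entry"; findings=$((findings + 1)) ;;
            *) echo "UNEXPECTED $entry"; findings=$((findings + 1)) ;;
        esac
    done < "$file"
    [ "$seen" = yes ] || { echo "ABSENT $EXPECTED"; findings=$((findings + 1)); }
    [ "$findings" -eq 0 ]
}

# With no argument, audit the constructed sample; otherwise audit the given file
# (assumed location on OS X:
#  ~/Library/Application Support/Oracle/Java/Deployment/security/exception.sites).
if [ -n "${1:-}" ]; then
    audit_exception_sites "$1" || echo "review the entries listed above"
else
    tmp=$(mktemp) && sample_exception_sites > "$tmp"
    audit_exception_sites "$tmp" || echo "review the entries listed above"
    rm -f "$tmp"
fi
```

An entry is accepted only if it is exactly the expected origin or a path beneath it, so a look-alike host that merely begins with the same text is reported as UNEXPECTED.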
Legacy Standalone Applications : Java
The security constraints on running Java-based applications mean that the CWA Signing Avatars applications are strongly preferred. At present, however, some functionality is only available in the Java software.
Java-based applications for the current version of JASigning are intended to run on Windows (XP, Vista, 7, 10) and on the latest releases of OS X 10.5 and later. Java-based JASigning apps are not supported on Linux. It is preferable to run JASigning with an up-to-date Java 8 run-time (JRE), although it should run with Java 7 and later versions of Java 6.
On the supported platforms, that is, Windows and OS X, JASigning supports both 32-bit and 64-bit operation. Which of these modes it actually runs in on any given occasion depends on several factors:
- Whether or not the processor supports 64-bit operation.
- Whether or not the operating system supports 64-bit operation.
- Whether the system has a 32-bit or a 64-bit Java installation (or both) -- and what options are set in the Java Control Panel (Windows) or Java Preferences app (OS X).
- For a JASigning applet: whether the browser is running in 32-bit or 64-bit mode.
Windows
Home applications and applets (apart from the SiGML Service Client) on Windows may require the appropriate Microsoft Visual Studio C++ 2010 Redistributable Package to be installed on the system.
On many Windows systems the required Redistributable package will already have been installed. But if not, each JASigning application and applet will display a message at launch time giving the URLs from which the package can easily be downloaded and installed. These URLs can be copied from the Java console and pasted into a web browser.
There is a 32-bit (x86) and a 64-bit (x64) version of the Redistributable package. One or both of these should be installed, to match the system's JRE (Java Runtime Environment) installation(s).
OS X
Before installing and running JASigning applications, the corresponding JNLP file must be downloaded. The application is then launched using Java Web Start. The user will be warned that the application (its JNLP file) has been downloaded from the Internet. The user will also be asked to confirm that they trust the publisher.
Under the default settings for GateKeeper on OS X 10.7.5 Lion and onwards, JASigning applications are blocked from running because they do not come from the App Store or an identified developer. To run blocked applications it is necessary to locate the JNLP file, typically in the Downloads folder, and open it by double-clicking with the control-key down or by right-clicking and choosing Open. On some versions, GateKeeper can be disabled using the General tab of Security & Privacy in the System Preferences.
As documented in JASigning Release Notes, on OS X 10.6 Snow Leopard and later some rendering artefacts can appear with the freestanding SiGML URL Player and SiGML Service Player.
Legacy Web Applications : Java Applets
Support for Java Applets is now minimal and the HTML5 approach should be used wherever possible.
JASigning applets may work with browsers other than those mentioned below, but our testing in such cases is at best limited. Let us know!
Windows
JASigning web applets should work with Internet Explorer. The 32-bit (x86) release of Java should be installed.
OS X
JASigning web applets should work with Safari.
Safari will block applets by default, but clicking on the avatar display area will allow the applet plug-in to be enabled. Safari 7 and later impose a safe mode which blocks access to the local disk even when that access is requested by the Java security settings. JASigning will operate in safe mode, but more slowly, and it will not work as well offline because the local cache is disabled. The Safari Security preferences can be used to disable safe mode for JASigning applets, allowing the local cache to be used.
If GateKeeper is active, launching of applications will be blocked. See the Platforms section above. Even if GateKeeper is disabled: Safari does not consider Java Web Start to be safe so JNLP files may be downloaded to a temporary area and can only be launched by clicking on the icon for the downloaded file in the Downloads window; JNLP files for applications can be downloaded and launched from Chrome but a warning suggests that JNLP files can be harmful.