
Thread: How do you block applications using JAVA SE Runtime client (not using control panel)

  1. #1
    jamiemilne

    Hi all
    I would like to know if it's possible to stop all applications using a java client that is installed locally on the user's machine. Apart from requests only coming from SAP business objects.

    Does anyone have any knowledge on the JAVA runtime client and whether an xml file can be created that will catch all incoming requests to the java client and block all requests apart from a single request I can state?

    I am aware in the java control panel you can list site exceptions. But we have tried this and this is not good enough for us, as we want to stop the request (that could be an attack) before it even begins to start up java web starter.

    Any help gratefully appreciated
    Kind regards
    Jamie

  2. #2
    jim829

    I don't have an immediate answer but as is typical of questions like this, you have a problem and have already pre-supposed a solution which
    you are not certain how to do. Perhaps you should explain the real issue as there are probably some experts in this forum who could
    respond based on related experience.

    Regards,
    Jim
    Poor planning on your part does not constitute an emergency on my part

  3. #3
    jamiemilne

    Hi Jim
    OK, the problem is JAVA client is a security threat and our organisation wants it removed completely.

    But we have enterprise applications that require the java client to work.
    There was a security expo show on last week in London UK.
    And it was suggested that an xml file can manage what requests are allowed through to the java client.
    I have googled and seen this is possible with a java servlet, but our clients do not talk to a server. They are standalone java clients.

    So as the xml option is probably no good for us, is there a way to control what applications can access the java client?
    Many thanks
    Jamie

  4. #4
    Norm

    How would another app access the java client you are worried about?
    If you don't understand my response, don't ignore it, ask a question.

  5. #5
    jamiemilne

    Originally posted by Norm:
        How would another app access the java client you are worried about?

    Hi
    SAP Business Objects that runs in an IE11 web browser (it is a java based app that runs in the web browser) calls the java client on the windows 7 machine. The java control panel opens, and shows what java class libraries it is loading.

    Meanwhile in the browser the java icon appears and spins round.
    Then finally I get presented with a message saying application blocked by security settings in the browser.

    This is because the current version of the java client (V8 update 92) is way ahead of the business objects version 4.1 sp5.
    And as the business objects site security certificate is either self signed or out of date the java client stops business objects from loading any further. Even if I upgrade business objects to the very latest version, SAP themselves have said they do not support the latest java client (It is a problem I have with many other enterprise applications at our site.)

    Our only option is to downgrade to a lesser version of Java client, typically V7 update 55 for example.
    However V7 is a high security risk (we get audited annually by an external security company, and our out of date java clients are a big issue for them).

    So I am in between a rock and a hard place. Either get all users to run the latest java clients, satisfying our security compliance policy, but none of the users can write reports anymore in business objects and I get grilled for that.

    Or I leave the java client at V7 update 55 and upset the directors as we do not get a certificate saying we are compliant, which again I get grilled for!

    So it has been suggested to me that we can use a .xml file to 'validate' what applications are trying to access the java client. Thereby keeping our out of date java client (V7 update 55) and stopping hackers getting into the java client and using the class libraries to bring our site to a grinding halt. This would go into our mitigation submission to our security auditors and this would satisfy them.

    So I am now looking at Java servlets, to see if there is a servlet that can authenticate what application is trying to use the java client before it starts to load.

    Apologies if none of this makes sense, I am new to the forum, not sure where to post it, if this is even possible, etc...
    Thanks
    Jamie

  6. #6
    jim829

    Would a properly configured Java Security Manager help with this? I know it can control who can access various
    classes, files, and other resources. The main drawback is that it can affect performance.

    Regards,
    Jim

  7. #7
    Norm

    "what application is trying to use the java client"
    Can you explain how an application uses the java client?
    How is the java client coded? Your description sounds like it is an applet. If it is not an applet, how does a browser get involved?

  8. #8
    Tolls

    Surely this is SAPs problem?
    They're the ones using insecure outdated technology, after all.

    I'm also not sure how a servlet would help in this.
    What do you expect a call to a URL is going to achieve? Surely if that was doable that would be a massive security hole for Java?
    Please do not ask for code as refusal often offends.

    ** This space for rent **

  9. #9
    Tolls

    Out of curiosity, what SAP product is causing the issue?
    Is it an out of date one?
    Is there a newer one that solves this issue, possibly via web services rather than some Java applet?

  10. #10
    jamiemilne

    Hi
    I will look at java security manager

    Yes it is an applet which calls JRE in the web browser.

    I thought a servlet could link to all the java clients and control when the java client gets initiated from the browser. Stupid I know, because as I write this I realise how idiotic that sounds.

    Going to the latest version in SAP is a monster project as it needs a new server built with apache tomcat and setting up from scratch regarding creation of all our data connections to database servers. I am doing this, this year, but for now I wanted a quick and dirty way to block the JRE running apart from one application.

    I am thinking I should raise this issue with SAP and see if there is a way to get an old version of SAP to work with the latest java version.
    Then I will be security compliant and the latest Java will work with the outdated SAP version.

    Many thanks for all your help. It has been really useful sounding this out to you all.
    Jamie

  11. #11
    Tolls

    The thing is I don't think it's SAP is it?
    Isn't it the security additions to Java 8?

    But yes, SAP would be my first port of call, however they may say that you should have been looking at upgrading.

  12. #12
    Norm

    I'm still unable to picture where the problem is.
    How and where can an application access your system?

    Is this what you have:
    a client using a browser on his PC loads an html page from your server. The html page has an applet. The applet communicates with the server.

    What is the java client? Is it the applet?

  13. #13
    Tolls

    The problem is that the version of Business Objects they're using is an applet-based version.
    This won't work with Java 8 (according to SAP) and so would involve reverting to a version of 7, which incurs security audit issues.

    So Jamie is trying to see if there's a work around with 8 that would allow just this one thing through, since it also seems SAP haven't kept their certificates up to date (and possibly have no intention of doing so).

    To me, all this points to SAP and whether they will sort out a workaround or (quite likely) say that it's no longer supported.

  14. #14
    Norm

    The light may have come on.
    Is the OP trying to restrict the usage of a JRE installed on a user's PC to only execute the OP's applet?

  15. #15
    Tolls

    Sounds like it, though it's not their applet, it's one provided by SAP, which apparently isn't properly signed anyway.

  16. #16
    Norm

    Along these lines then
    The problem is that the client does not want to have any version of a JRE on his PC because of the known security problems.
    However it would be really nice if there were a version of the JRE that would ONLY work with the SAP applet and no other applets.
