Page 1 of 2

Struggling with Webstart and Java issues.

PostPosted: Wed Feb 05, 2014 10:22 am
by ehrenfeu
Dear all,

recently we get a lot of complaints by our users saying they are not able to run Insight any more on their machines (we are using Webstart to avoid out-of-sync client versions). We didn't do any recent changes to our OMERO server, currently we're one minor version late (making it 4.4.9).

First I thought this was only an issue with MacOS (as documented in [1]) but now also Windows people are unhappy. The error message states (see screenshot below) the application was blocked by security settings, which did not show up until a few days ago. I tried with a Windows machine running Java7, Update 45. Playing with the "Security" settings in Java's control panel, I managed to make it work again. However, that's a per-user setting, and I'd need to tell all my users how to find the Control Panel and what exactly to change there. Am I correct in assuming this is due to the fact that the webstart jars are provided via http instead of https or is this more the code signing stuff as well? I couldn't find where to adjust this, as our webclient is already running on https only and the OMERO config just contains an entry "webstart_host" but nothing about the protocol or port.

omero_ws_error_win.png
(1) Error / Windows
omero_ws_error_win.png (27.17 KiB) Viewed 7825 times


In addition, even when lowering the security level, there is still a Warning presented to the user about the application (attachment 2), but I guess this is about the previously mentioned signin issue?

omero_ws_warn_win.png
(2) Warning / Windows
omero_ws_warn_win.png (50.73 KiB) Viewed 7825 times


On Linux and MacOS, I am able to add an exception for this specific host only, while retaining the general security level on the default. This doesn't seem to be possible with Windows.

omero_jcpl_linux.png
(3) Exception / Linux
omero_jcpl_linux.png (25.5 KiB) Viewed 7825 times


Any help is greatly appreciated!
Thanks
~Niko

[1] http://www.openmicroscopy.org/site/supp ... -os-x-10.8

Re: Struggling with Webstart and Java issues.

PostPosted: Wed Feb 05, 2014 11:29 pm
by manics
Hi Niko

Recent versions of Java have defaulted to blocking unsigned applications. We're aware of the issue and are currently investigating the best way to fix this, most likely by providing a way for the jars to be code-signed. This should avoid users having to make any changes to their Java security settings. Note 4.4.10 also has this problem.

Sorry for the inconvenience

Simon

Re: Struggling with Webstart and Java issues.

PostPosted: Thu Feb 06, 2014 8:51 am
by ehrenfeu
Thanks, Simon!

Let me know if there is anything we can do to support you guys, as this is somewhat pressing to us (I get multiple calls per day from confused users about this topic).

Is there anything about changing the jnlp-delivery from http to https?

Cheers
Niko

Re: Struggling with Webstart and Java issues.

PostPosted: Thu Feb 06, 2014 11:30 am
by manics
Hi Niko

Changing to HTTPS shouldn't make a difference, I think the issue is purely down to the lack of code-signing. We're looking into signing jars as part of the build process, in the meantime there are two workarounds you could try:

  • Download a local client. No installation is necessary, your users can just unzip the archive and run Insight. 4.4.10 clients should be backwards compatible, though if you want you can still access the 4.4.9 clients.
  • Add a security exception. The latest Java (1.7.0_51) should have a place for adding exceptions, as you pointed out earlier versions may not.

Re: Struggling with Webstart and Java issues.

PostPosted: Thu Feb 20, 2014 1:18 pm
by ehrenfeu
Hi Simon,

just a late follow-up on this:

Downloading a local client is unfortunately not a real option for us as this requires to manually update all client installations after each OMERO upgrade. While this would in theory be possible on the Windows machines using our deployment mechanisms it is still a PITA on all the various MacOS ones floating around in our groups. And that's about 50% of our users, I'd say...

HTTPS would make a difference in adding the security exception as Java complains a lot when adding one for HTTP and asks for explicit confirmation by the user. Which again means it adds to the confusion for an average user who anyway often doesn't know when (and why) to accept security exceptions, broken/old/wrong certificates etc.

Cheers,
~Niko

Re: Struggling with Webstart and Java issues.

PostPosted: Thu Feb 20, 2014 5:35 pm
by manics
Hi Niko

Unfortunately we're having trouble in obtaining a code-signing certificate, I apologise for the continued delay. I'm not sure about the http/https problem, we'll get back to you later.

Best wishes

Simon

Re: Struggling with Webstart and Java issues.

PostPosted: Fri Feb 21, 2014 10:18 am
by atarkowska
Hi Niko,

I've just tested how java behave on http vs https host. It seems to be no difference for me.
In both cases in the end user must confirm to run the application, see screenshot.

Ola

Re: Struggling with Webstart and Java issues.

PostPosted: Mon Apr 07, 2014 2:55 pm
by ehrenfeu
Thanks Ola,

as you can see in the screenshot, the webstart binary is still delivered via HTTP and thus the exception in Java's security setting has to be created for HTTP also - and there it complains a lot.

Anyway, am I right in assuming from today's release notification this issue is fixed in 5.0.1? :)

Cheers
Niko

Re: Struggling with Webstart and Java issues.

PostPosted: Mon Apr 07, 2014 3:22 pm
by manics
Hi Niko

5.0.1 should definitely fix the code-signing issue. Note you'll still get a warning dialog asking "Do you want to run this application". I've tested this locally and I don't receive any warnings using http, could you try this out (after removing your security exceptions) and let me know whether it's working for you?

Thanks

Simon

Re: Struggling with Webstart and Java issues.

PostPosted: Mon Apr 07, 2014 9:13 pm
by ehrenfeu
Hi Simon,

I'll test it as soon as we're on OMERO 5 (and report).

Thanks
Niko