  1. Jenkins
  2. JENKINS-20204

Latest release of Java 7 blocks the connection to slaves due to no permissions attribute in the JAR file

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Blocker
    • Resolution: Fixed
    • Component/s: core
    • Environment:
      All platforms where you can use at least Java web start to get a slave node connected, and Java 7 update 45 installed.

      Description

      Since I have installed Java 7 update 45 on our test slaves I get the following security warning:

      Running applications by UNKNOWN publishers will be blocked in a future release because it is potentially unsafe and a security risk.

      This application will be blocked in a future Java security update because the JAR file manifest does not contain the Permissions attribute. Please contact the Publisher for more information.

      It looks like the .jar file(s) do not contain a Permissions attribute, which would let slaves connect to the master in the future. In our case we connect slaves via Java web start.

      As of now it is not a hard-blocker and you can click through and accept. But I think that this should be fixed soon.

            Activity

            derek_brown Derek Brown added a comment - - edited

            This problem manifests on Java 7 update 40 also. The application we are testing requires Java 7 update 40 or above. So we can't run our application and Jenkins on the same server. We are currently running Jenkins 1.509.1.

            erichuang Eric Huang added a comment -

            Can we work around this problem somehow? Tried disabling verification for mixed code security as well as turning down the security level to medium but this issue still happens.

            We have a lot of machines so it would be quite annoying if we have to log on the machines to allow the app to run whenever we reboot the machines.

            tn2013 Theresa N added a comment -

            We have the same problem when starting the slave via java web start on Windows 7 with Java 7 Update 45, Jenkins 1.539.
            According to https://groups.google.com/d/msg/jenkinsci-users/dLr_1LRucGA/7W-nAnfenNAJ this can only be fixed by the one providing the jar and jnlp files.

            pfennig59 Kerstin Thaler added a comment -

            Before today's installation of Java RE 7 Update 51 we just clicked through and accepted, as well.
            But now you don't come this far anymore.
            Instead a message pops up saying (freely translated from German):
            "Name: hudson.remoting.Launcher
            Your security settings blocked the execution of a self-signed application"

            It is possible to add the jenkins host to a sitelist that will display the above security warning,
            but I think it's time to resolve this issue ASAP.

            illenseer illenseer added a comment -

            I think it's time to resolve this issue ASAP

            Me too. - This will/is cause/-ing serious trouble in automated environment.

            lucky_young Young Lucky added a comment -

            This is really a blocking issue to our automation system. Please fix it ASAP. Thanks!

            markewaite Mark Waite added a comment -

            Isn't the simplest approach to switch from using JNLP to using a direct execution of "java -jar slave.jar" from the slave computer?

            That avoids the limitation and avoids executing as a "Rich Internet Application".

            Refer to https://blogs.oracle.com/java-platform-group/entry/new_security_requirements_for_rias for more information on the change

            illenseer illenseer added a comment -

            Any news on this topic?
            It would be great to have the functionality of Windows DCOMP slaves back again! - Thanks.

            whimboo Henrik Skupin added a comment -

            I talked with Kohsuke during the FOSDEM about 2 weeks ago, and he mentioned to me that he will have a look at it. So hopefully we will have a fix soon for that problem.

            blotto888 Nick Newell added a comment -

            Mark W's suggestion is the best work-around for now.

            cowwoc cowwoc added a comment -

            Mark,

            This is not an option on OSX, where scripts must run as a normal user (not over SSH) otherwise you lose the ability to run the iOS simulator. JNLP support is a must.

            markewaite Mark Waite added a comment -

            As far as I can tell, Oracle decided that unsigned rich internet applications (RIA) should not be allowed. They displayed warnings to users in JDK 1.7.0_45, alerting that a future JRE would change the warning to an error.

            They changed the warning to an error in JDK 1.7.0_51.

            I'm not an expert on RIA security, but I'm sure Kohsuke and other Jenkins maintainers would be more than happy to receive pull requests to fix the issue.

            cowwoc cowwoc added a comment -

            No pull request will fix this. Jenkins needs an SSL certificate. Then you simply sign the JAR file with it and (I think) you're done.

            I believe that the only person who can do this is Kohsuke, since he owns the project.

            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Kohsuke Kawaguchi
            Path:
            pom.xml
            http://jenkins-ci.org/commit/remoting/07570271165133ef0b3a5b41134e4bcc59a6b410
            Log:
            [FIXED JENKINS-20204] Keep up with the new security requirements with Java7u51.

            Reference: http://docs.oracle.com/javase/8/docs/technotes/guides/jweb/security/manifest.html
            Reference: http://docs.oracle.com/javase/8/docs/technotes/guides/jweb/security/mixed_code.html

            kohsuke Kohsuke Kawaguchi added a comment -

            There were two issues here. One is the lack of the Permission attribute in the manifest, and the other is an apparent change in the root CA certificate list in Java7, breaking the certificate chain to CA.

            Both are fixed in remoting 2.35.

            whimboo Henrik Skupin added a comment -

            Wonderful news Kohsuke! Will this be backported to the latest 1.532.x LTS version?

            chrix Christophe Cornu added a comment -

            And in the future 1.557? I'm hitting this with the latest 1.556

            chrix Christophe Cornu added a comment -

            A workaround is to use
            java -jar slave.jar -jnlpUrl http://yourserver:port/computer/slave-name/slave-agent.jnlp

            as indicated in https://wiki.jenkins-ci.org/display/JENKINS/Distributed+builds Launch slave agent headlessly

            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Kohsuke Kawaguchi
            Path:
            changelog.html
            pom.xml
            http://jenkins-ci.org/commit/jenkins/11458c956e64673d99a9dc2c05cfd5f9533b4e1b
            Log:
            [JENKINS-20769 JENKINS-20204] integrated remoting 2.35 in the core.

            dogfood dogfood added a comment -

            Integrated in jenkins_main_trunk #3267
            [JENKINS-20769 JENKINS-20204] integrated remoting 2.35 in the core. (Revision 11458c956e64673d99a9dc2c05cfd5f9533b4e1b)

            Result = SUCCESS
            kohsuke : 11458c956e64673d99a9dc2c05cfd5f9533b4e1b
            Files :

            • pom.xml
            • changelog.html
            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Kohsuke Kawaguchi
            Path:
            pom.xml
            http://jenkins-ci.org/commit/jenkins/a89aa713b2ba5c325cd296d5733a565aa5cc63ec
            Log:
            [JENKINS-20769 JENKINS-20204] Integrating remoting 2.36

            Fixed a bug Jesse found in remoting

            (cherry picked from commit 75447b57b655e38fdb48f1e854a4b287071342cf)

            Conflicts:
            pom.xml

            oleg_nenashev Oleg Nenashev added a comment -

            @Kohsuke
            I still see the issue on remoting-2.36...

            java version "1.7.0_51"
            Java(TM) SE Runtime Environment (build 1.7.0_51-b13)
            Java HotSpot(TM) 64-Bit Server VM (build 24.51-b03, mixed mode)

            Manifest of the slave.jar

            Manifest-Version: 1.0
            Trusted-Library: true
            Application-Name: Jenkins Remoting Agent
            Build-Jdk: 1.7.0_07
            Built-By: kohsuke
            Permissions: all-permissions
            Created-By: Apache Maven
            Main-Class: hudson.remoting.Launcher
            Version: 2.36
            Codebase: *
            Archiver-Version: Plexus Archiver

            Name: org/kohsuke/args4j/MapSetter.class
            SHA-256-Digest: tyuIM4M9anur1hStvbgsYrs+g4WqVjGY0zgPEr1z4jw=

            Name: org/jenkinsci/constant_pool_scanner/ConstantPool$1$1.class
            SHA-256-Digest: UKGAapa919i1hiZJuSy1xx7dVEgonnjgqNxghQjWDMo=

            Name: hudson/remoting/DelegatingCallable.class
            SHA-256-Digest: 3eiABqJQGmXrLl5omnmV7YOVh/r7DAh21TQa9zqYntE=

            ...
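
A check for the manifest attributes and signature files this issue turns on, added here as a Python example (not code from Jenkins or from anyone in this thread). The sample JARs and manifests are constructed, and `parse_main_section`, `audit_jar` and `build_sample_jar` are names made up for the example.

```python
import io
import zipfile

VALID_PERMISSIONS = {"sandbox", "all-permissions"}

def parse_main_section(manifest_text):
    """Return the main-section attributes of a MANIFEST.MF, names lowercased."""
    attrs, last = {}, None
    for line in manifest_text.splitlines():
        if line.startswith(" ") and last:
            attrs[last] += line[1:]          # continuation of a wrapped line
        elif not line.strip():
            if attrs:
                break                        # blank line ends the main section
        else:
            name, sep, value = line.partition(":")
            if sep:
                last = name.strip().lower()
                attrs[last] = value.strip()
    return attrs

def audit_jar(jar_bytes):
    """List findings for the manifest attributes and signature files in a JAR."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = jar.namelist()
        text = (jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
                if "META-INF/MANIFEST.MF" in names else "")
    attrs = parse_main_section(text)
    findings = []
    if "permissions" not in attrs:
        findings.append("no Permissions attribute")
    elif attrs["permissions"] not in VALID_PERMISSIONS:
        findings.append("unexpected Permissions value: " + attrs["permissions"])
    if attrs.get("codebase", "*") == "*":
        findings.append("note: Codebase absent or '*', JAR not tied to one host")
    # Presence of signature files only; signature and CA chain are not verified.
    exts = {n.upper().rsplit(".", 1)[-1] for n in names
            if n.upper().startswith("META-INF/")}
    if "SF" not in exts or not exts & {"RSA", "DSA", "EC"}:
        findings.append("no signature files in META-INF")
    return findings

def build_sample_jar(manifest_text, signed):
    """Constructed test input: an in-memory JAR, optionally with dummy signature files."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", manifest_text)
        for ext in (("SF", "RSA") if signed else ()):
            jar.writestr("META-INF/SAMPLE." + ext, "placeholder")
    return buf.getvalue()

# Constructed manifests: one without Permissions, one shaped like the 2.36 listing.
OLD_MANIFEST = "Manifest-Version: 1.0\r\nMain-Class: hudson.remoting.Launcher\r\n\r\n"
NEW_MANIFEST = ("Manifest-Version: 1.0\r\nPermissions: all-permissions\r\n"
                "Codebase: *\r\n\r\nName: hudson/remoting/DelegatingCallable.class\r\n")
```

To audit a real file, pass its bytes to `audit_jar`; verifying the signature and certificate chain itself is a job for `jarsigner -verify`.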

            oleg_nenashev Oleg Nenashev added a comment -

            Hmm...
            My apologies, the previous error has been caused by improper Jenkins URL in global configs => JNLP used jar from another server


              People

              • Assignee:
                kohsuke Kohsuke Kawaguchi
                Reporter:
                whimboo Henrik Skupin
              • Votes:
                19
                Watchers:
                34
