JIRA Screenshot Applet not working with Java 7u51?

I've updeted Java to the newest Version 7u51.

I would attach a Screenshot (JIRA 5.1.8) but get a SecutrityException: Missing rewuired Permissions manifest attribute in main jar: ... screenshot.jar.

Has anybody the same problem? Or a solution?

11 answers

1 accepted

10 votes
Andy Nguyen Atlassian Team Jan 15, 2014

Hi all,

From the New security requirements for RIAs in 7u51 (January 2014), you may notice that:

  • You are required to sign all RIAs (Applets and Web Start applications).
  • You are required to set the "Permissions" attribute within the Manifest.
  • Your application will be affected if it uses Java started through a web browser. Your application will not be affected if it runs anywhere outside of a web browser.

So basically this is what you need to do on your side in order to increase the security level required by the new version of Java. It's not a bug within JIRA, no matter which versions. This issue has only come out of Java 7u51, as stated in the software's release notes:

http://www.oracle.com/technetwork/java/javase/7u51-relnotes-2085002.html

Usually, in order to reduce the complexity of the issue, we advise the customers to use Java 7u45. There's a workaround, though, if you would still like to use Java 7u51: by opening Java Control Panel -> Security tab and then applying either of the followings:

  • lower the Security Level bar Or
  • add your JIRA's base URL to Exception Site List (like Kaia said)

Other than that, you may consider applying the security requirements, and this is a good point to start with: JAR File Manifest Attributes for Security. Kindly contact Oracle for more details then.

Cheers,
Andy

David Currie Atlassian Team Jan 16, 2014

There is now a proper workaround to this, to fix it please install the new screenshot.jar on https://jira.atlassian.com/browse/JRA-35476, full instructions are in that bug report.

I've found a solution that works for me. Open «Configure Java» and choose Security. Choose «Edit Site List..» and add the jira address e.g «https://jira.finn.no».

If it's not clear where to find "Configure Java", on Windows, hit Windows button and then just type "Configure Java" -- it will pop up.

We're having the same thing with v6.0.3.

Same here, right after updating to Java 1.7.0_51. Apparently security has been improved: http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/no_redeploy.html

Is something being done about this?

0 vote
Andy Nguyen Atlassian Team Jan 15, 2014

Hi all,

Java 7u51 does not fully support Java Applet that JIRA uses for attaching screenshots. My suggestion is to uninstall it and use Java 7u45 instead, which is a stable version that fully supports Applet. You may download the installation file here. Remember not to update Java if prompted to do so by your browser or even JIRA.

Cheers,

Andy

Remember not to update Java if prompted to do so by your browser or even JIRA.

This advice is absolutely terrible, bordering on negligent.

I understand that Atlassian has customers who need a quick fix, but the fact is that Java is so riddled with security holes that users are best advised to upgrade to new versions immediately when they are released. This Java release fixes 36 vulnerabilities, of which 34 are remotely exploitable.

The security problems with Java Applets are so bad that it no longer matters if updates break user applications. It is now incumbent on the organizations writing Java applets to: keep them up to date; expect their apps to break with every Java update; or abandon using Java applets entirely as soon as possible.

To sum up: If users downgrade to 7u45 while they are in the process of rolling out GPOs to add sites to the exception list, that is a bad option but possibly the only one. But telling people never to upgrade is breathtakingly irresponsible, given the current state of Java security.

P.S. I'm talking about Java Applets, not the Java language

Yew Teck En Atlassian Team Jan 17, 2014

Please kindly follow the workaround in the description of this bug ticket as suggested by Dave to replace the screenshot.jar: https://jira.atlassian.com/browse/JRA-35476

Hi Andy,

I realise that going back a version is an option but this isn't a permanent solution. On the java release notes page it states that we will be forced to upgrade on the 14th Feb. http://java.com/en/download/faq/release_changes.xmlWhen will atlassian release a fix for this?

This blog post back in September details the changes: https://blogs.oracle.com/java-platform-group/entry/new_security_requirements_for_rias

Thanks

Clarkie

Yew Teck En Atlassian Team Jan 17, 2014

Hi Clarkie, please kindly follow the workaround in the description of this bug ticket as suggested by Dave : https://jira.atlassian.com/browse/JRA-35476

Can I clarify something... was this a problem caused by Java being updated on the JIRA server - or was it updated on the PC that is accessing JIRA? I want to be absolutely certain that I understand the problem.

It's on the PC.

Oracle explains how to add sites to an exception list here:
https://blogs.oracle.com/java-platform-group/entry/upcoming_exception_site_list_in

If you can push that file out via GPO, you should be set.

0 vote
Ben Sayers Atlassian Team Jan 16, 2014

Hi all,

This issue is being tracked as JRA-35476. The fix will be released in Jira 6.1.7 and we have made the updated applet avaliable for customers who need a solution in the interum. Instrunctions on how to download and install this updated applet can be found in the description of JRA-35476.

For OnDemand customers the fix will be released in the next OnDemand update.

Cheers,
Ben

I can confirm it is happening just after installation of new JRE 7u51.

Suggest an answer

Log in or Sign up to answer
How to earn badges on the Atlassian Community

How to earn badges on the Atlassian Community

Badges are a great way to show off community activity, whether you’re a newbie or a Champion.

Learn more
Community showcase
Posted Wednesday in Jira

Join our webinar: How 1B+ feature flag events helped us build the new Jira

Every time you release software, there's a bit of risk – that there's a bug, that something breaks, or that the feature doesn't resonate with customers. Feature flagging helps make high stakes s...

117 views 0 3
Join discussion

Atlassian User Groups

Connect with like-minded Atlassian users at free events near you!

Find a group

Connect with like-minded Atlassian users at free events near you!

Find my local user group

Unfortunately there are no AUG chapters near you at the moment.

Start an AUG

You're one step closer to meeting fellow Atlassian users at your local meet up. Learn more about AUGs

Groups near you