Browser drops security warning by loading Marvin applets.

ChemAxon 7c2d26e5cf

09-04-2010 16:29:02

Several users have reported this issue:


By loading Marvin applets, Java plugin throws the following warning:


 


Java has discovered application components that could indicate a security concern.


Name: JMSketchLaunch


Block potentially unsafe components from being run? (recomment)


This problem occurs only with Java Plugin 1.6.0_19.

ChemAxon 7c2d26e5cf

09-04-2010 16:43:05

It is a default behaviour of Java Plugin 1.6.0_19. It does not let to download unsecury content. See Java documentation about it:



Error : Java has discovered application components that could indicate a security concern.


This problem occurs if a resource file out of the jar is loaded by classloader: Class.getResourseAsStream(String).


Java blocks loading of the file until you submit the popup warning dialog. If you say "Yes", Java rejectst downloading of the file. If you say "No", Java accepts and download the file.


So when this warning dialog appears in Marvin applets, always choose No.


In Java Control Panel, you can modify the default setting of this verification.


Java Control Panel / Security / Mixed code (sandbox vs. trusted) security verification. Choose the


Enable - hide warning and run with protection


to accept these kind of files in all cases without displaying warning dialog.


We are working on to eliminate Class.getResourceAsStream in Marvin code to solve this problem.

ChemAxon 7c2d26e5cf

02-06-2010 22:06:45

We have already solved this issue in the latest release (5.3.3). Warning are eliminated.

User 08353716d8

26-01-2011 16:59:26

We are suddenly having thus problem in Win XP/7 after upgrading to MarvinSketch 5.4.0. I do not get the warning when viewing the demo here on the ChemAxon site. Any hints on what files need to be moved/changed to eliminate this popup? We're getting a lot of complaints from students/instructors about it ...

ChemAxon 7c2d26e5cf

27-01-2011 11:54:19

Are you sure that you use 5.4.0? Probably an old version of Marvin has stuck in the Java cache and Java loads this old version instead of the new one.


Please clear Java cache, restart browser and try loading applet again. See linking forum topic: How I can clear JRE cache


If the applet appears, you can check the version number of the running instance by opening the About MarvinSketch dialog from the Help menu.

User 08353716d8

27-01-2011 18:32:36

Tamas,


thanks for the reply. Yes, we are sure we are on 5.4.0. Clearing the Java and browser caches does not fix the problem. We're having other problems as well and wondering if they're not all inter-related.


Do you remember a little while back when we upgraded to 5.4 and had a problem with isotopes.data? Our temporary workaround was to hack Apache to serve up isotopes.data as an octet-stream. I think we're seeing the ramifications of that now - with some of the other problems, the Java console indicates an error - isotopes was not in an expected gzipped format. I'm wondering if isotopes.data is also the 'unsigned component' Java is yelling about.


Do you have any idea when a proper fix for that issue will be released? Last we had heard, you guys were looking into it.


 


thanks


Danny Holyfield

ChemAxon 7c2d26e5cf

28-01-2011 16:08:55

The isotopes.data issue has been discussed in this topic:


applet.getMol in MarvinSketch 5.4


We have already registered this issue in our bug tracking system. This task has been scheduled after next major release.

User 08353716d8

28-01-2011 16:16:16

Thanks for the update. We are in the process today of reverting to Marvin 5.3.8 on our production servers, please let us know when a version that is stable on Apache (with respect to isotopes.data) is released. I know you won't have an exact ETA, but can you give us a window in which that will probably be released?

ChemAxon 7c2d26e5cf

31-01-2011 15:37:46

Of course, we are going to notify you when this issue has been solved.


We can also provide a pre-release in test phase if you require it.

ChemAxon 7c2d26e5cf

04-08-2011 08:25:49

As I see, the problem has already been solved: applet.getMol in MarvinSketch

User 927d050641

13-09-2011 11:49:09

Thanks

User 8c948fd5ba

14-05-2013 14:50:02

So I'm getting this warning again as of 5.12.1 (see the screenshot (the application is listed as 'medit' as thats the id of the applet element).


Looking at previous threads it seems like this was solved via the codebase_lookup param.  However, even with this param present the warning still occurs.  I'm not seeing any difference in the content that is loaded based on the java logs - What information do I need to provide so you guys can attempt to diagnose this problem, or is this something that is known alreadY?

ChemAxon 2c555f5717

14-05-2013 15:35:59

Dear Chess!


   Haven't you updadet to Java 1.7.0_u21 recently? Did the warning appear after the update?


Regards:
Balázs

User 8c948fd5ba

14-05-2013 17:20:27

I'm running the latest java, which if I'm not mistaken is 1.7r21. The warning has always been present with 5.12.1 for me - granted I've only been working with it for the past ~4 weeks so I have no idea if a new java update is responsible or not.


I know that the end user can tweak their browser settings to avoid this warning, but I'd like to avoid that scenario if at all possible, as there shouldn't be a securty warning coming from any of this content.

ChemAxon 2c555f5717

15-05-2013 07:39:48

Dear Chess!


   The 21th update of Java 1.7 requires one more security flag to be set in your applet. We can do this by rebuilding the applet, and send the patched jars to you. I am going to contact the build team about this issue, and will send you the correct jars soon.


Regards:
Balázs 

ChemAxon 2c555f5717

15-05-2013 07:50:43

Our latest build (which is currently Marvin 5.12.4) contains this patch. Is it acceptable for you or do you need us to resign 5.12.1. It is possible to do, but 5.12.1 and 5.12.4 only different in bugfixes, it might be a better chosie to use.

User 8c948fd5ba

15-05-2013 14:12:31

It'd be much easier for us to stick with 5.12.1 as we're already relatively far along into verification/testing.  If we could get the 5.12.1 jars re-signed that would be fantastic.  


If you're looking to just email me the jars once they're resigned you can reach me at chess _at_ webassign.net

ChemAxon 2c555f5717

15-05-2013 20:28:13

Of courese we will resign them. I contact you as soon as the job is done.

User 8c948fd5ba

16-05-2013 13:29:11

Awesome, thanks so much!

02-10-2013 12:29:55

Hey Tamas, Thanks for the isotopes.data issue tip ;)