
Latest release of Java 7 blocks the connection to slaves due to no permissions attribute in the JAR file

    • Type: Bug
    • Resolution: Fixed
    • Priority: Blocker
    • Component/s: core
    • Environment: All platforms where you can use at least Java web start to get a slave node connected, and Java 7 update 45 installed.

      Since I have installed Java 7 update 45 on our test slaves I get the following security warning:

      Running applications by UNKNOWN publishers will be blocked in a future release because it is potentially unsafe and a security risk.

      This application will be blocked in a future Java security update because the JAR file manifest does not contain the Permissions attribute. Please contact the Publisher for more information.

      It looks like the .jar file(s) do not contain a permissions attribute, which would let slaves connect to the master in the future. In our case we connect slaves via Java web start.

      As of now it is not a hard-blocker and you can click through and accept. But I think that this should be fixed soon.

          [JENKINS-20204] Latest release of Java 7 blocks the connection to slaves due to no permissions attribute in the JAR file

          Derek Brown added a comment - edited

          This problem manifests on Java 7 update 40 also. The application we are testing requires Java 7 update 40 or above. So we can't run our application and Jenkins on the same server. We are currently running Jenkins 1.509.1.


          Eric Huang added a comment -

          Can we work around this problem somehow? Tried disabling verification for mixed code security as well as turning down the security level to medium but this issue still happens.

          We have a lot of machines so it would be quite annoying if we have to log on the machines to allow the app to run whenever we reboot the machines.


          Theresa N added a comment -

          We have the same problem when starting the slave via java web start on Windows 7 with Java 7 Update 45, Jenkins 1.539.
          According to https://groups.google.com/d/msg/jenkinsci-users/dLr_1LRucGA/7W-nAnfenNAJ this can only be fixed by the one providing the jar and jnlp files.


          Kerstin Thaler added a comment -

          Before today's installation of Java RE 7 Update 51 we just clicked through and accepted, as well.
          But now you don't come this far anymore.
          Instead a message pops up saying (freely translated from German):
          "Name: hudson.remoting.Launcher
          Your security settings blocked the execution of a self-signed application"

          It is possible to add the jenkins host to a sitelist that will display the above security warning,
          but I think it's time to resolve this issue ASAP.

          illenseer added a comment -

          I think it's time to resolve this issue ASAP

          Me too. - This will/is cause/-ing serious trouble in automated environment.

          Young Lucky added a comment -

          This is really a blocking issue to our automation system. Please fix it ASAP. Thanks!


          Mark Waite added a comment -

          Isn't the simplest approach to switch from using JNLP to using a direct execution of "java -jar slave.jar" from the slave computer?

          That avoids the limitation and avoids executing as a "Rich Internet Application".

          Refer to https://blogs.oracle.com/java-platform-group/entry/new_security_requirements_for_rias for more information on the change


          illenseer added a comment -

          Any news on this topic?
          It would be great to have the functionality of Windows DCOM slaves back again! - Thanks.

          Henrik Skupin added a comment -

          I talked with Kohsuke during the FOSDEM about 2 weeks ago, and he mentioned to me that he will have a look at it. So hopefully we will have a fix soon for that problem.


          Nick Newell added a comment -

          Mark W's suggestion is the best work-around for now.


          cowwoc added a comment -

          Mark,

          This is not an option on OSX, where scripts must run as a normal user (not over SSH) otherwise you lose the ability to run the iOS simulator. JNLP support is a must.


          Mark Waite added a comment -

          As far as I can tell, Oracle decided that unsigned rich internet applications (RIA) should not be allowed. They displayed warnings to users in JDK 1.7.0_45, alerting that a future JRE would change the warning to an error.

          They changed the warning to an error in JDK 1.7.0_51.

          I'm not an expert on RIA security, but I'm sure Kohsuke and other Jenkins maintainers would be more than happy to receive pull requests to fix the issue.


          cowwoc added a comment -

          No pull request will fix this. Jenkins needs an SSL certificate. Then you simply sign the JAR file with it and (I think) you're done.

          I believe that the only person who can do this is Kohsuke, since he owns the project.

          SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Kohsuke Kawaguchi
          Path:
          pom.xml
          http://jenkins-ci.org/commit/remoting/07570271165133ef0b3a5b41134e4bcc59a6b410
          Log:
          [FIXED JENKINS-20204] Keep up with the new security requirements with Java7u51.

          Reference: http://docs.oracle.com/javase/8/docs/technotes/guides/jweb/security/manifest.html
          Reference: http://docs.oracle.com/javase/8/docs/technotes/guides/jweb/security/mixed_code.html

          Kohsuke Kawaguchi added a comment -

          There were two issues here. One is the lack of the Permissions attribute in the manifest, and the other is an apparent change in the root CA certificate list in Java7, breaking the certificate chain to CA.

          Both are fixed in remoting 2.35.

          Henrik Skupin added a comment -

          Wonderful news Kohsuke! Will this be backported to the latest 1.532.x LTS version?


          Christophe Cornu added a comment -

          And in the future 1.557? I'm hitting this with the latest 1.556

          Christophe Cornu added a comment -

          A workaround is to use

              java -jar slave.jar -jnlpUrl http://yourserver:port/computer/slave-name/slave-agent.jnlp

          as indicated in https://wiki.jenkins-ci.org/display/JENKINS/Distributed+builds ("Launch slave agent headlessly")

          SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Kohsuke Kawaguchi
          Path:
          changelog.html
          pom.xml
          http://jenkins-ci.org/commit/jenkins/11458c956e64673d99a9dc2c05cfd5f9533b4e1b
          Log:
          [JENKINS-20769 JENKINS-20204] integrated remoting 2.35 in the core.

          dogfood added a comment -

          Integrated in jenkins_main_trunk #3267
          [JENKINS-20769 JENKINS-20204] integrated remoting 2.35 in the core. (Revision 11458c956e64673d99a9dc2c05cfd5f9533b4e1b)

          Result = SUCCESS
          kohsuke : 11458c956e64673d99a9dc2c05cfd5f9533b4e1b
          Files :

          • pom.xml
          • changelog.html


          SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Kohsuke Kawaguchi
          Path:
          pom.xml
          http://jenkins-ci.org/commit/jenkins/a89aa713b2ba5c325cd296d5733a565aa5cc63ec
          Log:
          [JENKINS-20769 JENKINS-20204] Integrating remoting 2.36

          Fixed a bug Jesse found in remoting

          (cherry picked from commit 75447b57b655e38fdb48f1e854a4b287071342cf)

          Conflicts:
          pom.xml

          Oleg Nenashev added a comment -

          @Kohsuke
          I still see the issue on remoting-2.36...

          java version "1.7.0_51"
          Java(TM) SE Runtime Environment (build 1.7.0_51-b13)
          Java HotSpot(TM) 64-Bit Server VM (build 24.51-b03, mixed mode)

          Manifest of the slave.jar

          Manifest-Version: 1.0
          Trusted-Library: true
          Application-Name: Jenkins Remoting Agent
          Build-Jdk: 1.7.0_07
          Built-By: kohsuke
          Permissions: all-permissions
          Created-By: Apache Maven
          Main-Class: hudson.remoting.Launcher
          Version: 2.36
          Codebase: *
          Archiver-Version: Plexus Archiver

          Name: org/kohsuke/args4j/MapSetter.class
          SHA-256-Digest: tyuIM4M9anur1hStvbgsYrs+g4WqVjGY0zgPEr1z4jw=

          Name: org/jenkinsci/constant_pool_scanner/ConstantPool$1$1.class
          SHA-256-Digest: UKGAapa919i1hiZJuSy1xx7dVEgonnjgqNxghQjWDMo=

          Name: hudson/remoting/DelegatingCallable.class
          SHA-256-Digest: 3eiABqJQGmXrLl5omnmV7YOVh/r7DAh21TQa9zqYntE=

          ...


          Oleg Nenashev added a comment -

          Hmm...
          My apologies, the previous error has been caused by an improper Jenkins URL in global configs => JNLP used jar from another server
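Added example (not part of the original thread and not Jenkins project code): a Python check for the two things this thread turns on, the main-section manifest attributes shown in the slave.jar manifest quoted above and whether the JAR carries signature files. The sample JARs and the names `audit_jar`, `build_jar`, `OLD` and `NEW` are constructed for illustration.

```python
import io
import zipfile

REQUIRED = ("Permissions", "Codebase", "Application-Name")  # from the manifest quoted in the thread

def main_attributes(text):
    """Parse the main section of a MANIFEST.MF; it ends at the first blank line."""
    attrs, last = {}, None
    for line in text.splitlines():
        if not line:
            break
        if line.startswith(" ") and last:   # continuation of a wrapped value
            attrs[last] += line[1:]
        elif ":" in line:
            name, _, value = line.partition(":")
            last = name.lower()             # attribute names are case-insensitive
            attrs[last] = value.lstrip()
    return attrs

def audit_jar(jar_bytes):
    """Return (missing attributes, has signature files, parsed attributes)."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        meta = [n.upper() for n in jar.namelist() if n.upper().startswith("META-INF/")]
        attrs = main_attributes(jar.read("META-INF/MANIFEST.MF").decode("utf-8"))
    # Presence check only; validating signature and chain needs `jarsigner -verify`.
    signed = any(n.endswith(".SF") for n in meta) and any(
        n.endswith((".RSA", ".DSA", ".EC")) for n in meta)
    return [a for a in REQUIRED if a.lower() not in attrs], signed, attrs

def build_jar(manifest, signed=False):
    """Build a constructed sample JAR in memory (not a real slave.jar)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", manifest)
        if signed:  # placeholder entries, not real signatures
            jar.writestr("META-INF/SAMPLE.SF", "Signature-Version: 1.0\r\n")
            jar.writestr("META-INF/SAMPLE.RSA", b"\x30\x00")
    return buf.getvalue()

# Constructed manifests: OLD lacks the attributes, NEW mirrors the quoted 2.36 manifest.
OLD = "Manifest-Version: 1.0\r\nMain-Class: hudson.remoting.Launcher\r\n\r\n"
NEW = ("Manifest-Version: 1.0\r\nApplication-Name: Jenkins Remoting Agent\r\n"
       "Permissions: all-permissions\r\nCodebase: *\r\n"
       "Main-Class: hudson.remoting.Launcher\r\n\r\n"
       "Name: hudson/remoting/Launcher.class\r\nSHA-256-Digest: AAAA\r\n")

if __name__ == "__main__":
    for label, manifest, sig in (("OLD", OLD, False), ("NEW", NEW, True)):
        print(label, audit_jar(build_jar(manifest, sig))[:2])
```

Point `audit_jar` at the bytes of the slave.jar actually served by the master named in the JNLP file, since a JAR from another server can still lack the attributes.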

            kohsuke Kohsuke Kawaguchi
            whimboo Henrik Skupin
            Votes: 19
            Watchers: 34
