[gentoo-user] The latest java plugin is a giant PITA

[gentoo-user] The latest java plugin is a giant PITA

[walt]

I admit that Oracle finally did something right by requiring a white-list
of all java websites you want to use, but it's taken me all morning to
understand how to do it.

AFAICT, the only way to white-list a website is to use the Java Control
Panel (jcontrol) and type the full URL including the http:// or preferably
the https:// if you don't want a nag screen.

For example, here's a site I visit every morning:

http://www.goes.noaa.gov/goes-w.html   which lets me watch a java-powered
image loop of the weather over the Pacific Ocean.

Now I click on the button to animate the image, and I get a pop-up saying
that this untrusted website wants to do something awful and refuses to let
it run java, period.  No explanation of how I can 'trust' the website.

How many people are going to figure out they need to run the Java Control
Panel and manually add this site to the list of trusted sites?

And, now that I've added "http://www.goes.noaa.gov" manually, I try the
site again.

Nope.  The jar file I need is on a "different domain" (www.sdd.noaa.gov)
so now I need to add that URL to the white list <sigh> including http://

Now, I agree that they did it right from a security point of view, but
jeez, they could have done the user interface a bit better.

Or maybe they did it better and I haven't found it yet?

Re: [gentoo-user] The latest java plugin is a giant PITA

[J. Roeleveld]

On Sat, February 1, 2014 16:59, walt wrote:
> I admit that Oracle finally did something right by requiring a white-list
> of all java websites you want to use, but it's taken me all morning to
> understand how to do it.
>
> AFAICT, the only way to white-list a website is to use the Java Control
> Panel (jcontrol) and type the full URL including the http:// or preferably
> the https:// if you don't want a nag screen.
>
> For example, here's a site I visit every morning:
>
> http://www.goes.noaa.gov/goes-w.html   which lets me watch a java-powered
> image loop of the weather over the Pacific Ocean.
>
> Now I click on the button to animate the image, and I get a pop-up saying
> that this untrusted website wants to do something awful and refuses to let
> it run java, period.  No explanation of how I can 'trust' the website.
>
> How many people are going to figure out they need to run the Java Control
> Panel and manually add this site to the list of trusted sites?
>
> And, now that I've added "http://www.goes.noaa.gov" manually, I try the
> site again.
>
> Nope.  The jar file I need is on a "different domain" (www.sdd.noaa.gov)
> so now I need to add that URL to the white list <sigh> including http://
>
> Now, I agree that they did it right from a security point of view, but
> jeez, they could have done the user interface a bit better.
>
> Or maybe they did it better and I haven't found it yet?

If there is a better way, please let me know.

The IPMI of my servers use a Java application to allow me to see the console.
The errors I got have included:
- You are using an old version, please upgrade
- This site is untrusted / certificate is wrong
- This java application is blocked

The last one led me to a page actually showing me how to "fix" this.

An easier way then to use the silly jconsole might be found in the
following location:

~/.java/deployment/security/

HTH,

Joost

PS. If anyone knows how to get an SSL-certificate that is accepted by
this, please let me know.

[gentoo-user] Re: The latest java plugin is a giant PITA

[walt]

On 02/01/2014 10:30 AM, J. Roeleveld wrote:
> On Sat, February 1, 2014 16:59, walt wrote:
>> I admit that Oracle finally did something right by requiring a white-list
>> of all java websites you want to use, but it's taken me all morning to
>> understand how to do it.
>>
>> AFAICT, the only way to white-list a website is to use the Java Control
>> Panel (jcontrol) and type the full URL including the http:// or preferably
>> the https:// if you don't want a nag screen.
>>
>> For example, here's a site I visit every morning:
>>
>> http://www.goes.noaa.gov/goes-w.html   which lets me watch a java-powered
>> image loop of the weather over the Pacific Ocean.
>>
>> Now I click on the button to animate the image, and I get a pop-up saying
>> that this untrusted website wants to do something awful and refuses to let
>> it run java, period.  No explanation of how I can 'trust' the website.
>>
>> How many people are going to figure out they need to run the Java Control
>> Panel and manually add this site to the list of trusted sites?
>>
>> And, now that I've added "http://www.goes.noaa.gov" manually, I try the
>> site again.
>>
>> Nope.  The jar file I need is on a "different domain" (www.sdd.noaa.gov)
>> so now I need to add that URL to the white list <sigh> including http://
>>
>> Now, I agree that they did it right from a security point of view, but
>> jeez, they could have done the user interface a bit better.
>>
>> Or maybe they did it better and I haven't found it yet?
> 
> If there is a better way, please let me know.
> 
> The IPMI of my servers use a Java application to allow me to see the console.
> The errors I got have included:
> - You are using an old version, please upgrade
> - This site is untrusted / certificate is wrong
> - This java application is blocked
> 
> The last one led me to a page actually showing me how to "fix" this.
> 
> An easier way then to use the silly jconsole might be found in the
> following location:
> 
> ~/.java/deployment/security/

WTF?  No XML? ;)

> 
> HTH,

Very much, thanks.
  
> PS. If anyone knows how to get an SSL-certificate that is accepted by
> this, please let me know.

I don't think I understand the question.  jconsole has a button marked
"Manage Certificates", that's not what you want?

Re: [gentoo-user] The latest java plugin is a giant PITA

[Stroller]

On Sat, 1 February 2014, at 6:30 pm, J. Roeleveld <joost@antarean.org> wrote:
> ...
> If there is a better way, please let me know.
> 
> The IPMI of my servers use a Java application to allow me to see the console.

Not Dell DRACs, by any chance?

I thought of them when I saw Walt's original posting earlier.

I have a Black Box KVM-IP here which offers remote viewing by proper pure VNC - I think its onboard server is based on Tight VNC. It offers a reassuring certitude that it will never be made obsolete by some future Java update.

Stroller.

Re: [gentoo-user] The latest java plugin is a giant PITA

[J. Roeleveld]

[-- Attachment #1: Type: text/plain, Size: 1129 bytes --]

On 2 February 2014 01:21:52 CET, Stroller <stroller@stellar.eclipse.co.uk> wrote:
>
>On Sat, 1 February 2014, at 6:30 pm, J. Roeleveld <joost@antarean.org>
>wrote:
>> ...
>> If there is a better way, please let me know.
>> 
>> The IPMI of my servers use a Java application to allow me to see the
>console.
>
>Not Dell DRACs, by any chance?
>
>I thought of them when I saw Walt's original posting earlier.
>
>I have a Black Box KVM-IP here which offers remote viewing by proper
>pure VNC - I think its onboard server is based on Tight VNC. It offers
>a reassuring certitude that it will never be made obsolete by some
>future Java update.
>
>Stroller.

No. TYAN mainboards with Aspeed IPMI/KVM onboard.

I like the option to be able to 'mount' an iso or usb stick from my laptop and make the server think I put a cd/dvd in a non existent drive in the server. Even though I am nowhere near.

I still have some older Java plugins. If need be, I will create a VM with an old plugin that I can use to access the servers. 

--
Joost
-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.

[-- Attachment #2: Type: text/html, Size: 1614 bytes --]

Re: [gentoo-user] Re: The latest java plugin is a giant PITA

[J. Roeleveld]

On 1 February 2014 20:15:13 CET, walt <w41ter@gmail.com> wrote:
>On 02/01/2014 10:30 AM, J. Roeleveld wrote:
>> On Sat, February 1, 2014 16:59, walt wrote:
>> An easier way then to use the silly jconsole might be found in the
>> following location:
>> 
>> ~/.java/deployment/security/
>
>WTF?  No XML? ;)

Could have been worse. Some proprietary binary format.

>> HTH,
>
>Very much, thanks.
>  
>> PS. If anyone knows how to get an SSL-certificate that is accepted by
>> this, please let me know.
>
>I don't think I understand the question.  jconsole has a button marked
>"Manage Certificates", that's not what you want?

The webinterface allows me to upload a new SSL certificate. I will need to do this as one of the servers has an outdated SSL certificate.

If I know how to fabricate one that expires in 10 years and is easily accepted by Java. I will be happy.

--
Joost


-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.

Re: [gentoo-user] The latest java plugin is a giant PITA

[Stroller]

[-- Attachment #1: Type: text/plain, Size: 505 bytes --]


On Sun, 2 February 2014, at 1:39 pm, J. Roeleveld <joost@antarean.org> wrote:
> ...
> I like the option to be able to 'mount' an iso or usb stick from my laptop and make the server think I put a cd/dvd in a non existent drive in the server. Even though I am nowhere near.

Yeah, the DRACs, and many others, do this too.

It's freakin' amazing to be able to reinstall the o/s from halfway around the world (or across town, as the case may be), and to know that you can do so safely.

Stroller.
 

[-- Attachment #2: Type: text/html, Size: 1913 bytes --]