Applets not working due to expired or not-yet-valid certificate


Erwin Vast

Jul 15, 2015, 7:57:09 AM
to xnat_di...@googlegroups.com
Hi all,

On a new XNAT installation I get the following Java error when running the applet (and after enabling NPAPI support):

"Your security settings have blocked an application signed with an expired or not-yet-valid certificate from running."

Also see attached screenshot. Adding the site to the Java exception list works, but it would be better if this would not be needed for all users.

Is there an (easy) solution for this? I'm using Chrome 43.0.2357.134m and Java 1.8.0_31.

Thanks,
Erwin
java_certificate_problem.png

Herrick, Rick

Jul 15, 2015, 9:30:25 AM
to xnat_di...@googlegroups.com
This is an issue with Chrome specifically:


It’s what we’re referring to as “Chromageddon” and we are planning to address it at today’s XNAT developer teleconference.

For now, you can work around it by enabling NPAPI support in Chrome, which is described on the page linked above. Long term, i.e. after September according to Google’s timeline, Chrome will not support NPAPI at all. At that point, you will be able to use Chrome with the “applets” launching as Java Web Start applications or you can use other browsers that continue to support NPAPI. Firefox and Safari currently support NPAPI to various degrees.

Long term we’re working to come up with alternatives to the applet approach, but haven’t really found anything that gives us the combination of ease of deployment (even with the problems around running the Java plugin on various platforms, our applets have had the advantage of not requiring users to install completely separate applications) and functionality (HTML5 and JavaScript are inadequate for processing DICOM on the client side). So… we’ll see what we can come up with.

-- 

Rick Herrick

Sr. Programmer/Analyst

Neuroinformatics Research Group

Washington University School of Medicine

(314) 740-5961



Herrick, Rick

Jul 15, 2015, 10:17:41 AM
to xnat_di...@googlegroups.com
As someone just pointed out to me, I answered a different question from what you asked. The question I did answer has been on my mind a lot recently for obvious reasons and I saw what I wanted to see when I read your question :)

The problem you’re seeing is actually because of an expired certificate. Our code signing certificate expired a few days ago. We have updated our code signing processing to incorporate a trusted authority timestamp, which will allow jars to remain valid even after the signing certificate expires. However, this doesn’t help existing code signed before we incorporated the timestamp function.

What I’ll do is pull the applet jars from our 1.6.3 and 1.6.4 releases and re-sign them with timestamps and make those bundles available for download. If anyone is running earlier versions of XNAT and requires re-signed jars, please contact me off the discussion group and let me know what version you have. I will send out a post to the discussion group when those are available for download. That will be sometime later today.

Our upcoming 1.6.5 release will incorporate signed and timestamped jars for the applets as well.

-- 

Rick Herrick

Sr. Programmer/Analyst

Neuroinformatics Research Group

Washington University School of Medicine

(314) 740-5961
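
An added example, not part of the original post or XNAT's own tooling: a way to audit deployed applet jars for the trusted timestamp described above, so you can tell which ones will start failing when the signing certificate expires. It is a heuristic byte scan for the RFC 3161 timestamp-token OID in each signature block, not a signature verification; the function names and the sample jars are constructed for illustration.

```python
import io
import zipfile

# DER encoding of OID 1.2.840.113549.1.9.16.2.14 (id-aa-timeStampToken, RFC 3161).
# A timestamped jar signature carries it as an unsigned attribute in the PKCS#7 block.
TIMESTAMP_TOKEN_OID = bytes.fromhex("060b2a864886f70d010910020e")
SIG_BLOCK_SUFFIXES = (".RSA", ".DSA", ".EC")
PREFIX = "META-INF/"

def audit_jar(jar):
    """Map each signature block in the jar (path or file object) to has_timestamp."""
    results = {}
    with zipfile.ZipFile(jar) as zf:
        for name in zf.namelist():
            upper = name.upper()
            # Signature blocks live directly in META-INF, not in subdirectories.
            if (upper.startswith(PREFIX) and "/" not in upper[len(PREFIX):]
                    and upper.endswith(SIG_BLOCK_SUFFIXES)):
                results[name] = TIMESTAMP_TOKEN_OID in zf.read(name)
    return results

def classify(jar):
    """'unsigned', 'timestamped', or 'expires-with-cert' (signed, no timestamp)."""
    blocks = audit_jar(jar)
    if not blocks:
        return "unsigned"
    return "timestamped" if all(blocks.values()) else "expires-with-cert"

def _constructed_jar(sig_block):
    """Build an in-memory sample jar; sig_block is fake PKCS#7 bytes or None."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        if sig_block is not None:
            zf.writestr("META-INF/SIGNER.SF", "Signature-Version: 1.0\n")
            zf.writestr("META-INF/SIGNER.RSA", sig_block)
    buf.seek(0)
    return buf

if __name__ == "__main__":
    # Constructed samples: placeholder bytes, not real signatures.
    samples = {
        "no-signature.jar": _constructed_jar(None),
        "signed-only.jar": _constructed_jar(b"\x30\x82\x01\x00" + b"\x00" * 16),
        "signed-and-timestamped.jar": _constructed_jar(
            b"\x30\x82" + TIMESTAMP_TOKEN_OID + b"\x31\x00"),
    }
    for label, jar in samples.items():
        print(f"{label}: {classify(jar)}")
```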


George Kowalski

Jul 16, 2015, 9:17:07 AM
to xnat_di...@googlegroups.com
I'm getting the same error on Firefox 39.0 with Java 1.8.0_51

G

George Kowalski

Jul 16, 2015, 9:24:58 AM
to xnat_di...@googlegroups.com
Are there newly signed Jars we can download and update right now, independent of a full xnat upgrade? I can't find them on the xnat.org web site ...

Herrick, Rick

Jul 16, 2015, 9:35:31 AM
to xnat_di...@googlegroups.com

No, we’ll be completing those bundles for download today. I’ll send out an email when they’re available for download.

 


Herrick, Rick

Jul 16, 2015, 7:11:55 PM
to xnat_di...@googlegroups.com
We have created some downloads for updated applet jars for the 1.6.4 release. Instructions and links are available on our blog:


As noted in the end there, we will be working on other versions of the applets in the next day or two.

-- 

Rick Herrick

Sr. Programmer/Analyst

Neuroinformatics Research Group

Washington University School of Medicine

(314) 740-5961

Erwin Vast

Jul 17, 2015, 3:02:23 AM
to xnat_di...@googlegroups.com
Thanks Rick for the quick fix!

We will update our XNAT servers accordingly.

Kind regards,
Erwin

Simon Doran

Jul 17, 2015, 4:38:04 AM
to xnat_di...@googlegroups.com
Hi Rick,

  Chromageddon aside, this whole Java applet business is a real problem. Not being able to make it to the July developers' telecon, I thought I'd briefly post my experiences here.

  The only thing that works reliably for us is the Manage Files dialog, which I believe is not an applet. In particular, our users have so many problems getting the Image Download applet to run consistently that we have given up using it altogether. Yesterday, while one of our international collaborators was visiting us from abroad, he came to me with a hard drive and I had to zip up the contents of the entire arc001 directory for a particular project, simply because it was the easiest way for us to get him all the data for this large project.

  Given this background, your comment

  Long term we’re working to come up with alternatives to the applet approach, but haven’t really found anything that gives us the combination of ease of deployment (even with the problems around running the Java plugin on various platforms, our applets have had the advantage of not requiring users to install completely separate applications) and functionality (HTML5 and JavaScript are inadequate for processing DICOM on the client side). So… we’ll see what we can come up with.

seems a bit depressing. Looking back at the previous roadmaps for XNAT development, I thought that XNAT 1.7 was originally supposed to have a completely new data transfer tool. Is that no longer still in the pipeline?

  Surely, XNAT needs to be aiming for something that doesn't require each individual user to configure security exceptions on their systems and potentially update their Java when they want to use XNAT? I know there are lots of complexities, but at the end of the day, for the downloads isn't it just a single zip file that is going to end up on the user's disk?

  I'm sure I'm missing something obvious, but why can't one just improve the functionality of the Manage Files code?

  Best wishes,

Simon

Daniel Marcus

Jul 17, 2015, 8:56:23 AM
to xnat_di...@googlegroups.com
Hi Simon,

The upload tool is particularly challenging b/c it requires complex client-side operations on DICOM files in order to anonymize the data before transfer over the network. So after quite a lot of exploration of various technologies, it looks like we will continue with Java. HOWEVER, it definitely will NOT be a Java applet. It's the applet technology that causes most of the issues, so the short-term solution is to convert the current uploader to java webstart. That will make most horrible issues go away and can be done for 1.6.5. Longer term (either 1.7 or 1.8), we plan a full rewrite. Still java but a much better tool, either as webstart or installable application.

As for the other applets in XNAT.. The viewer has already been replaced with a javascript viewer that's pretty nice I think.  Much faster and more flexible than the old applet.  The downloader applet is indeed pretty horrible and is begging to be replaced. But I don't think expanding the current Manage Files will be sufficient.  It lacks a lot of functionality (resume, checksum verification, unpacking, etc) that would be hard to do in html/javascript.  So we'll likely be continuing the trend of replacing an applet with installable java.  I'm not thrilled about it, but we haven't identified any suitable alternatives.  There are a few options that we're looking at that would allow eventual migration back to the browser when browsers finally get their act together. And we're definitely open to input from the XNAT community on various technologies to consider! So speak up everyone if you've got ideas!

-Dan

 

Herrick, Rick

Jul 17, 2015, 5:17:51 PM
to xnat_di...@googlegroups.com
OK, one more update on this and hopefully that’s all we’ll need!


1.6.4, 1.6.3, and 1.6.2 are all now uploaded and available, with the URLs noted in the updated blog post above. I’ve also updated the corresponding download bundles.

If you run into any difficulties using these updated applets, please let me know ASAP. We have done some basic testing to verify that the applets load and can perform their basic functions, which means that they can pass the Java security manager tests.

Simon Doran

Jul 17, 2015, 6:03:02 PM
to xnat_di...@googlegroups.com
Hi Rick and Dan,

  Thanks for the update and for all the efforts on this tricky problem!

Simon

