Migrate to the Java 2 security model

Similar Messages

• Java Security Model: Java Protection Domains

  1.     Policy Configuration
  Until now, security policy was hard-coded in the security manager used by Java applications. This gives us the effective but rigid Java sandbox for applets.A major enhancement to the Java sandbox is the separation of policy from mechanism. Policy is now expressed in a separate, persistent format. The policy is represented in simple ascii, and can be modified and displayed by any tools that support the policy syntax specification. This allows:
  o     Configurable policies -- no longer is the security policy hard-coded into the application.
  o     Flexible policies -- Since the policy is configurable, system administrators can enforce global polices for the enterprise. If permitted by the enterprise's global policy, end-users can refine the policy for their desktop.
  o     Fine-grain policies -- The policy configuration file uses a simple, extensible syntax that allows you to specify access on specific files or to particular network hosts. Access to resources can be granted only to code signed by trusted principals.
  o     Application policies -- The sandbox is generalized so that applications of any stripe can use the policy mechanism. Previously, to establish a security policy for an application, an developer needed to implement a subclass of the SecurityManager, and hard-code the application's policies in that subclass. Now, the application can make use of the policy file and the extensible Permission object to build an application whose policy is separate from the implementation of the application.
  o     Extensible policies -- Application developers can choose to define new resource types that require fine-grain access control. They need only define a new Permission object and a method that the system invokes to make access decisions. The policy configuration file and policy tools automatically support application-defined permissions. For example, an application could define a CheckBook object and a CheckBookPermission.
  2.     X.509v3 Certificate APIs
  Public-key cryptography is an effective tool for associating an identity with a piece of code. JavaSoft is introducing API support in the core APIs for X.509v3 certificates. This allows system administrators to use certificates from enterprise Certificate Authorities (CAs), as well as trusted third-party CAs, to cryptographically establish identities.
  3.     Protection Domains
  The central architectural feature of the Java security model is its concept of a Protection Domain. The Java sandbox is an example of a Protection Domain that places tight controls around the execution of downloaded code. This concept is generalized so that each Java class executes within one and only one Protection Domain, with associated permissions.
  When code is loaded, its Protection Domain comes into existence. The Protection Domain has two attributes - a signer and a location. The signer could be null if the code is not signed by anyone. The location is the URL where the Java classes reside. The system consults the global policy on behalf of the new Protection Domain. It derives the set of permissions for the Protection Domain based on its signer/location attributes. Those permissions are put into the Protection Domain's bag of permissions.
  4.     Access Decisions
  Access decisions are straightforward. When code tries to access a protected resource, it creates an access request. If the request matches a permission contained in the bag of permissions, then access is granted. Otherwise, access is denied. This simple way of making access decisions extends easily to application-defined resources and access control. For example, the banking application allows access to the CheckBook only when the executing code holds the appropriate CheckBookPermission.
  Sandbox model for Security
  Java is supported in applications and applets, small programs that spurred Java's early growth and are executable in a browser environment. The applet code is downloaded at runtime and executes in the context of a JVM hosted by the browser. An applet's code can be downloaded from anywhere in the network, so Java's early designers thought such code should not be given unlimited access to the target system. That led to the sandbox model -- the security model introduced with JDK 1.0.
  The sandbox model deems all code downloaded from the network untrustworthy, and confines the code to a limited area of the browser -- the sandbox. For instance, code downloaded from the network could not update the local file system. It's probably more accurate to call this a "fenced-in" model, since a sandbox does not connote strict confinement.
  While this may seem a very secure approach, there are inherent problems. First, it dictates a rigid policy that is closely tied to the implementation. Second, it's seldom a good idea to put all one's eggs in one basket -- that is, it's unwise to rely entirely on one approach to provide overall system security.
  Security needs to be layered for depth of defense and flexible enough to accommodate different policies -- the sandbox model is neither.
  java.security.ProtectionDomain
  This class represents a unit of protection within the Java application environment, and is typically associated with a concept of "principal," where a principal is an entity in the computer system to which permissions (and as a result, accountability) are granted.
  A domain conceptually encloses a set of classes whose instances are granted the same set of permissions. Currently, a domain is uniquely identified by a CodeSource, which encapsulates two characteristics of the code running inside the domain: the codebase (java.net.URL), and a set of certificates (of type java.security.cert.Certificate) for public keys that correspond to the private keys that signed all code in this domain. Thus, classes signed by the same keys and from the same URL are placed in the same domain.
  A domain also encompasses the permissions granted to code in the domain, as determined by the security policy currently in effect.
  Classes that have the same permissions but are from different code sources belong to different domains.
  A class belongs to one and only one ProtectionDomain.
  Note that currently in Java 2 SDK, v 1.2, protection domains are created "on demand" as a result of class loading. The getProtectionDomain method in java.lang.Class can be used to look up the protection domain that is associated with a given class. Note that one must have the appropriate permission (the RuntimePermission "getProtectionDomain") to successfully invoke this method.
  Today all code shipped as part of the Java 2 SDK is considered system code and run inside the unique system domain. Each applet or application runs in its appropriate domain, determined by its code source.
  It is possible to ensure that objects in any non-system domain cannot automatically discover objects in another non-system domain. This partition can be achieved by careful class resolution and loading, for example, using different classloaders for different domains. However, SecureClassLoader (or its subclasses) can, at its choice, load classes from different domains, thus allowing these classes to co-exist within the same name space (as partitioned by a classloader).
  jarsigner and keytool
  example : cd D:\EicherProject\EicherWEB\Web Content jarsigner -keystore eicher.store source.jar eichercert
  The javakey tool from JDK 1.1 has been replaced by two tools in Java 2.
  One tool manages keys and certificates in a database. The other is responsible for signing and verifying JAR files. Both tools require access to a keystore that contains certificate and key information to operate. The keystore replaces the identitydb.obj from JDK 1.1. New to Java 2 is the notion of policy, which controls what resources applets are granted access to outside of the sandbox (see Chapter 3).
  The javakey replacement tools are both command-line driven, and neither requires the use of the awkward directive files required in JDK 1.1.x. Management of keystores, and the generation of keys and certificates, is carried out by keytool. jarsigner uses certificates to sign JAR files and to verify the signatures found on signed JAR files.
  Here we list simple steps of doing the signing. We assume that JDK 1.3 is installed and the tools jarsigner and keytool that are part of JDK are in the execution PATH. Following are Unix commands, however with proper changes, these could be used in Windows as well.
  1. First generate a key pair for our Certificate:
  keytool -genkey -keyalg rsa -alias AppletCert
  2. Generate a certification-signing request.
  keytool -certreq -alias AppletCert > CertReq.pem
  3. Send this CertReq.pem to VeriSign/Thawte webform. Let the signed reply from them be SignedCert.pem.
  4. Import the chain into keystore:
  keytool -import -alias AppletCert -file SignedCert.pem
  5. Sign the CyberVote archive �TeleVote.jar�:
  jarsigner TeleVote.jar AppletCert
  This signed applet TeleVote.jar can now be made available to the web server. For testing purpose we can have our own test root CA. Following are the steps to generate a root CA by using openssl.
  1. Generate a key pair for root CA:
  openssl genrsa -des3 -out CyberVoteCA.key 1024
  2. Generate an x509 certificate using the above keypair:
  openssl req -new -x509 -days key CyberVoteCA.key -out CyberVoteCA.crt
  3. Import the Certificate to keystore.
  keytool -import -alias CyberVoteRoot -file CyberVoteCA.crt
  Now, in the step 3 of jar signing above, instead of sending the request certificate to VeriSign/Thawte webform for signing, we 365 - can sign using our newly created root CA using this command:
  openssl x509 -req -CA CyberVoteCA.crt -CAkey CyberVoteCA.key -days 365 -in CertReq.pem -out SignedCert.pem �Cacreateserial
  However, our test root CA has to be imported to the keystore of voter�s web browser in some way. [This was not investigated. We used some manual importing procedure which is not recommended way]
  The Important Classes
  The MessageDigest class, which is used in current CyberVote mockup system (see section 2), is an engine class designed to provide the functionality of cryptographically secure message digests such as SHA-1 or MD5. A cryptographically secure message digest takes arbitrary-sized input (a byte array), and generates a fixed-size output, called a digest or hash. A digest has the following properties:
  � It should be computationally infeasible to find two messages that hashed to the same value.
  � The digest does not reveal anything about the input that was used to generate it.
  Message digests are used to produce unique and reliable identifiers of data. They are sometimes called the "digital fingerprints" of data.
  The (Digital)Signature class is an engine class designed to provide the functionality of a cryptographic digital signature algorithm such as DSA or RSA with MD5. A cryptographically secure signature algorithm takes arbitrary-sized input and a private key and generates a relatively short (often fixed-size) string of bytes, called the signature, with the following properties:
  � Given the public key corresponding to the private key used to generate the signature, it should be possible to verify the authenticity and integrity of the input.
  � The signature and the public key do not reveal anything about the private key.
  A Signature object can be used to sign data. It can also be used to verify whether or not an alleged signature is in fact the authentic signature of the data associated with it.
  ----Cheers
  ---- Dinesh Vishwakarma

  Hi,
  these concepts are used and implemented in jGuard(www.jguard.net) which enable easy JAAS integration into j2ee webapps across application servers.
  cheers,
  Charles(jGuard team).

• Please Migrate to the java 2 Security Model.

  HI, this is my first post BTW, I dont know much about Java its just that when i try to access my work from home(united Airlines). It was working fine until i had to format My hd and since u can no longer download java from the microsoft site i had to come here to download the newer version and havent been able to access it since. Is there a site or anywhere that i can download hte old version perhaps or get this one to work? when i tyr to login i get this Error in the Java Console:
  ipsNetletStatus.init()
  Netlet Starting (16)
  Netscape security model is no longer supported.
  Please migrate to the Java 2 security model instead.
  Netlet found Netscape
  Netscape security model is no longer supported.
  Please migrate to the Java 2 security model instead.
  Netscape security model is no longer supported.
  Please migrate to the Java 2 security model instead.
  Netscape security model is no longer supported.
  Please migrate to the Java 2 security model instead.
  Netlet config: https://gw-r5.airline.compuserve.com:443/http://as-r5.airline.compuserve.com:8080/NetletConfig?func=loadResources
  ipsNetletStatus.start()
  ...ipsNetletStatus.run() is starting
  Netscape security model is no longer supported.
  Please migrate to the Java 2 security model instead.
  Netscape security model is no longer supported.
  Please migrate to the Java 2 security model instead.
  netscape.javascript.JSException: Failure to evaluate netscape.security.PrivilegeManager.enablePrivilege("UniversalPreferencesRead");navigator.preference("network.proxy.ssl");
  at sun.plugin.javascript.ocx.JSObject.eval(Unknown Source)
  at BrowserProxyInfo.<init>(BrowserProxyInfo.java:58)
  at SServer.loadParameters(SServer.java:140)
  at SServer.start(SServer.java:111)
  at sun.applet.AppletPanel.run(Unknown Source)
  at java.lang.Thread.run(Unknown Source)

  Lokk at this thread http://forum.java.sun.com/thread.jsp?forum=31&thread=297109
  and search the Forums using the term "java 2 security model" (include the quote marks)

• Migrate to the Java 2 security model instead...

  Since I installed Java 4 ver 1.4 on my computer, I have not been able to access my homebanking. In the Java console I get the following message:
  1.4.0 on Windows XP
  Netscape security model is no longer supported.
  Please migrate to the Java 2 security model instead.
  What does it mean, and how do I fix the problem???
  Thanks in advance!

  This is a real pain. I can't roll out Java 1.4 inside our company because we use several applets for which we do not have the source code, and they no longer work because of this limitation. Sun needs to fix this if they want people to upgrade to Java 1.4.

• Java Security Model for Web Apllication Security

  Hi,
  Any one can tell me about Java Security model used in web site protection. what are th eAPI's used to implement this model on Websites.
  I am keen to know only about the Authentication and Authorization secutiry.
  Thanks,
  Vivek

  Hi Ram, thanks for reply. I appreciate your comments.
  This is a very interesting topic because we need to know how much flexibility we have in order to apply security policies to our services. After all, SOA is about flexibility (with appropriate level of control), isn't it? :-P
  Option 1 (WSDL files) is a reasonable one. We could create "views" of the same service using ESB. But I'm concerned if this approach ("Security Oriented Views" of a service) can lead to difficulties in operational governance and appropriate discovery and reuse of the service.
  Option 2 is also something to be concerned, as we could end up designing "Security Oriented Architecture" :-P
  Option 3 (Customization through OAM) is also reasonable, but I don't know if this is really possible to achieve since OAM is mostly related to web resources. It would be nice if we had a chance to implement this in WSM instead.
  Denis
  Message was edited by:
  [email protected]
  Message was edited by:
  [email protected]

• HT1338 There is a lot of talk about the Java security issues and the ability to download a patch fix, do i need to do this or will software update pick this up for me?

  There is a lot of talk about the Java security issues and the ability to download an apple patch fix, do i need to do this or will software update pick this up for me?

  Thanks for that, how do I establish if I have Java installed as on Safari preferences it indicates the following
  Web content - Enable Java
                      - Enable JavaScript

• Should I be concerned about the JAVA security scare?

  I use an iMAC with OSX 10.8.2 Mountain Lion.  
  In my SAFARI Security Preferences Java is Enabled.
  I am always reluctant to do anything to change existing settings.
  Should I Disable Java?

  Oracle's released update 7u11 which fixes the exploit.

• Grants in the AOL Security Model

  Hi
  Here's is the business scenario:
  1. There is an Object 'Notes' defined that stores Notes (Notes are text information captured in say a Service Request submitted by an Employee). These are stored in table 'JTF_NOTES_B'.
  2. There are two Object Instance Sets defined for this object - Private Notes and All Notes.
  a. Private Notes are Notes that only its creator can view (it is a status on the Note) - the predicate on this is:
  &TABLE_ALIAS.NOTE_STATUS = 'PRIVATE'
  AND &TABLE_ALIAS.CREATED_BY = FND_GLOBAL.USER_ID
  b. Public Notes are Note that can be viewed by anyone.
  &TABLE_ALIAS.NOTE_STATUS <> 'PRIVATE'
  3. There are two Grants defined:
  a. Grant to allow all users to view Private Notes that they have created
  b. Grant to allow all users to view all Public Notes (irrespective of the creator)
  Question:
  How are these two Grants resolved in the Database? Is it via a Union on these two Object Instance Sets like:
  select *
  from JTF_NOTES_B
  where &TABLE_ALIAS.NOTE_STATUS = 'PRIVATE'
  AND &TABLE_ALIAS.CREATED_BY = FND_GLOBAL.USER_ID
  UNION
  select *
  from JTF_NOTES_B
  where &TABLE_ALIAS.NOTE_STATUS <> 'PRIVATE'
  or via an OR clause like?
  select *
  from JTF_NOTES_B
  where ( &TABLE_ALIAS.NOTE_STATUS = 'PRIVATE'
  AND &TABLE_ALIAS.CREATED_BY = FND_GLOBAL.USER_ID)
  OR &TABLE_ALIAS.NOTE_STATUS <> 'PRIVATE'
  OR is there any other way that these two Grants will be resolved?
  Thanks.
  Edited by: dejoseph on Mar 18, 2013 1:16 PM

  Hi, Please go through the SQL query below.
  SELECT
  EL.InstanceName,
  COALESCE(C.Path, 'Unknown') AS ItemPath,
  EL.UserName,
  EL.ExecutionId,
  CASE(EL.RequestType)
  WHEN 0 THEN 'Interactive'
  WHEN 1 THEN 'Subscription'
  WHEN 2 THEN 'Refresh Cache'
  ELSE 'Unknown'
  END AS RequestType,
  EL.Format,
  Parameters,
  CASE(EL.ReportAction)
  WHEN 1 THEN 'Render'
  WHEN 2 THEN 'BookmarkNavigation'
  WHEN 3 THEN 'DocumentMapNavigation'
  WHEN 4 THEN 'DrillThrough'
  WHEN 5 THEN 'FindString'
  WHEN 6 THEN 'GetDocumentMap'
  WHEN 7 THEN 'Toggle'
  WHEN 8 THEN 'Sort'
  WHEN 9 THEN 'Execute'
  ELSE 'Unknown'
  END AS ItemAction,
  EL.TimeStart,
  YEAR(EL.TimeStart) AS Start_Year,
  MONTH(EL.TimeStart) AS Start_Month,
  DATENAME(MONTH,EL.TimeStart) AS Start_Month_Name,
  DATENAME(DW,EL.TimeStart) AS Start_Day_Of_Week,
  DATEPART(WEEKDAY,EL.TimeStart) AS Start_Day_Number_of_Week,
  EL.TimeEnd,
  EL.TimeDataRetrieval,
  EL.TimeProcessing,
  EL.TimeRendering,
  CASE(EL.Source)
  WHEN 1 THEN 'Live'
  WHEN 2 THEN 'Cache'
  WHEN 3 THEN 'Snapshot'
  WHEN 4 THEN 'History'
  WHEN 5 THEN 'AdHoc'
  WHEN 6 THEN 'Session'
  WHEN 7 THEN 'Rdce'
  ELSE 'Unknown'
  END AS Source,
  EL.Status,
  EL.ByteCount,
  EL.[RowCount],
  EL.AdditionalInfo,
  C.Name,
  C.CreatedByID,
  C.ModifiedByID,
  C.Description,
  C.CreationDate,
  C.ModifiedDate,
  CASE
  WHEN C.TYPE=1 THEN 'Folder'
  WHEN C.TYPE=2 THEN 'Report'
  WHEN C.TYPE=3 THEN 'XML'
  WHEN C.TYPE=4 THEN 'Linked Report'
  WHEN C.TYPE=5 THEN 'Data Source'
  WHEN C.TYPE=6 THEN 'Model'
  WHEN C.TYPE=8 THEN 'Shared Dataset'
  WHEN C.TYPE=9 THEN 'Report Part'
  END AS Type_Description
  FROM
  ExecutionLogStorage AS EL
  LEFT OUTER JOIN Catalog AS C ON EL.ReportID = C.ItemID
  Anything in the Format column is not 'RPL' is all exported in some manner or the other.
  Hope this helps...........
  Ione

• Netscape vs. Java 2 Security model

  Hi, new user here, downloaded and installed Java Virtual Machine plug-in, 1.4.2-b28, Wednesday evening. Added Java capability to IE 6.0.28. Running XP.
  Encountered a problem with a URL that had worked with Microsoft VM on another machine on my home network. Found the Java Console, which gave the following message: "Netscape security model is no longer supported. Please migrate to the Java 2 security model instead."
  Questions:
  1) Might this be the source of the problem I encountered?
  2) Is the Java 2 security model something I have to download, or is it some setting in IE?
  3) If this isn't the right forum for this question, which one is?
  That is, how do I "migrate" to Java 2, and why would I be using a Netscape Security model with the latest version of IE?
  I am not a developer, just a frustrated consumer!
  Warmest regards

  dear sir
  I am having the same problem as yours did you find a soloution for this problem
  Thanks & best regards

• Java 2 vs. Netscape security model

  Hi, new user here, downloaded and installed Java Virtual Machine plug-in, 1.4.2-b28, Wednesday evening. Added Java capability to IE 6.0.28. Running XP.
  Encountered a problem with a URL that had worked with Microsoft VM on another machine on my home network. Found the Java Console, which gave the following message: "Netscape security model is no longer supported. Please migrate to the Java 2 security model instead."
  Questions:
  1) Might this be the source of the problem I encountered?
  2) Is the Java 2 security model something I have to download, or is it some setting in IE?
  3) If this isn't the right forum for this question, which one is?
  That is, how do I "migrate"?
  I am not a developer, just a frustrated consumer!
  Warmest regards

  dear sir
  I am having the same problem as yours did you find a soloution for this problem
  Thanks & best regards

• Java 2 security model

  I started an applet once, i selected "Grant always" and afterwards everytime i try to start the applet i get the error message:
  Netscape security model is no longer supported.
  Please migrate to the Java 2 security model instead
  How i should bypass the error?

  try:
  http://java.sun.com/docs/books/tutorial/security1.2/ove
  view/index.html
  regardsThanks for your replay, but it seems to me too compicate how i may overcome the problem!
  Regards,

• The role of java.security.acl in Java 2 security

  I have been trying to assess the role of the java.security.acl package within the Java 2 Security architecture. I have some questions regarding it.
  First where in the JVM are the interfaces of java.security.acl used? Are there any examples out there to guide developers in understanding their proper implementation?
  What is the relationship between this package and the core security package? There seems to be a Permission interface in the acl sub-package and an abstract Permission class in the core security package. Why is this the case? Why is the core abstract class not used instead of declaring a new Permission interface within the acl subpackage?
  Are not PermissionCollections and Permissions analogous to ACLs? If so then wouldn't that fact make the acl subpackage redundant?
  JSR 115 tries to bridge the gap between Java 2 Security in the SDK with security in J2EE. Namely enabling the RBAC-like approach to security in J2EE while using the AccessController of the J2SE to do the evalualtion of J2EE (Servlet/EJB) Permissions. Why are the Group and Owner interfaces defined here not leveraged in both JSR 115 and in general for Role Based Access Control?
  Could someone give some background on the vision behind creating the acl subpackage and how it relates to the historical progression of security advances in Java security architectures?
  Thanks much,
  Alex Karasulu

  I see from the defined interfaces that its an attempt at a formal approach to RBAC. However RBAC can be implemented without it all together using existing J2SE and JAAS based constructs. This does not answer the redundancy question. Could you elaborate a little bit more?
  Thanks,
  Alex

• What to do about the recent Java security issue?

  I am reading about the Java security issue. Do I need to do something with Safari?

  Open Safari preferences, click on the Security icon in the toolbar. Uncheck the Enable Java option.

• JavaBean - Netscape security model is no longer supported.

  Netscape security model is no longer supported.
  Please migrate to the Java 2 security model instead.
  Is logged to my java console window and the javabean will not be invoked. How do I migrate to the Java 2 security model. I'm tryÃng to use acrobat viewer for Java as a bean in my forms to open and print pdf documents.
  Thanks,
  Anders

  Anders,
  see also my response to your second posting on this:
  VBean
  My last information regarding the Acrobat Reader jar files were that they are based on Java 1.x, wchih may explain the problems you are running into. I tried these jar files one or two years ago and had problems getting them to work in a newer Java environment.
  Frank

• Dynamically adding JRE for IE, Java Security Warnings, & Next Gen Plugin.

  I wrote an portal application to control the environment for a third party application, the portal uses a JRE version that I supply with it, this was to ensure that users are using the same JRE so any issues can be limited to one version of Java. The only piece of the application that I could not specify the JRE version and path was for Internet Explorer. Please keep in mind that I do not control when the system JRE is updated or not, this is pushed to our systems and the latest JRE would be enabled automatically. I wanted to be able to dynamically add and enable the version of the JRE that Microsoft Internet Explorer uses for applets. So I was digging around recently and if I have the next-generation plugin enabled I could programmatically update the deployment.properties file prior to launching Internet Explorer(assuming I have closed all prior instances of IE that were running) to add and enable a version of the JRE which I choose to use. When I launch IE and run an applet I see that it is using the JRE I had dynamically supplied. However everytime I run the applet a Java security warning comes up saying "The application requires an earlier version of Java", I wanted to suppress this message but after research I tried adding 'deployment.security.mixcode=HIDE_RUN' to the deployment.properties, that did not work. I tried disabling the Next Generation Plugin, that worked to suppress the message however internet explorer was no longer using my dynamically supplied JRE for applets in IE, so that was not going to work for my purposes. My questions are:
  1. Is there a reliable way(not using ssvagent) to programmatically enable and disable Java's Next Generation Plugin option? (I want to make sure it is enabled when launching third party application from the portal)
  2. Is there a programmatic way to suppress the Java Security Warning "The application requires an earlier version of Java", without disabling Java's Next Generation Plugin option?
  deployment.properties entries after addition of my jre entry:
  #deployment.properties
  #Fri Sep 28 14:09:24 PDT 2012
  deployment.javapi.lifecycle.exception=true
  deployment.trace=true
  deployment.javaws.viewer.bounds=323,144,720,360
  deployment.javaws.autodownload=NEVER
  deployment.version=6.0
  deployment.browser.path=C\:\\Program Files (x86)\\Internet Explorer\\iexplore.exe
  deployment.security.mixcode=HIDE_RUN
  deployment.log=true
  deployment.console.startup.mode=SHOW
  deployment.capture.mime.types=true
  #Java Deployment jre's
  #Fri Sep 28 14:09:24 PDT 2012
  deployment.javaws.jre.0.registered=true
  deployment.javaws.jre.0.platform=1.6
  deployment.javaws.jre.0.osname=Windows
  deployment.javaws.jre.0.path=C\:\\Program Files (x86)\\Java\\jre6\\bin\\javaw.exe
  deployment.javaws.jre.0.product=1.6.0_33
  deployment.javaws.jre.0.osarch=x86
  deployment.javaws.jre.0.location=http\://java.sun.com/products/autodl/j2se
  deployment.javaws.jre.0.enabled=false
  deployment.javaws.jre.0.args=
  deployment.javaws.jre.1.enabled=true
  deployment.javaws.jre.1.registered=true
  deployment.javaws.jre.1.osname=Windows
  deployment.javaws.jre.1.location=http\\\://java.sun.com/products/autodl/j2se
  deployment.javaws.jre.1.osarch=x86
  deployment.javaws.jre.1.path=C\:\\Portal\\dist\\java\\jre6\\bin\\javaw.exe
  deployment.javaws.jre.1.platform=1.6
  deployment.javaws.jre.1.product=1.6.0_29
  Note: The reason not to use most recent version of Java is the necessity to test the third party application prior to deployment of a new Java version and since I do not control when a new version of Java is deployed and enabled to our machines, I am required to find an transparent solution. I understand the security issues by doing so, but the time between testing and acceptance of a new Java version for our application is within an acceptable timeframe. On exiting the application, I would restore the JRE settings and restore previous settings, to minimize the exposure of a potential security risk. Also any manual configurations are trying to be avoided as to maintain transparency to the user.

  I'm having a similar problem and I think it is related with this.
  If, after a Java--->Javascript call, a Javascript--->Java call isn't made soon after the first, it works. But, if the Java--->Javascript call triggers a Javascript--->Java call, any Java--->Javascript call that is made after that doesn't reach Javascript :/
  I have a method that handles the Java--->Javascript calls and goes something like this:
  System.out.println("Calling Javascript...");
  JSObject win = JSObject.getWindow(this);
  win.call(jsEventHandler, new Object[] { json.toString() });
  System.out.println("Done.");I further found out that, after looking at the Java debug console in the scenario where a Java--->Javascript call triggers a Javascript--->Java call, only after this last method returns is the "Done" message printed, even though the respective Javascript call was already invoked.
  Could you explain in more detail the queue based solution you found? Any other ideas?
  Regards,
  Andr&eacute; Tavares.