We're having difficulties getting past the mixed code error for Java webstart. In summary, we have our main JNLP file, we've signed all of our code that it loads directly. We've added the all-permissions option to the main JNLP. The main class it loads also comes from a signed jar.
我们在克服Java webstart的混合代码错误时遇到了困难。总之,我们有我们的主要JNLP文件,我们已经签署了它直接加载的所有代码。我们已将all-permissions选项添加到主JNLP中。它加载的主类也来自一个签名的jar。
When the main class kicks off a little down the road it fires off some things that need to load some unsigned resources that are pulled in from JNLP B. None of JNLP B's resources are signed and they do not need any special permissions.
当主要类开始时,它会触发一些需要加载从JNLP B中提取的未签名资源的东西。没有JNLP B的资源被签名且它们不需要任何特殊权限。
All of the signed code has been setup based on the mixed code documentation from Oracle and the jar files have been set with manifests of "Trusted-Library: true" before signing.
所有已签名的代码都是基于Oracle的混合代码文档设置的,并且jar文件在签名之前已经设置了“Trusted-Library:true”的清单。
When the unsigned code is attempted to be loaded by the signed code we get a class not found error like so:
当尝试通过签名代码加载未签名的代码时,我们得到一个类未找到错误,如下所示:
java.lang.reflect.InvocationTargetException
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.lang.reflect.Method.invoke(Unknown Source)
at com.sun.javaws.Launcher.executeApplication(Unknown Source)
at com.sun.javaws.Launcher.executeMainClass(Unknown Source)
at com.sun.javaws.Launcher.doLaunchApp(Unknown Source)
at com.sun.javaws.Launcher.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
Caused by: java.lang.NoClassDefFoundError: org/some/external/package/that/is/not/signed
at org.our.signed.package.main(Main.java:87)
... 9 more
Caused by: java.lang.ClassNotFoundException: org.some.external.package.that.is.not.signed
at java.net.URLClassLoader$1.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at java.net.URLClassLoader.findClass(Unknown Source)
at com.sun.jnlp.JNLPClassLoader.findClass(Unknown Source)
at java.lang.ClassLoader.loadClass(Unknown Source)
at java.lang.ClassLoader.loadClass(Unknown Source)
... 10 more
Here's the scenario in the JNLP's:
以下是JNLP中的情景:
JNLP A: (summarized)
JNLP答:(总结)
<jnlp spec="1.5+" codebase="...." href="......">
<information>
...etc
</information>
<security>
<all-permissions/>
</security>
<resources>
<j2se version="1.6+" initial-heap-size="80m" max-heap-size="256m" href="http://java.sun.com/products/autodl/j2se"/>
<jar href="signedJar_1.jar" download="eager" main="true"/>
<jar href="signedJar_2.jar" download="eager" main="false"/>
<extension name="unsigned_ext" href="unsigned.jnlp"/>
</resources>
<application-desc main-class="(FROM SIGNED CLASS in signedJar_1.jar)"/>
</jnlp>
JNLP B (the unsigned.jnlp loader)
JNLP B(unsigned.jnlp加载器)
<jnlp spec="1.5+" codebase="....." href="......">
<information>
...etc
</information>
<resources>
<jar href="unsigned.jar"/>
</resources>
<component-desc/>
</jnlp>
We have noted that the security exceptions are working correctly, because if we move the unsigned jar into the the JNLP that has all-permissions and has signed jars, we get the expected security exceptions that Java won't let us mix the signed code with Trusted-Library: true and unsigned code with no manifest attributes.
我们已经注意到安全异常正常工作,因为如果我们将未签名的jar移动到具有所有权限并且已经签署了jar的JNLP中,我们就会获得Java不会让签名代码与之混合的预期安全异常。 Trusted-Library:没有清单属性的true和unsigned代码。
Ideas? Is there a reason the classloader can't find the java files from the unsigned code? Is there something special we are missing to allow signed code to run unsigned code? I've only seen the cases where people have problems getting unsigned code to run signed code, which I can understand.
想法?有没有理由类加载器无法从无符号代码中找到java文件?我们缺少一些特殊的东西来允许签名代码运行未签名的代码吗?我只看到了人们在使用未签名的代码运行签名代码时遇到问题的情况,我可以理解。
1 个解决方案
#1
5
The trusted-library class loader is a parent (in the sense of class loader delegation) of the (possibly untrusted) applet class loader. Think of it as if it is the boot class loader. So the untrusted classes can link to the trusted-library classes but not vice versa. Without going to the bother of altering manifests and using WebStart you can try this stuff out by adding your trusted class with -Xbootclasspath/a:
and your untrusted classes with -classpath
(this is how the feature was tried out before it was implemented).
可信库类加载器是(可能是不可信的)applet类加载器的父(在类加载器委托的意义上)。可以把它想象成是引导类加载器。因此,不受信任的类可以链接到受信任的库类,但反之亦然。无需更改清单和使用WebStart,您可以通过添加带有-Xbootclasspath / a的可信类和使用-classpath的不受信任的类来尝试这些内容(这是在实现之前测试该功能的方式)。
JNLPAppletLauncher
is an example of how to have trusted-libraries invoke applet code. The applet class loader can be obtained with Thread.currentThread().getContextClassLoader()
, and it's just reflection from there. Writing safe trusted library code is tricky. Remember, you can't trust untrusted code.
JNLPAppletLauncher是如何让受信任库调用applet代码的示例。可以使用Thread.currentThread()。getContextClassLoader()获取applet类加载器,它只是从那里反射出来的。编写安全的可信库代码很棘手。请记住,您不能信任不受信任的代码。
#1
5
The trusted-library class loader is a parent (in the sense of class loader delegation) of the (possibly untrusted) applet class loader. Think of it as if it is the boot class loader. So the untrusted classes can link to the trusted-library classes but not vice versa. Without going to the bother of altering manifests and using WebStart you can try this stuff out by adding your trusted class with -Xbootclasspath/a:
and your untrusted classes with -classpath
(this is how the feature was tried out before it was implemented).
可信库类加载器是(可能是不可信的)applet类加载器的父(在类加载器委托的意义上)。可以把它想象成是引导类加载器。因此,不受信任的类可以链接到受信任的库类,但反之亦然。无需更改清单和使用WebStart,您可以通过添加带有-Xbootclasspath / a的可信类和使用-classpath的不受信任的类来尝试这些内容(这是在实现之前测试该功能的方式)。
JNLPAppletLauncher
is an example of how to have trusted-libraries invoke applet code. The applet class loader can be obtained with Thread.currentThread().getContextClassLoader()
, and it's just reflection from there. Writing safe trusted library code is tricky. Remember, you can't trust untrusted code.
JNLPAppletLauncher是如何让受信任库调用applet代码的示例。可以使用Thread.currentThread()。getContextClassLoader()获取applet类加载器,它只是从那里反射出来的。编写安全的可信库代码很棘手。请记住,您不能信任不受信任的代码。