
Can you sign a Java applet but keep it in the sandbox (NOT give it full access to user's computer)?

Thanks to Oracle's latest changes, it appears I have to sign an applet even though I don't need or want it to have unrestricted access to the user's computer (which is why it's currently unsigned). In particular, I don't want the warning they show for signed applets:

This application will run with unrestricted access which may put your computer and personal information at risk.

...which will scare the people using it.

Is it possible to sign an applet but mark it in some way to say "but keep using the sandbox"?

The only reason I'm signing it is that as of Version 7, Update 40, Oracle has further increased the nagging users have to deal with when running unsigned applets. It used to be that you could check a box saying you trusted an applet once, and that would be remembered. As of Update 40, it's only remembered for that browser session; the warning reappears if you close the browser and come back later. They've also said they're going to disable unsigned applets entirely in "a future version" of the Java plug-in.

Yes, you can. This page shows how to do it (well, most of it; you also need this page). There are two main steps:

  1. Put the Permissions and Codebase attributes in your manifest file:

     Permissions: sandbox
     Codebase: *.myserver.com

    These new attributes were introduced in Java 7 Update 25 and are discussed here. The first page linked above just shows Codebase: myserver.com, but most sites are going to want the wildcard above. (I don't know if the Codebase attribute is required for sandboxing the applet, but it seems like a good idea for most signed applets anyway.)

    Then use that manifest file when building your jar, like:

     jar cvfm YourJarFile.jar your_manifest_file.txt classes_and_such

    Those attributes will wind up in the MANIFEST.MF file in the jar, which tells the Java runtime to keep the applet sandboxed.

  2. In your <applet> tag, you have to specify the permissions param, as discussed here:

     <applet code='yourAppletClass' archive='YourJarFile.jar'>
         <param name="permissions" value="sandbox">
     </applet>

    Without this second step, a signed applet requesting sandboxed permissions in the jar but not the tag is prevented from being run with a dialog box titled "The Application Cannot Be Run" giving "Reason: JAR manifest requested to run in sandbox only."

If you do both steps above, the user gets a much more reassuring message (and presumably the applet remains sandboxed):

This application will run with limited access that is intended to protect your computer and personal information.

...and if they check the relevant checkbox trusting the publisher and location, they don't see it again when they next open their browser and run your applet.


(In the course of asking this question, I found the answer, but since the answer wasn't on Stack Overflow I thought I'd go ahead and post the question and answer.)
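A pre-deployment check for the two steps in the answer above, added here as an example and not part of the original post: it reads the main section of a jar's MANIFEST.MF and the page's <applet> tag and reports when the sandbox request is missing from either side, which is the mismatch that produces the "The Application Cannot Be Run" dialog. The function names and the sample jar and HTML are constructed for illustration.

```python
import io, re, zipfile
from html.parser import HTMLParser

def make_jar(manifest_text):
    """Build a constructed in-memory JAR holding only the given manifest."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", manifest_text)
    return buf.getvalue()

def main_attributes(jar_bytes):
    """Return the manifest's main-section attributes, names lower-cased."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        text = jar.read("META-INF/MANIFEST.MF").decode("utf-8")
    # Normalise line endings, then join continuation lines (newline + one space).
    text = re.sub(r"\r\n|\r", "\n", text).replace("\n ", "")
    main = text.split("\n\n", 1)[0]  # per-entry sections start after a blank line
    pairs = (line.partition(": ") for line in main.splitlines())
    return {name.lower(): value.strip() for name, sep, value in pairs if sep}

class AppletParams(HTMLParser):
    """Collect <param> name/value pairs that appear inside <applet> tags."""
    def __init__(self):
        super().__init__()
        self.in_applet, self.params = False, {}
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "applet":
            self.in_applet = True
        elif tag == "param" and self.in_applet:
            self.params[(a.get("name") or "").lower()] = a.get("value")
    def handle_endtag(self, tag):
        if tag == "applet":
            self.in_applet = False

def check_sandbox(jar_bytes, html):
    """Return a list of problems; an empty list means both steps are in place."""
    attrs, parser, problems = main_attributes(jar_bytes), AppletParams(), []
    parser.feed(html)
    if attrs.get("permissions") != "sandbox":
        problems.append("manifest: Permissions is not sandbox")
    if "codebase" not in attrs:
        problems.append("manifest: no Codebase attribute")
    if parser.params.get("permissions") != "sandbox":
        problems.append("html: applet tag has no permissions=sandbox param")
    return problems

# Constructed sample input mirroring the answer's manifest and <applet> tag.
SAMPLE_JAR = make_jar("Manifest-Version: 1.0\r\nPermissions: sandbox\r\n"
                      "Codebase: *.myserver.com\r\n")
SAMPLE_HTML = ("<applet code='yourAppletClass' archive='YourJarFile.jar'>"
               "<param name=\"permissions\" value=\"sandbox\"></applet>")
print(check_sandbox(SAMPLE_JAR, SAMPLE_HTML))
```

Only the manifest's main section is consulted, so a Permissions line that appears under a per-entry Name: section is not counted.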
