如何通过 JNLP 传递其值可能更改为已签名 Java RIA (applet, webstart) 的任意系统属性?
[英]How can I pass arbitrary system properties whose values may change to a signed Java RIA (applet, webstart) via JNLP?
问题描述
Due to tighter security restrictions in 7u51 , due in January, I'm trying to sign my JNLP file.
由于7u51中更严格的安全限制,将于 1 月到期,我正在尝试签署我的 JNLP 文件。
Our application requires certain custom system properties to be set, and the values of some of those properties are different depending on where the applet is being deployed.我们的应用程序需要设置某些自定义系统属性,其中一些属性的值会根据小程序的部署位置而有所不同。 I would like to avoid having to re-sign the JAR containing the JNLP template for each deployment.我想避免为每个部署重新签署包含 JNLP 模板的 JAR。
The naive approach of putting <property name="my-prop" value="*"/> in the JNLP template does not work.将<property name="my-prop" value="*"/>放入 JNLP 模板的幼稚方法不起作用。
Even with <property name="my-prop" value="fixed-value"/> in the template, I sometimes get a dialog saying "This application is going to perform an insecure operation. Do you want to continue?":即使在模板中使用<property name="my-prop" value="fixed-value"/> ,我有时也会收到一个对话框,提示“此应用程序将执行不安全的操作。您要继续吗?”:
What's the right way to pass system properties in to a signed Java RIA?将系统属性传递给已签名的 Java RIA 的正确方法是什么?
2 个解决方案
解决方案1
6 已采纳 2013-12-06 17:46:41
On both counts, your application will need to add some trivial code to be executed at start-up, in order to work around these two issues. 在这两个方面,您的应用程序将需要添加一些在启动时执行的简单代码,以解决这两个问题。
Wildcards Not Allowed in Property Values 属性值中不允许使用通配符
The JNLP specification says: JNLP规范说:
It is expected that a JNLP Client will blacklist (or restrict) certain jnlp elements and argument values such as "java-vm-args" or property "name" and "value" to maintain security.
In fact, the Oracle implementation (at least in 7u45) does blacklist the value attribute of the <property/> element -- it cannot be wildcarded. 事实上,Oracle实现(至少在7u45中)确实将<property/>元素的value属性列入黑名单 - 它不能是通配符。 I've been unable to locate any reasoning behind this decision, but there it is. 我一直无法找到这个决定背后的任何推理,但事实确实如此。
The webstart work-around allows arbitrary property names as well as values; webstart解决方法允许任意属性名称和值; the applet work-around requires that the names of the properties be known at code-signing time. applet解决方法要求在代码签名时知道属性的名称。
Work-around: Webstart 解决方法:Webstart
In your JNLP file, include a number of wildcard arguments: 在JNLP文件中,包含许多通配符参数:
<application-desc main-class="com.example.YourMainClass">
<argument>*</argument>
<argument>*</argument>
</application-desc>
In your application's main method, parse these arguments and copy them in to system properties using System.setProperty() , skipping over arguments that still have the literal value "*" . 在应用程序的main方法中,解析这些参数并使用System.setProperty()将它们复制到系统属性中,跳过仍具有文字值"*" 。 I recommend simply splitting each argument on the first occurrence of "=" . 我建议在第一次出现的"="简单地拆分每个参数。 (If your application already takes regular arguments as well, you'll have to get a bit more creative.) (如果您的应用程序已经采用了常规参数,则必须更具创造性。)
Work-around: Applet 解决方法:Applet
In your JNLP file, include parameters defining the system properties that need to be set: 在JNLP文件中,包含定义需要设置的系统属性的参数:
<applet-desc main-class="com.example.YourMainClassApplet">
<param name="SYS_PROPERTY_PARAMETERS" value="prop1,prop2"/>
<param name="prop1" value="*"/>
<param name="prop2" value="*"/>
</applet-desc>
In your Applet.init() method, get the value of the SYS_PROPERTY_PARAMETERS parameter, and iterate over it to get the value of each parameter. 在Applet.init()方法中,获取SYS_PROPERTY_PARAMETERS参数的值,并对其进行迭代以获取每个参数的值。 If it is not the literal "*" , copy it to a system property using System.setProperty() . 如果它不是文字"*" ,请使用System.setProperty()将其复制到系统属性。
"Insecure Operation" dialog “不安全操作”对话框
This is a bug in the Oracle plugin that is triggered by the use of LiveConnect (Java <-> JavaScript interaction). 这是Oracle插件中的一个错误 ,它由使用LiveConnect(Java < - > JavaScript交互)触发。
Work-around: "secure" property prefixes 解决方法:“安全”属性前缀
Prefix all system properties set via <property/> elements in the JNLP with "jnlp." 使用"jnlp."在JNLP中通过<property/>元素设置所有系统属性的前缀"jnlp." : :
<property name="jnlp.my-prop" value="fixed-value"/>
Then in your application's main() or Applet.init() method, iterate over a copy of System.getProperties() and, if the property name starts with "jnlp." 然后在应用程序的main()或Applet.init()方法中,迭代System.getProperties()的副本 ,如果属性名称以"jnlp."开头"jnlp." , copy its value into a property of the same name with that prefix stripped off. ,将其值复制到具有相同名称的属性中,并删除该前缀。 (Iterating over the copy is necessary to avoid a ConcurrentModificationException .) (为避免ConcurrentModificationException必须迭代副本。)
Gotcha: JNLP template validator considers order of XML attributes 问题:JNLP模板验证器考虑XML属性的顺序
Finally, if your process of filling in the values for the properties could cause attributes of other elements in the JNLP document to be reordered, this may cause the JNLP template validation to fail. 最后,如果填充属性值的过程可能导致JNLP文档中其他元素的属性重新排序,则可能导致JNLP模板验证失败。 (Parsing the JNLP with a DOM parser, filling in the wildcards, and streaming it back out using StreamResult is one way this could happen.) For example, I had these two multi-attribute elements, and the order of the elements had to match: (使用DOM解析器解析JNLP,填充通配符,然后使用StreamResult将其流回来是可能发生的一种方式。)例如,我有这两个多属性元素,并且元素的顺序必须匹配:
<jnlp codebase="*" spec="1.0+">
<j2se java-vm-args="-Xms256M -Xmx512M -XX:MaxPermSize=256m" version="1.6+"/>
解决方案2
0 2022-08-04 08:21:47
This was a bug in Oracle Java.这是 Oracle Java 中的一个错误。 According to this bug report it should be fixed in version 9.根据这个错误报告,它应该在版本 9 中得到修复。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.