动态将jar文件加载到ClassPath-HTTPS url?
[英]Load jar file dynamically to ClassPath - HTTPS url ?
问题描述
I am having a problem here since ytday in fact. 
实际上,自从昨天以来,我在这里遇到了问题。 I am trying to load a jar file dynamically at runtime over https url - and i can't figure out how to exactly do it. 我试图在运行时通过https url动态加载jar文件-我不知道如何确切地做到这一点。 I am able to load the jar over standard http: url but not when using https: 我可以通过标准的http:网址加载jar,但使用https时无法加载:
public void addURL(URL https) throws IOException {
HttpsURLConnection conn = (HttpsURLConnection) https.openConnection();
Class<?>[] parameters = new Class[]{URL.class};
log.info("https url : " + https);
// IMPORTANT: MUST use the webapp classloader - so derived extension classes car esolve their base classes
ClassLoader contextClassLoader = Thread.currentThread().getContextClassLoader();
// cast to a URL class loader so we can additional JAR(s) to the search path
URLClassLoader webappClassLoader = (URLClassLoader)contextClassLoader;
Class<?> sysclass = URLClassLoader.class;
Method method;
try {
method = sysclass.getDeclaredMethod("addURL", parameters);
method.setAccessible(true);
method.invoke(webappClassLoader, new Object[]{ https });
} catch (NoSuchMethodException | SecurityException e) {
e.printStackTrace();
} catch (IllegalAccessException | IllegalArgumentException | InvocationTargetException e) {
e.printStackTrace();
}
}
Help much appreciated :) in pointing / showing me where or what to add etc. 帮助非常感谢:)指出/显示我在哪里或添加什么内容等。
1 个解决方案
解决方案1
1 已采纳 2014-05-07 10:14:26
Since you are dealing with Secure Connections, you are stepping into the area of Certificates. 由于您正在处理安全连接,因此您将进入“证书”区域。
Java thinks that your Server is not trusted. Java认为您的服务器不受信任。 You could understand that from the stack traces. 您可以从堆栈跟踪中了解这一点。
You have two choices here. 您在这里有两个选择。 You can let your program to ignore the Certificate Validation. 您可以让程序忽略证书验证。 You will need to execute this code only once before you call addURL. 在调用addURL之前,只需执行一次此代码。
import java.security.SecureRandom;
import java.security.cert.X509Certificate;
import javax.net.ssl.*;
private TrustManager[] getBypassingTrustManager()
{
TrustManager[] certs = new TrustManager[]
{
new X509TrustManager()
{
public X509Certificate[] getAcceptedIssuers()
{
return null;
}
public void checkClientTrusted(X509Certificate[] certs, String t)
{
}
public void checkServerTrusted(X509Certificate[] certs, String t)
{
}
}
};
return certs;
}
SSLContext sslCtx = SSLContext.getInstance("SSL");
TrustManager trustManager[] = getBypassingTrustManager();
sslCtx.init(null, trustManager, new SecureRandom());
HttpsURLConnection.setDefaultSSLSocketFactory(sslCtx.getSocketFactory());
The above approach is not great in the sense of Security. 从安全的角度来看,上述方法不是很好。 Far better if you learn how Java Keystores work (java.security.KeyStore). 如果您了解Java密钥库的工作方式(java.security.KeyStore),那就更好了。 Instead of ignoring Certificate Validation, you can keep the Certificate from your Server in a Keystore file. 可以不忽略证书验证,而可以将服务器中的证书保留在密钥库文件中。 Your application can then load your keystore, which makes Java trusting your Servers. 然后,您的应用程序可以加载您的密钥库,这使Java信任您的服务器。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.