如何避免applet“你想运行这个应用程序吗?”弹出消息
[英]How to avoid applets “Do you want to run this application?” pop-up message
问题描述
Recently we had to upgrade to Java JRE to 1.8.0_201 for an old web application using a single signed Applet. 
最近,我们不得不使用单个签名的Applet将Java JRE升级到1.8.0_201以获取旧的Web应用程序。 Since then, on starting the applet the "Do you want to run this application?" 从那时起,在启动applet时,“你想运行这个应用程序吗?” pop-up window is shown with the detailed information "This application will run with unrestricted access which may put your computer and personal information at risk. Run this application if you trust the location and publisher above." 弹出窗口显示详细信息“此应用程序将以不受限制的访问方式运行,这可能会使您的计算机和个人信息面临风险。如果您信任上述位置和发布者,请运行此应用程序。”
According to this oracle article this is caused because the manifest does not contain the Permissions attribute. 根据这篇 oracle文章,这是因为清单不包含Permissions属性。 Validation shows that the MANIFEST.MF does contain the attribute. 验证显示MANIFEST.MF确实包含该属性。
Manifest-Version: 1.0
Application-Name: MyApplet
Implementation-Title: My Applet
Svn-Url:
Job-Name:
Implementation-Version: 3.12.0-SNAPSHOT
Build-Number:
Archiver-Version: Plexus Archiver
Built-By: username
Implementation-Vendor-Id: nl.myorg.myapplet
Application-Library-Allowable-Codebase: *.myorg.nl
localhost
127.0.0.1
Implementation-Vendor: My Organisation
Build-Tag: 3.12.0-SNAPSHOT
Caller-Allowable-Codebase: *.myorg.nl localhost 127.0.0.1
Permissions: sandbox
Codebase: *.myorg.nl localhost 127.0.0.1
Svn-Revision-LastChange:
Created-By: Apache Maven 3.1.1
Build-Jdk: 1.8.0_171
Svn-Revision:
I think this issue is related to Java Applet & Web Start - Code Signing . 我认为这个问题与Java Applet和Web Start - 代码签名有关 。 So i tried to run the applet in a sandbox to prevent the asking users for full permissions. 所以我试图在沙盒中运行applet以防止要求用户获得完全权限。
I added the <Permissions>sandbox</Permissions> entry to the applets manifest. 我在applets清单中添加了<Permissions>sandbox</Permissions>条目。
Changed the security settings in the applets jnlp from 更改了小程序jnlp中的安全设置
<security>
<all-permissions/>
</security>
to 至
<security>
<j2ee-application-client-permissions />
</security>
And added <PARAM name=permissions value=sandbox> to the <applet></applet> . 并将<PARAM name=permissions value=sandbox>到<applet></applet> 。
After making these changes a pop-up is shown with 'ExitException: The Java security settings have prevented this application from running. 进行这些更改后,弹出窗口显示为“ExitException:Java安全设置阻止此应用程序运行。 You may change this behaviour in the Java Control Panel.'. 您可以在Java控制面板中更改此行为。'
The Java Console does give some more details; Java控制台确实提供了一些更多细节;
cache: Create from verifier: JarSigningData{hasOnlySignedEntries=true, hasSingleCodeSource=true, hasMissingSignedEntries=false}
java.lang.SecurityException: JAR manifest requested to run in sandbox only: http://localhost:8080/MyApplet/static/3.12.0-SNAPSHOT/applets/MyApplet.jar
at com.sun.deploy.security.DeployManifestChecker.verify(Unknown Source)
at com.sun.deploy.security.DeployManifestChecker.verify(Unknown Source)
at com.sun.javaws.security.AppPolicy.grantUnrestrictedAccess(Unknown Source)
at com.sun.javaws.security.JNLPSignedResourcesHelper.checkSignedResourcesHelper(Unknown Source)
at com.sun.javaws.security.JNLPSignedResourcesHelper.checkSignedResources(Unknown Source)
at sun.plugin2.applet.JNLP2Manager.prepareLaunchFile(Unknown Source)
at sun.plugin2.applet.JNLP2Manager.loadJarFiles(Unknown Source)
at sun.plugin2.applet.Plugin2Manager$AppletExecutionRunnable.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
basic: The Java security settings have prevented this application from running. You may change this behavior in the Java Control Panel.
basic: Dialog type is not candidate for embedding
Since the exception is thrown by DeployManifestChecker.verify could it be that there is an error in the jnlp file ? 由于DeployManifestChecker.verify抛出异常,可能是jnlp文件中有错误吗? If so how to determine what is wrong? 如果是这样如何判断出什么问题?
1 个解决方案
解决方案1
0 2019-05-21 08:10:24
Solution is by storing the public key of the applet certificate on a very specific way into the java trusted.certs in the user directory. 解决方案是将applet证书的公钥以非常特定的方式存储到用户目录中的java trusted.certs中。 The trusted.certs is located in \\Users{username}\\AppData\\LocalLow\\Sun\\Java\\Deployment\\security. trusted.certs位于\\ Users {username} \\ AppData \\ LocalLow \\ Sun \\ Java \\ Deployment \\ security。
The certificate has to be loaded similar to the instruction below 必须按照以下说明加载证书
"\Program Files\Java\jre1.8.0_201\bin\keytool.exe" -import -alias deploymentusercert$tsflag$loc=http//localhost:8080##jnlp:http//localhost:8080##docbase:http//localhost:8080##from:http//localhost:8080java.util.random@1dc6cb9 -file D:\Desktop\APP-CERT.csr -keystore trusted.certs
The alias seems to be mis-used to store the associated location of the site and jnlp. 别名似乎被误用于存储站点和jnlp的关联位置。 The alias must have a heading of "deploymentusercert$tsflag$" and a java instance reference to java.util.random as tail text. 别名必须具有“deploymentusercert $ tsflag $”标题和java.util.random的java实例引用作为尾部文本。 Inbetween the properties loc, jnlp, docbase and from have to be specified, where the separator between loc and the value is '=' and for the others ':'. 在中间属性loc,jnlp,docbase和from必须指定,其中loc和值之间的分隔符是'=',而其他分隔符':'。
Only issue is that the keystore created through the Java Control Panel has no password. 唯一的问题是通过Java控制面板创建的密钥库没有密码。 When there is no existing trusted.certs before adding the applets certificate, you will have to write a small Java application or use another tool than keytool to create the keystore. 如果在添加applets证书之前没有现有的trusted.certs,则必须编写一个小型Java应用程序或使用除keytool之外的其他工具来创建密钥库。 This because keytool does not allow you to create a keystore without a password. 这是因为keytool不允许您在没有密码的情况下创建密钥库。 Or you could make the world a little bit safer by using a password protected java truststore :-D. 或者你可以通过使用受密码保护的java信任库来使世界变得更安全:-D。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.