验证Jar中的Java类
[英]Validate Java Classes Inside Jar
问题描述
Java class files inside jars can be easily replaced and modified. 
jars中的Java类文件可以轻松替换和修改。 For instance, the following command can be used to replace a compiled class file within a jar: 例如,以下命令可用于替换jar中的已编译类文件:
jar uf JarFile.jar com\something\Class.class
If the class file was replaced with a file such that no dependencies were broken, then the code is still able to execute. 如果将类文件替换为没有破坏任何依赖关系的文件,则该代码仍然可以执行。 The same happens with class files that are not inside jars. 不在jar中的类文件也会发生同样的情况。
Is there any way to validate a set of class files (whether inside a jar or not) to see if all their dependencies are present and not broken? 有什么方法可以验证一组类文件(无论是否在jar中),以查看其所有依赖项是否存在并且没有损坏?
I do not want to prevent class files from being modified but rather to be able to verify that changes are valid (with respect to dependencies). 我不想阻止类文件被修改,而是希望能够验证更改是否有效(关于依赖项)。 The compiler does this check (dependency-check) at compile time, but once the classes are compiled, how can one verify the class files themselves? 编译器在编译时执行此检查(依赖项检查),但是一旦编译了类,如何才能验证类文件本身?
3 个解决方案
解决方案1
0 2012-07-17 23:00:19
You might have sealing and signing JARs in mind. 您可能会想到加盖和签名 JAR。
Update: 更新:
Apparently I've missed the mark with my first guess. 显然我第一次猜错了。
What do you plan to do if they're not? 如果没有,您打算怎么办? If they're a 3rd party, I'd say that you've got little choice besides reporting to the bug database that the download is bad. 如果他们是第三方,我想说的是除了向错误数据库报告下载错误之外,您别无选择。
If you mean "I want to make sure that all their 3rd party JAR dependencies are correct", you've got a much bigger problem. 如果您的意思是“我想确保他们所有的第三方JAR依赖关系都正确”,那么您遇到的问题要大得多。 Most downloads that I know of (eg Spring) make dependencies available using Maven. 我知道的大多数下载内容(例如Spring)都使用Maven使依赖项可用。 That's the best you can do. 那是你所能做的最好的。
If you mean you want to check your own dependencies, I'd say that testing would reveal any errors you've made. 如果您是想检查自己的依赖关系,那我想说测试将揭示您所犯的所有错误。
解决方案2
-1 2012-07-18 00:00:28
no, you cannot. 你不能。
at least: not really. 至少:不是真的。 the problem is that java loads classes at runtime only when needed. 问题是Java仅在需要时才在运行时加载类。 so eventually it might be alright to remove a class from the jar file and as long as no code referencing that class is executed things run very smoothly. 因此,最终可以从jar文件中删除一个类,并且只要没有执行任何引用该类的代码,事情运行就非常顺利。
consider this example: 考虑以下示例:
class A{ public static void main( String args[] ){ out.println( "hello" ); } }
class B{}
compile this, put it in a jar, remove the B.class from it, no problem there :) 编译它,将它放在一个罐子里,从中删除B.class,没有问题:)
now you might think you can go through each .class file, check what classes it references and see if the files are all there. 现在您可能会认为可以遍历每个.class文件,检查它引用了哪些类,并查看文件是否全部存在。 not only is this painful, it is also incomplete. 这不仅痛苦,而且也不完整。 you will never quite catch files loaded with reflection because their class names might be constructed just at runtime. 您永远不会完全捕获装载有反射的文件,因为它们的类名可能只是在运行时构造的。
my advice: don't go there. 我的建议:不要去那里。 if someone removes a class file it's their own fault. 如果有人删除了一个类文件,那是他们自己的错。 the best thing you can do is (but only if this really really worries you) try to catch ClassNotFoundException s at runtime (look into thread.setUncaughtExceptionHandler) 最好的办法是(但仅在确实让您担心的情况下)尝试在运行时捕获ClassNotFoundException (查看thread.setUncaughtExceptionHandler)
解决方案3
-1 已采纳 2012-07-18 03:26:02
只需加载该类即可确保这一点。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.