I have Java7 update 45. I am testing a small test applet packaged in a jar file that I am trying to load via an HTML page as:
<html>
<body>
<applet code="SmallApplet" archive="appTable89Signed.jar" codebase="." width=500 height=500>
<param name="permissions" value="all-permissions" />
</applet>
</body>
</html>
The jar file manifest has the Permission attribute and its value is "all-permissions". When I sign the jar file with a certified key, I get the ClassNotFoundException
. Looking at tomcat access log as well as out from Java Console, I see the SmallApplet
class is being loaded from the web application URL.
network: Connecting http://xxxxxx:8085/testappletsigning/SmallApplet.class with proxy=DIRECT
Followed by the exception
java.lang.ClassNotFoundException: SmallApplet
at sun.plugin2.applet.Applet2ClassLoader.findClass(Unknown Source)
at sun.plugin2.applet.Plugin2ClassLoader.loadClass0(Unknown Source)
at sun.plugin2.applet.Plugin2ClassLoader.loadClass(Unknown Source)
at sun.plugin2.applet.Plugin2ClassLoader.loadClass(Unknown Source)
at java.lang.ClassLoader.loadClass(Unknown Source)
at sun.plugin2.applet.Plugin2ClassLoader.loadCode(Unknown Source)
at sun.plugin2.applet.Plugin2Manager.initAppletAdapter(Unknown Source)
at sun.plugin2.applet.Plugin2Manager$AppletExecutionRunnable.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
basic: load: class SmallApplet not found
If I use a self-signed and import it as a trusted certificate then the exception disappears.
The only way I can use a certified key to sign a jar, appears to be by using "sandbox" permissions both in the jar manifest and the applet tag.
Is there an explanation for this behavior?
OP- I had a similar issue with a .jar that had a signature in it. Over the last few months java security has become a major PITA with everything needing to be exactly right. In my case I had number of .jar files, some had signatures in them, others didn't. I created a code signing cert for my domain, then wrote a .bat file to strip out the META-INF folder (which contains the manifest file and signatures for the .class files), re-jar the files then sign them. Mine would not work unless I added the lines below (using jar umf change.txt, change.txt being the five lines I have listed below)
The first thing (which you have probably already tested, but I will say it anyway) is that you will need to trust the cert.
But I think your problem is that you need to add additional lines to the manifest file (before you sign it!). I added these lines to my manifest, signed it using jarsigner and then it worked fine.
Codebase: *
Permissions: all-permissions
Application-Library-Allowable-Codebase: *
Caller-Allowable-Codebase: *
Application-Name: <my app name>
I'm not a Java programmer, so I'm not completely 100% sure why each is needed. But from what I can tell, Java security knows where you called the .jar file from, and if there is a class outside that it won't call it because it exists outside the .jar. By adding the codebase parameters, it says trust anything. You can change it to a specific web address (such as http/https://) to lock it down more specifically.
Hope this helps.
I had a similar issue when switching from one code signing certificate to another one from a different CA. I signed the exact same jar with the new certificate and when loading the Applet I got a ClassNotFoundException
.
The Manifest contained the following security related attributes:
Application-Name: <app name>
Permissions: all-permissions
Codebase: *
I finally got it to work after I added the following attribute:
Trusted-Library: true
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.