从JRE 1.6.0_19开始的Java JRE混合代码安全性
[英]Java JRE Mixed Code Security, starting with JRE 1.6.0_19
问题描述
Java JRE混合代码安全性,从JRE 1.6.0_19开始,大约在2010年左右,使用JDK / JRE 1.6.0_12实现了一个主要的jar Java Applet; 主jar和第三方jar已签名,一切正常。 主jar java applet和第三方jar在JRE 1.6.0_12至JRE 1.6.0_18上均可正常使用。
但是,随着从JRE 1.6.0_19开始引入混合代码安全性,除非禁用了混合代码安全性,否则主jar将不会从JRE 11.6.0_27启动。
我们将JRE从1.6.0_12升级到更新27。我正在尝试解决此问题,即,在启用混合代码安全性时,允许启动签名的主jar Java applet和签名的第三方jar。
我有一个具有Java Applet源代码的主jar和该主jar使用的几个第三方jar。 例如,activation.jar,log4j-1.2.13.jar,ojdbc14.jar等。
在JDK 1.6.0_27中使用keytool.exe创建了一个新的密钥库,该密钥库具有Java小程序的私钥/公钥对。 在JDK 1.6.0_27中使用jarsigner.exe,我用私钥成功签名了主jar和所有第三方jar; 每个jar都有一个签名文件.SF和一个签名块文件.DSA(数字签名算法)。 我导出了用于验证签名罐子的公共密钥。
Java Applet和第三方jar位于Web应用程序的webcontent / applet目录中,当使用Web应用程序启动applet时,主jar和第三方jar将下载到用户的计算机中。 数字签名部分工作正常,当禁用JRE混合代码安全性时,Java小程序能够启动并成功工作。 启用时,这仍不能解决混合代码安全性。
我尝试将主jar部署为“仅受信任”和“受信任的库”。 在启用混合代码安全性的两种情况下,主jar Java Applets无法启动,我得到了不同的异常,但结果相同。
Trusted-Only :: Mixed Code Enable
.........................
cache: Mark prevalidated: http://hostname:port/path/main.jar true tm=numbers cert=numbers
security: http://hostname:port/path/main.jar is newly asserting Trusted-Only
basic: Plugin2ClassLoader.getPermissions CeilingPolicy allPerms
security: Validate the certificate chain using CertPath API
security: The certificate hasnt been expired, no need to check timestamping info
security: Cannot find jurisdiction list file
security: The CRL support is disabled
security: The OCSP support is disabled
security: This OCSP End Entity validation is disabled
security: Checking if certificate is in Deployment denied certificate store
security: Checking if certificate is in Deployment permanent certificate store
basic: Embedding dialogs not enabled in Configuration
basic: Plugin2ClassLoader.getPermissions CeilingPolicy allPerms
.........................
.........................
network: Cache entry not found [url: http://hostname:port/path/StatLib.jar, version: null]
network: Connecting http://hostname:port/path/StatLib.jar with proxy=DIRECT
network: Connecting http://hostname:port/ with proxy=DIRECT
network: Connecting http://hostname:port/path/StatLib.jar with cookie "CheckboxChecked=Y; JSESSIONID=j_session_id"
network: CleanupThread used 1 us
network: Downloading resource: http://hostname:port/path/StatLib.jar
Content-Length: 62,219
Content-Encoding: null
network: Wrote URL http://hostname:port/path/StatLib.jar to File C:\path\LocalLow\Sun\Java\Deployment\cache\6.0\24\167b0298-1365f142-temp
security: Trusted libraries list file not found
cache: Create from verifier: JarSigningData{hasOnlySignedEntries=true, hasSingleCodeSource=true, hasMissingSignedEntries=false}
cache: Adding MemoryCache entry: http://hostname:port/path/StatLib.jar
basic: Plugin2ClassLoader.isTrustedByPolicy called
basic: Plugin2ClassLoader.isTrustedByPolicy returns false
security: resource name "com/name/statistics/lib/I_Dispatch.class" in http://hostname:port/path/StatLib.jar : java.lang.SecurityException: Trusted-Only loader attempted to load sandboxed resource from http://hostname:port/path/StatLib.jar
04/01/2013 16:58:41,588 - [FATAL Thread-15 com.lfg.name.JavaObjectName.init(JavaName.java:193)] - Error in Method() java.lang.SecurityException: Trusted-Only loader attempted to load sandboxed resource from http://hostname:port/path/StatLib.jar
at com.sun.deploy.security.CPCallbackHandler$ParentCallback.check(Unknown Source)
at com.sun.deploy.security.CPCallbackHandler$ParentCallback.access$1500(Unknown Source)
at com.sun.deploy.security.CPCallbackHandler$ChildElement.checkResource(Unknown Source)
at com.sun.deploy.security.DeployURLClassPath$JarLoader.checkResource(Unknown Source)
at com.sun.deploy.security.DeployURLClassPath$JarLoader.getResource(Unknown Source)
at com.sun.deploy.security.DeployURLClassPath$JarLoader.getResource(Unknown Source)
at com.sun.deploy.security.DeployURLClassPath.getResource(Unknown Source)
at sun.plugin2.applet.Plugin2ClassLoader$2.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at sun.plugin2.applet.Plugin2ClassLoader.findClassHelper(Unknown Source)
at sun.plugin2.applet.Applet2ClassLoader.findClass(Unknown Source)
at sun.plugin2.applet.Plugin2ClassLoader.loadClass0(Unknown Source)
at sun.plugin2.applet.Plugin2ClassLoader.loadClass(Unknown Source)
at sun.plugin2.applet.Plugin2ClassLoader.loadClass(Unknown Source)
at java.lang.ClassLoader.loadClass(Unknown Source)
at java.lang.ClassLoader.defineClass1(Native Method)
at java.lang.ClassLoader.defineClass(Unknown Source)
at java.security.SecureClassLoader.defineClass(Unknown Source)
at java.net.URLClassLoader.defineClass(Unknown Source)
at sun.reflect.GeneratedMethodAccessor11.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.lang.reflect.Method.invoke(Unknown Source)
at sun.plugin2.applet.Plugin2ClassLoader.defineClassHelper(Unknown Source)
at sun.plugin2.applet.Plugin2ClassLoader.access$100(Unknown Source)
at sun.plugin2.applet.Plugin2ClassLoader$2.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at sun.plugin2.applet.Plugin2ClassLoader.findClassHelper(Unknown Source)
at sun.plugin2.applet.Applet2ClassLoader.findClass(Unknown Source)
at sun.plugin2.applet.Plugin2ClassLoader.loadClass0(Unknown Source)
at sun.plugin2.applet.Plugin2ClassLoader.loadClass(Unknown Source)
at sun.plugin2.applet.Plugin2ClassLoader.loadClass(Unknown Source)
at java.lang.ClassLoader.loadClass(Unknown Source)
at java.lang.Class.forName0(Native Method)
at java.lang.Class.forName(Unknown Source)
.... Java Applet is calling and loading a class in a third party jar that I signed but for some reason is been treated as unsigned ....
.......................
network: Cache entry not found [url: http://hostname:port/path/ojdbc14.jar, version: null]
network: Connecting http://hostname:port/path/ojdbc14.jar with proxy=DIRECT
network: Connecting http://hostname:port/ with proxy=DIRECT
network: Connecting http://hostname:port/path/ojdbc14.jar with cookie "CheckboxChecked=Y; JSESSIONID=j_session_id"
network: CleanupThread used 1 us
network: Downloading resource: http://hostname:port/path/ojdbc14.jar
Content-Length: 1,448,790
Content-Encoding: null
network: Wrote URL http://hostname:port/path/ojdbc14.jar to File C:\path\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\51\534fe7f3-21a4d4ae-temp
security: Trusted libraries list file not found
cache: Create from verifier: JarSigningData{hasOnlySignedEntries=true, hasSingleCodeSource=true, hasMissingSignedEntries=false}
network: CleanupThread used 1 us
cache: Adding MemoryCache entry: http://hostname:port/path/ojdbc14.jar
basic: Plugin2ClassLoader.isTrustedByPolicy called
basic: Plugin2ClassLoader.isTrustedByPolicy returns false
security: resource name "oracle/jdbc/driver/OracleDriver.class" in http://hostname:port/path/ojdbc14.jar : java.lang.SecurityException: Trusted-Only loader attempted to load sandboxed resource from http://hostname:port/path/ojdbc14.jar
java.lang.SecurityException: Trusted-Only loader attempted to load sandboxed resource from http://hostname:port/path/ojdbc14.jar
at com.sun.deploy.security.CPCallbackHandler$ParentCallback.check(Unknown Source)
at com.sun.deploy.security.CPCallbackHandler$ParentCallback.access$1500(Unknown Source)
at com.sun.deploy.security.CPCallbackHandler$ChildElement.checkResource(Unknown Source)
at com.sun.deploy.security.DeployURLClassPath$JarLoader.checkResource(Unknown Source)
at com.sun.deploy.security.DeployURLClassPath$JarLoader.getResource(Unknown Source)
at com.sun.deploy.security.DeployURLClassPath$JarLoader.getResource(Unknown Source)
at com.sun.deploy.security.DeployURLClassPath.getResource(Unknown Source)
at sun.plugin2.applet.Plugin2ClassLoader$2.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at sun.plugin2.applet.Plugin2ClassLoader.findClassHelper(Unknown Source)
at sun.plugin2.applet.Applet2ClassLoader.findClass(Unknown Source)
at sun.plugin2.applet.Plugin2ClassLoader.loadClass0(Unknown Source)
at sun.plugin2.applet.Plugin2ClassLoader.loadClass(Unknown Source)
at sun.plugin2.applet.Plugin2ClassLoader.loadClass(Unknown Source)
at java.lang.ClassLoader.loadClass(Unknown Source)
..... java applet is loaded a java class in a third party jar that was signed, but is been treated as untrusted.....
Trusted-Library :: Mixed Code Enable
..............................
cache: Mark prevalidated: http://hostname:port/path/main.jar true tm=numbers cert=numbers
basic: Plugin2ClassLoader.getPermissions CeilingPolicy allPerms
security: Validate the certificate chain using CertPath API
security: The certificate hasnt been expired, no need to check timestamping info
security: Cannot find jurisdiction list file
security: The CRL support is disabled
security: The OCSP support is disabled
security: This OCSP End Entity validation is disabled
security: Checking if certificate is in Deployment denied certificate store
security: Checking if certificate is in Deployment permanent certificate store
basic: Embedding dialogs not enabled in Configuration
basic: exception: java.lang.NoClassDefFoundError: org/apache/log4j/Logger.
java.lang.RuntimeException: java.lang.NoClassDefFoundError: org/apache/log4j/Logger
at com.sun.deploy.uitoolkit.impl.awt.AWTAppletAdapter.instantiateApplet(Unknown Source)
at sun.plugin2.applet.Plugin2Manager.initAppletAdapter(Unknown Source)
at sun.plugin2.applet.Plugin2Manager$AppletExecutionRunnable.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
Caused by: java.lang.NoClassDefFoundError: org/apache/log4j/Logger
at com.path.MainClassApplet.init(MainClassApplet.java:line_number)
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(Unknown Source)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(Unknown Source)
at java.lang.reflect.Constructor.newInstance(Unknown Source)
at java.lang.Class.newInstance0(Unknown Source)
at java.lang.Class.newInstance(Unknown Source)
at com.sun.deploy.uitoolkit.impl.awt.AWTAppletAdapter$1.run(Unknown Source)
at java.awt.event.InvocationEvent.dispatch(Unknown Source)
at java.awt.EventQueue.dispatchEventImpl(Unknown Source)
at java.awt.EventQueue.access$200(Unknown Source)
at java.awt.EventQueue$3.run(Unknown Source)
at java.awt.EventQueue$3.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at java.security.ProtectionDomain$1.doIntersectionPrivilege(Unknown Source)
at java.security.ProtectionDomain$1.doIntersectionPrivilege(Unknown Source)
at java.awt.EventQueue$4.run(Unknown Source)
at java.awt.EventQueue$4.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at java.security.ProtectionDomain$1.doIntersectionPrivilege(Unknown Source)
at java.awt.EventQueue.dispatchEvent(Unknown Source)
at java.awt.EventDispatchThread.pumpOneEventForFilters(Unknown Source)
at java.awt.EventDispatchThread.pumpEventsForFilter(Unknown Source)
at java.awt.EventDispatchThread.pumpEventsForHierarchy(Unknown Source)
at java.awt.EventDispatchThread.pumpEvents(Unknown Source)
at java.awt.EventDispatchThread.pumpEvents(Unknown Source)
at java.awt.EventDispatchThread.run(Unknown Source)
Caused by: java.lang.ClassNotFoundException: org.apache.log4j.Logger
at sun.plugin2.applet.Applet2ClassLoader.findClass(Unknown Source)
at sun.plugin2.applet.Plugin2ClassLoader.loadClass0(Unknown Source)
at sun.plugin2.applet.Plugin2ClassLoader.loadClass(Unknown Source)
at sun.plugin2.applet.Plugin2ClassLoader.loadClass(Unknown Source)
at java.lang.ClassLoader.loadClass(Unknown Source)
... 27 more
Ignored exception: java.lang.RuntimeException: java.lang.NoClassDefFoundError: org/apache/log4j/Logger
basic: Dialog type is not candidate for embedding
basic: Removed progress listener: sun.plugin.util.ProgressMonitorAdapter@40ab5b6c
security: Reset deny session certificate store
主jar applet(Rich Internet Application)是使用JavaServer Pages文件(HTML页面)中带有html标记的JavaScript代码调用的。
据我了解,JavaScript代码被视为未签名的代码。 当从HTML页面中的JavaScript代码访问签名的小程序时,将在安全沙箱中执行签名的小程序。 这意味着已签名的小程序本质上的行为类似于未签名的小程序。
我正在辩论是否应该将JNLP与Deployment Tookit(deployJava.js)一起使用来部署小程序,或者是否应该在主JAR文件的清单文件中的主JAR文件的类路径中添加类; 其清单引用了一个不同的JAR文件(或几个不同的JAR文件),这些文件用作我的applet的实用程序。
关于如何解决此混合代码问题的任何想法吗?
请指教,谢谢。
1 个解决方案
解决方案1
0 2013-04-18 15:58:33
我可以确认问题出在最近的JRE。 从JS调用到Java将给您“混合代码警告”。 无论您如何签名或包括或不包括哪个库。 因此,以上注释不成立或不再成立(在最新的JRE升级之后,我正在使用1.7.0_21)。
但幸运的是,仍然允许从Java do javascript调用而不会出现问题,因此,针对这种问题的解决方案是实现从applet轮询的逗号队列,如下所示:
1)将对applet方法的每次调用包装在“请求对象”中,并将其放入队列中,例如:
var jobQueue = [];
function hello(message) {
request = {
cmd:"hello",
arg:"Jack",
callback:function(result) {
alert("I'm saying "+result);
}
}
jobQueue.push(request);
}
2)创建一个要从小程序调用的方法来获得工作:
function fetchJob(){
if (jobQueue.length>0) {
return jobQueue.shift();
}
}
3)小程序启动时,产生一个线程或计时器,该线程或计时器将每X毫秒调用一次函数fetchJob 。 当函数返回非空请求时,小程序可以执行。 该请求甚至可以带有一个回调(如上例所示)以返回结果
就这样。 但是要当心:如果使用回调返回结果,请当心不要返回本机对象以外的任何东西,否则您将再次收到混合代码警告。 即使是字符串数组也不起作用。 如果需要创建更复杂的结果,则需要使用liveconnect API回调到javascript,并从Java Applet创建本机JS对象,然后使用该回调来调用回调。
祝好运!
没有模块化代码的“Essential”(Jigsawed)Java 9 JRE
[英]“Essential” (Jigsawed) Java 9 JRE without modularized code
未绑定的类路径容器:项目中的'JRE系统库[Java SE 6 [1.6.0_65-b14-462]]'
[英]Unbound classpath container: 'JRE System Library [Java SE 6 [1.6.0_65-b14-462]]' in project
对于没有管理员权限的用户,JRE 1.6.0_13的Java Web Start在XP上不起作用
[英]Java Web Start of JRE 1.6.0_13 is not working on XP for user who does not have Admin privileges
jnlp文件提示Mac下载JRE,但已安装(Java 1.6.0_37)Mac OSX 10.7.5
[英]jnlp file is prompting mac to download JRE, but its already installed (Java 1.6.0_37) Mac OSX 10.7.5
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.
相关问题
错误:此应用程序需要 jre 1.6.0
jre1.6.0_27 HashMap values()源代码
Java(JRE)版本与已编译代码的兼容性
从java代码设置JRE变量
修复Java代码中的JRE错误并重新编译应用程序
没有模块化代码的“Essential”(Jigsawed)Java 9 JRE
通过Java代码将文件放入jre bin
未绑定的类路径容器:项目中的'JRE系统库[Java SE 6 [1.6.0_65-b14-462]]'
对于没有管理员权限的用户,JRE 1.6.0_13的Java Web Start在XP上不起作用
jnlp文件提示Mac下载JRE,但已安装(Java 1.6.0_37)Mac OSX 10.7.5
相关标签