Java JRE mixed code security, starting with JRE 1.6.0_19

Time: 2013-04-02 22:08:11

Tags: java java-6 mixed-code

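Java JRE mixed code security, starting with JRE 1.6.0_19 and onward. Originally, around 2010, the main jar Java Applet was implemented, built and deployed using JDK / JRE 1.6.0_12; the main jar and the third-party jars were signed, and everything worked fine. The main jar applet and the third-party jars work fine with JRE 1.6.0_12 through JRE 1.6.0_18.

However, with the introduction of mixed code security starting with JRE 1.6.0_19, the main jar will not start with JRE 11.6.0_27 unless mixed code security is disabled.
We are moving our JRE from 1.6.0_12 to update 27. I am trying to fix this issue, that is, to allow the signed main jar Java applet and the signed third-party jars to start when mixed code security is enabled.

I have a main jar that contains the Java Applet source code, and several third-party jars used by the main jar; for example, activation.jar, log4j-1.2.13.jar, ojdbc14.jar, etc.

Using keytool.exe from JDK 1.6.0_27, I created a new keystore that holds the private/public key pair for the Java applet. Using jarsigner.exe from JDK 1.6.0_27, I successfully signed the main jar and all third-party jars with the private key; each jar has a signature file .SF and a signature block file .DSA (Digital Signature Algorithm). I exported the public key used to verify the signed jars.

The Java Applet and the third-party jars are in the webcontent / applet directory of the web application; when the applet is launched from the web application, the main jar and the third-party jars are downloaded to the user's computer. The digital signature part works fine, and the Java applet starts and works successfully when JRE mixed code security is disabled. When it is enabled, this still does not resolve the mixed code security issue.

I tried deploying the main jar as Trusted-Only and as Trusted-Library. In both cases, with mixed code security enabled, the main jar Java Applet fails to start; I get different exceptions but the same result.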

Trusted-Only :: Mixed Code Enable
.........................
cache: Mark prevalidated: http://hostname:port/path/main.jar true tm=numbers cert=numbers
security: http://hostname:port/path/main.jar is newly asserting Trusted-Only
basic: Plugin2ClassLoader.getPermissions CeilingPolicy allPerms
security: Validate the certificate chain using CertPath API
security: The certificate hasnt been expired, no need to check timestamping info
security: Cannot find jurisdiction list file
security: The CRL support is disabled
security: The OCSP support is disabled
security: This OCSP End Entity validation is disabled
security: Checking if certificate is in Deployment denied certificate store
security: Checking if certificate is in Deployment permanent certificate store
basic: Embedding dialogs not enabled in Configuration
basic: Plugin2ClassLoader.getPermissions CeilingPolicy allPerms
.........................
.........................
network: Cache entry not found [url: http://hostname:port/path/StatLib.jar, version:     null]
network: Connecting http://hostname:port/path/StatLib.jar with proxy=DIRECT
network: Connecting http://hostname:port/ with proxy=DIRECT
network: Connecting http://hostname:port/path/StatLib.jar with cookie     "CheckboxChecked=Y; JSESSIONID=j_session_id"
network: CleanupThread used 1 us
network: Downloading resource: http://hostname:port/path/StatLib.jar
Content-Length: 62,219
Content-Encoding: null
network: Wrote URL http://hostname:port/path/StatLib.jar to File C:\path\LocalLow\Sun\Java\Deployment\cache\6.0\24\167b0298-1365f142-temp
security: Trusted libraries list file not found
cache: Create from verifier: JarSigningData{hasOnlySignedEntries=true, hasSingleCodeSource=true, hasMissingSignedEntries=false}
cache: Adding MemoryCache entry: http://hostname:port/path/StatLib.jar
basic: Plugin2ClassLoader.isTrustedByPolicy called 
basic: Plugin2ClassLoader.isTrustedByPolicy returns false 
security: resource name "com/name/statistics/lib/I_Dispatch.class" in     http://hostname:port/path/StatLib.jar : java.lang.SecurityException: Trusted-Only loader attempted to load sandboxed resource from http://hostname:port/path/StatLib.jar
04/01/2013 16:58:41,588 - [FATAL Thread-15 com.lfg.name.JavaObjectName.init(JavaName.java:193)] - Error in Method() java.lang.SecurityException: Trusted-Only loader attempted to load sandboxed resource from http://hostname:port/path/StatLib.jar
at com.sun.deploy.security.CPCallbackHandler$ParentCallback.check(Unknown Source)
at com.sun.deploy.security.CPCallbackHandler$ParentCallback.access$1500(Unknown Source)
at com.sun.deploy.security.CPCallbackHandler$ChildElement.checkResource(Unknown Source)
at com.sun.deploy.security.DeployURLClassPath$JarLoader.checkResource(Unknown Source)
at com.sun.deploy.security.DeployURLClassPath$JarLoader.getResource(Unknown Source)
at com.sun.deploy.security.DeployURLClassPath$JarLoader.getResource(Unknown Source)
at com.sun.deploy.security.DeployURLClassPath.getResource(Unknown Source)
at sun.plugin2.applet.Plugin2ClassLoader$2.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at sun.plugin2.applet.Plugin2ClassLoader.findClassHelper(Unknown Source)
at sun.plugin2.applet.Applet2ClassLoader.findClass(Unknown Source)
at sun.plugin2.applet.Plugin2ClassLoader.loadClass0(Unknown Source)
at sun.plugin2.applet.Plugin2ClassLoader.loadClass(Unknown Source)
at sun.plugin2.applet.Plugin2ClassLoader.loadClass(Unknown Source)
at java.lang.ClassLoader.loadClass(Unknown Source)
at java.lang.ClassLoader.defineClass1(Native Method)
at java.lang.ClassLoader.defineClass(Unknown Source)
at java.security.SecureClassLoader.defineClass(Unknown Source)
at java.net.URLClassLoader.defineClass(Unknown Source)
at sun.reflect.GeneratedMethodAccessor11.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.lang.reflect.Method.invoke(Unknown Source)
at sun.plugin2.applet.Plugin2ClassLoader.defineClassHelper(Unknown Source)
at sun.plugin2.applet.Plugin2ClassLoader.access$100(Unknown Source)
at sun.plugin2.applet.Plugin2ClassLoader$2.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at sun.plugin2.applet.Plugin2ClassLoader.findClassHelper(Unknown Source)
at sun.plugin2.applet.Applet2ClassLoader.findClass(Unknown Source)
at sun.plugin2.applet.Plugin2ClassLoader.loadClass0(Unknown Source)
at sun.plugin2.applet.Plugin2ClassLoader.loadClass(Unknown Source)
at sun.plugin2.applet.Plugin2ClassLoader.loadClass(Unknown Source)
at java.lang.ClassLoader.loadClass(Unknown Source)
at java.lang.Class.forName0(Native Method)
at java.lang.Class.forName(Unknown Source)
.... The Java Applet is calling and loading a class in a third-party jar that I signed, but for some reason it is being treated as unsigned ....
.......................
network: Cache entry not found [url: http://hostname:port/path/ojdbc14.jar, version: null]
network: Connecting http://hostname:port/path/ojdbc14.jar with proxy=DIRECT
network: Connecting http://hostname:port/ with proxy=DIRECT
network: Connecting http://hostname:port/path/ojdbc14.jar with cookie "CheckboxChecked=Y; JSESSIONID=j_session_id"
network: CleanupThread used 1 us
network: Downloading resource: http://hostname:port/path/ojdbc14.jar
Content-Length: 1,448,790
Content-Encoding: null
network: Wrote URL http://hostname:port/path/ojdbc14.jar to File C:\path\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\51\534fe7f3-21a4d4ae-temp
security: Trusted libraries list file not found
cache: Create from verifier: JarSigningData{hasOnlySignedEntries=true, hasSingleCodeSource=true, hasMissingSignedEntries=false}
network: CleanupThread used 1 us
cache: Adding MemoryCache entry: http://hostname:port/path/ojdbc14.jar
basic: Plugin2ClassLoader.isTrustedByPolicy called 
basic: Plugin2ClassLoader.isTrustedByPolicy returns false 
security: resource name "oracle/jdbc/driver/OracleDriver.class" in http://hostname:port/path/ojdbc14.jar : java.lang.SecurityException: Trusted-Only loader attempted to load sandboxed resource from http://hostname:port/path/ojdbc14.jar
java.lang.SecurityException: Trusted-Only loader attempted to load sandboxed resource from http://hostname:port/path/ojdbc14.jar
at com.sun.deploy.security.CPCallbackHandler$ParentCallback.check(Unknown Source)
at com.sun.deploy.security.CPCallbackHandler$ParentCallback.access$1500(Unknown Source)
at com.sun.deploy.security.CPCallbackHandler$ChildElement.checkResource(Unknown Source)
at com.sun.deploy.security.DeployURLClassPath$JarLoader.checkResource(Unknown Source)
at com.sun.deploy.security.DeployURLClassPath$JarLoader.getResource(Unknown Source)
at com.sun.deploy.security.DeployURLClassPath$JarLoader.getResource(Unknown Source)
at com.sun.deploy.security.DeployURLClassPath.getResource(Unknown Source)
at sun.plugin2.applet.Plugin2ClassLoader$2.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at sun.plugin2.applet.Plugin2ClassLoader.findClassHelper(Unknown Source)
at sun.plugin2.applet.Applet2ClassLoader.findClass(Unknown Source)
at sun.plugin2.applet.Plugin2ClassLoader.loadClass0(Unknown Source)
at sun.plugin2.applet.Plugin2ClassLoader.loadClass(Unknown Source)
at sun.plugin2.applet.Plugin2ClassLoader.loadClass(Unknown Source)
at java.lang.ClassLoader.loadClass(Unknown Source)
..... The Java applet is loading a Java class in a third-party jar that was signed, but it is being treated as untrusted .....

Trusted-Library :: Mixed Code Enable
..............................
cache: Mark prevalidated: http://hostname:port/path/main.jar true tm=numbers cert=numbers
basic: Plugin2ClassLoader.getPermissions CeilingPolicy allPerms
security: Validate the certificate chain using CertPath API
security: The certificate hasnt been expired, no need to check timestamping info
security: Cannot find jurisdiction list file
security: The CRL support is disabled
security: The OCSP support is disabled
security: This OCSP End Entity validation is disabled
security: Checking if certificate is in Deployment denied certificate store
security: Checking if certificate is in Deployment permanent certificate store
basic: Embedding dialogs not enabled in Configuration
basic: exception: java.lang.NoClassDefFoundError: org/apache/log4j/Logger.
java.lang.RuntimeException: java.lang.NoClassDefFoundError: org/apache/log4j/Logger
at com.sun.deploy.uitoolkit.impl.awt.AWTAppletAdapter.instantiateApplet(Unknown Source)
at sun.plugin2.applet.Plugin2Manager.initAppletAdapter(Unknown Source)
at sun.plugin2.applet.Plugin2Manager$AppletExecutionRunnable.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
Caused by: java.lang.NoClassDefFoundError: org/apache/log4j/Logger
at com.path.MainClassApplet.init(MainClassApplet.java:line_number)
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(Unknown Source)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(Unknown Source)
at java.lang.reflect.Constructor.newInstance(Unknown Source)
at java.lang.Class.newInstance0(Unknown Source)
at java.lang.Class.newInstance(Unknown Source)
at com.sun.deploy.uitoolkit.impl.awt.AWTAppletAdapter$1.run(Unknown Source)
at java.awt.event.InvocationEvent.dispatch(Unknown Source)
at java.awt.EventQueue.dispatchEventImpl(Unknown Source)
at java.awt.EventQueue.access$200(Unknown Source)
at java.awt.EventQueue$3.run(Unknown Source)
at java.awt.EventQueue$3.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at java.security.ProtectionDomain$1.doIntersectionPrivilege(Unknown Source)
at java.security.ProtectionDomain$1.doIntersectionPrivilege(Unknown Source)
at java.awt.EventQueue$4.run(Unknown Source)
at java.awt.EventQueue$4.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at java.security.ProtectionDomain$1.doIntersectionPrivilege(Unknown Source)
at java.awt.EventQueue.dispatchEvent(Unknown Source)
at java.awt.EventDispatchThread.pumpOneEventForFilters(Unknown Source)
at java.awt.EventDispatchThread.pumpEventsForFilter(Unknown Source)
at java.awt.EventDispatchThread.pumpEventsForHierarchy(Unknown Source)
at java.awt.EventDispatchThread.pumpEvents(Unknown Source)
at java.awt.EventDispatchThread.pumpEvents(Unknown Source)
at java.awt.EventDispatchThread.run(Unknown Source)
Caused by: java.lang.ClassNotFoundException: org.apache.log4j.Logger
at sun.plugin2.applet.Applet2ClassLoader.findClass(Unknown Source)
at sun.plugin2.applet.Plugin2ClassLoader.loadClass0(Unknown Source)
at sun.plugin2.applet.Plugin2ClassLoader.loadClass(Unknown Source)
at sun.plugin2.applet.Plugin2ClassLoader.loadClass(Unknown Source)
at java.lang.ClassLoader.loadClass(Unknown Source)
... 27 more
Ignored exception: java.lang.RuntimeException: java.lang.NoClassDefFoundError: org/apache/log4j/Logger
basic: Dialog type is not candidate for embedding
basic: Removed progress listener: sun.plugin.util.ProgressMonitorAdapter@40ab5b6c
security: Reset deny session certificate store

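The main jar applet (Rich Internet Application) is invoked using JavaScript code in a JavaServer Pages file (an HTML page) with html tags.

As I understand it, JavaScript code is treated as unsigned code. When a signed applet is accessed from JavaScript code in an HTML page, the signed applet executes within the security sandbox. This means the signed applet essentially behaves like an unsigned applet.

I am debating whether I should use JNLP with the Deployment Toolkit (deployJava.js) to deploy the applet, or whether I should add the classes to the main JAR file's classpath in its manifest file; its manifest references a different JAR file (or several different JAR files) that serve as utilities for my applet.

Any ideas on how to resolve this mixed code issue?

Please advise, thank you.

1 Answer:

Answer 0: (score: 0)

I can confirm that the problem is with recent JREs. Calling Java from JS will give you the "mixed code warning", no matter how you sign, or which libraries you include or leave out. So the comments above are no longer correct (after the latest JRE upgrade; I am using 1.7.0_21).

Fortunately, it still allows calling JavaScript from Java without problems, so the solution to this kind of problem that we ran into is to implement a command queue that is polled from the applet, like this:

1) Wrap each call to an applet method in a "request object" and put it in a queue, e.g.: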

var jobQueue = [];

function hello(message) {
   // Declare with var so the request does not leak into the global scope.
   var request = {
     cmd: "hello",
     arg: "Jack",
     callback: function(result) {
        alert("I'm saying " + result);
     }
   };
   jobQueue.push(request);
}

2) Create a method, called from the applet, to fetch jobs:

function fetchJob() {
  if (jobQueue.length > 0) {
     return jobQueue.shift();
  }
  return null; // nothing queued
}

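3) When the applet starts, spawn a thread or a timer that calls the function fetchJob every X milliseconds. When the function returns a non-null request, the applet can execute it. The request can carry (as in the example above) even a callback to invoke to return the result.

That's all. But beware: if you use a callback to return results, be careful not to return anything other than native objects, otherwise you will get the mixed code warning again. Even an array of strings will not work. If you need to create a more complex result, you need to use the LiveConnect API to call back into JavaScript and create native JS objects from the Java Applet, then invoke the callback with them.

Good luck!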
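The applet side of step 3, as an added example that is not part of the original answer: a timer polls the page's fetchJob() through netscape.javascript.JSObject and answers the "hello" request with a plain String. The class name PollingApplet, the 250 ms interval and the "Hello, " reply are assumptions; compiling requires the JRE's plugin.jar on the classpath.

```java
import java.applet.Applet;
import java.util.Timer;
import java.util.TimerTask;
import netscape.javascript.JSException;
import netscape.javascript.JSObject;

// Added example (hypothetical class): polls the page's fetchJob() from Java.
public class PollingApplet extends Applet {
    private static final long POLL_INTERVAL_MS = 250; // assumed value for "X"
    private Timer timer;

    @Override
    public void start() {
        final JSObject window = JSObject.getWindow(this); // Java -> JS direction only
        timer = new Timer("job-poller", true);
        timer.schedule(new TimerTask() {
            @Override
            public void run() {
                try {
                    // Drain the queue; any non-object value means it is empty.
                    Object job = window.call("fetchJob", new Object[0]);
                    while (job instanceof JSObject) {
                        handle((JSObject) job);
                        job = window.call("fetchJob", new Object[0]);
                    }
                } catch (JSException e) {
                    // Page script failed or is not ready; retry on the next tick.
                }
            }
        }, 0, POLL_INTERVAL_MS);
    }

    @Override
    public void stop() {
        if (timer != null) timer.cancel();
    }

    private void handle(JSObject request) {
        // The page script is unsigned code: run only allowlisted commands.
        if (!"hello".equals(request.getMember("cmd"))) return;
        // Hand back a plain String only, as the answer advises.
        String result = "Hello, " + String.valueOf(request.getMember("arg"));
        if (request.getMember("callback") instanceof JSObject) {
            request.call("callback", new Object[] { result });
        }
    }
}
```

Because the queue is filled by unsigned page script, each command the applet accepts should be checked against a fixed list and its arguments validated before any privileged operation runs.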