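I have a Java Web Start application running on a Tomcat web server. The single jar referenced by the JNLP is signed. The whole web application sits behind a basic authentication layer. Web.xml extract: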
<security-constraint>
<display-name> Client (SSL)</display-name>
<web-resource-collection>
<web-resource-name>Client (SSL)</web-resource-name>
<url-pattern>/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>clientuser</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>Client Webstart</realm-name>
</login-config>
When I run the JNLP, Web Start correctly asks me to enter a username and password, but then crashes with the following null pointer exception:
java.lang.NullPointerException
at com.sun.deploy.security.DeployManifestChecker.verify(Unknown Source)
at com.sun.javaws.security.AppPolicy.grantUnrestrictedAccess(Unknown Source)
at com.sun.javaws.security.AppPolicy.addPermissions(Unknown Source)
at com.sun.jnlp.JNLPClassLoader.getTrustedCodeSources(Unknown Source)
at com.sun.deploy.security.CPCallbackHandler$ParentCallback.strategy(Unknown Source)
at com.sun.deploy.security.CPCallbackHandler$ParentCallback.openClassPathElement(Unknown Source)
at com.sun.deploy.security.DeployURLClassPath$JarLoader.getJarFile(Unknown Source)
at com.sun.deploy.security.DeployURLClassPath$JarLoader.access$800(Unknown Source)
at com.sun.deploy.security.DeployURLClassPath$JarLoader$1.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at com.sun.deploy.security.DeployURLClassPath$JarLoader.ensureOpen(Unknown Source)
at com.sun.deploy.security.DeployURLClassPath$JarLoader.<init>(Unknown Source)
at com.sun.deploy.security.DeployURLClassPath$3.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at com.sun.deploy.security.DeployURLClassPath.getLoader(Unknown Source)
at com.sun.deploy.security.DeployURLClassPath.getLoader(Unknown Source)
at com.sun.deploy.security.DeployURLClassPath.getResource(Unknown Source)
at java.net.URLClassLoader$1.run(Unknown Source)
at java.net.URLClassLoader$1.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at java.net.URLClassLoader.findClass(Unknown Source)
at com.sun.jnlp.JNLPClassLoader.findClass(Unknown Source)
at java.lang.ClassLoader.loadClass(Unknown Source)
at java.lang.ClassLoader.loadClass(Unknown Source)
at java.lang.ClassLoader.loadClass(Unknown Source)
at com.sun.javaws.Launcher.doLaunchApp(Unknown Source)
at com.sun.javaws.Launcher.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
Answer 0 (score: 3)
The problem turned out to be unrelated to security; it was actually another part of the web.xml that I had not posted earlier:
<servlet>
<description>
The Client.
</description>
<display-name>Client</display-name>
<servlet-name>GenerateClientJNLPServlet</servlet-name>
<servlet-class>web.GenerateClientJNLPServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>GenerateClientJNLPServlet</servlet-name>
<url-pattern>/*</url-pattern>
</servlet-mapping>
<security-role>
<role-name>clientuser</role-name>
</security-role>
....
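The servlet's URL pattern was set to *. This meant that when the JWS process went to the specific location to download the jar, it was redirected back to the servlet, which served the error.html page in the response instead of the jar.
I have now restricted the servlet URL to: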
<url-pattern>/LaunchClient/*</url-pattern>
and the jar continues to be hosted at /releases/*
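
An added example (not part of the original answer): a small check that parses a web.xml and reports which servlet mappings would capture a given request path, using the servlet URL-pattern rules (exact, path-prefix, extension). The two descriptors are constructed from the mapping shown above, paths are relative to the context root, and the jar name client.jar is a hypothetical file under /releases/.

```python
import xml.etree.ElementTree as ET

# Constructed descriptors: the mapping from the answer before and after the fix.
BEFORE = """<web-app>
  <servlet-mapping>
    <servlet-name>GenerateClientJNLPServlet</servlet-name>
    <url-pattern>/*</url-pattern>
  </servlet-mapping>
</web-app>"""
AFTER = BEFORE.replace("/*", "/LaunchClient/*")


def matches(pattern, path):
    """Servlet-spec URL matching, except the default '/' mapping."""
    if pattern == path:                       # exact match
        return True
    if pattern.endswith("/*"):                # path-prefix mapping
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):              # extension mapping
        return path.rsplit("/", 1)[-1].endswith(pattern[1:])
    return False


def servlets_capturing(web_xml, path):
    """Return names of servlets whose mapping would serve `path`."""
    root = ET.fromstring(web_xml)
    hits = []
    for mapping in root.iter():
        if mapping.tag.rsplit("}", 1)[-1] != "servlet-mapping":
            continue
        name, patterns = None, []
        for child in mapping:
            tag = child.tag.rsplit("}", 1)[-1]   # ignore XML namespace
            text = (child.text or "").strip()
            if tag == "servlet-name":
                name = text
            elif tag == "url-pattern":
                patterns.append(text)
        if any(matches(p, path) for p in patterns):
            hits.append(name)
    return hits


if __name__ == "__main__":
    jar = "/releases/client.jar"   # hypothetical jar path under /releases/
    print("before:", servlets_capturing(BEFORE, jar))
    print("after: ", servlets_capturing(AFTER, jar))
```

Any servlet name returned for a jar path means the jar request is answered by that servlet rather than by the static file, which is the condition that produced the error page in place of the signed jar.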
Answer 1 (score: 0)
Add the "all-permissions" attribute in the JAR manifest. For details, please see this URL: http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/security/manifest.html