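I have a signed applet. To implement a plugin architecture, I download JAR files containing specific classes and store them on disk.
Then I load these classes with URLClassLoader. Now, when I try to call some methods from the loaded classes, I run into security problems.
It seems the SecurityManager cannot check the "sign-token" when the classes are loaded with URLClassLoader. Does anyone know how to solve this?
Thanks a lot!
Loading.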
URLClassLoader loader = new URLClassLoader(new URL[] {libraryArchive.toURI().toURL()}, Compress.class.getClassLoader());
Invocation.
...
org.palettelabs.comm.desktopcapture.pim.Library lib = libraryClass.newInstance();
final Compress compressingLibrary = (Compress) lib;
File file = AccessController.doPrivileged(new PrivilegedExceptionAction<File>() {
    @Override
    public File run() {
        try {
            File file = compressingLibrary.compress(filesList);
            return file;
        } catch (Exception e) {
            Logger.error("applet: compress: invocation external library error", e);
            return null;
        }
    }
});
Exception.
2011-09-16 16:00:08,550 [SwingWorker-pool-1-thread-4] ERROR - applet: compress: invocation external library error
java.security.AccessControlException: access denied (java.io.FilePermission /tmp/dca-palettelabs-storage/test/compress/linux32ffmpeg.jar-extractedFiles/org/palettelabs/comm/desktopcapture/libs/compress/linux32 read)
at java.security.AccessControlContext.checkPermission(AccessControlContext.java:374)
at java.security.AccessController.checkPermission(AccessController.java:546)
at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
at java.lang.SecurityManager.checkRead(SecurityManager.java:871)
at java.io.File.exists(File.java:731)
at java.io.File.mkdirs(File.java:1181)
at org.palettelabs.comm.desktopcapture.pim.Library.extract(Library.java:31)
at org.palettelabs.comm.desktopcapture.libs.compress.linux32.Linux32.compress(Linux32.java:17)
at org.palettelabs.comm.desktopcapture.ui.UploadingWorker$1.run(UploadingWorker.java:77)
at org.palettelabs.comm.desktopcapture.ui.UploadingWorker$1.run(UploadingWorker.java:1)
at java.security.AccessController.doPrivileged(Native Method)
at org.palettelabs.comm.desktopcapture.ui.UploadingWorker.compress(UploadingWorker.java:72)
at org.palettelabs.comm.desktopcapture.ui.UploadingWorker.doInBackground(UploadingWorker.java:57)
at org.palettelabs.comm.desktopcapture.ui.UploadingWorker.doInBackground(UploadingWorker.java:1)
at javax.swing.SwingWorker$1.call(SwingWorker.java:277)
at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:303)
at java.util.concurrent.FutureTask.run(FutureTask.java:138)
at javax.swing.SwingWorker.run(SwingWorker.java:316)
at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
at java.lang.Thread.run(Thread.java:662)
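Answer 0: (score: 1)
Install a custom security manager that allows code from the right code base (package, etc...) to perform that operation.
To do that, call System.setSecurityManager(myManager). (As you might imagine) myManager is an extension of SecurityManager.
It requires a trusted applet to set a security manager.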
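Answer 1: (score: 1)
Use an appropriate subclass of java.security.SecureClassLoader to assign an appropriate ProtectionDomain to the loaded classes. Of course, make sure there is some mechanism by which these classes can be trusted (for example, being signed with a certificate you trust).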
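Answer 1's suggestion in code, as an added example that is not from the question or either answer: a URLClassLoader subclass (URLClassLoader is itself a SecureClassLoader) that gives plugin classes a ProtectionDomain with file access only when the JAR's signer certificate is one you have pinned. The class name, the trustedCerts set and the workDir parameter are assumptions for illustration.

```java
import java.io.File;
import java.io.FilePermission;
import java.net.URL;
import java.net.URLClassLoader;
import java.security.CodeSource;
import java.security.PermissionCollection;
import java.security.cert.Certificate;
import java.util.HashSet;
import java.util.Set;

// Added example (hypothetical class): loads plugin JARs and grants extra
// permissions only to code signed with a pinned, trusted certificate.
public class TrustedPluginClassLoader extends URLClassLoader {
    private final Set<Certificate> trustedCerts; // assumption: pinned signer certificates
    private final String workDir;                // assumption: plugin scratch directory

    public TrustedPluginClassLoader(URL[] jars, ClassLoader parent,
                                    Set<Certificate> trustedCerts, String workDir) {
        super(jars, parent);
        this.trustedCerts = new HashSet<Certificate>(trustedCerts);
        this.workDir = workDir;
    }

    // Called once per CodeSource to build the ProtectionDomain of loaded classes.
    @Override
    protected PermissionCollection getPermissions(CodeSource cs) {
        // Default grant from URLClassLoader: read access to the JAR's own URL.
        PermissionCollection perms = super.getPermissions(cs);
        if (isSignedByTrusted(cs)) {
            // Least privilege: the scratch directory tree only, not AllPermission.
            perms.add(new FilePermission(workDir, "read,write"));
            perms.add(new FilePermission(workDir + File.separator + "-", "read,write,delete"));
        }
        return perms;
    }

    private boolean isSignedByTrusted(CodeSource cs) {
        // getCertificates() is null for unsigned code. JAR verification proves
        // integrity against the embedded certificate, not trust, hence the pinning.
        Certificate[] certs = cs.getCertificates();
        if (certs == null) return false;
        for (Certificate c : certs) {
            if (trustedCerts.contains(c)) return true;
        }
        return false;
    }
}
```

The permission check walks every frame below the doPrivileged call, so the plugin's own frames (Library.extract in the trace above) need the FilePermission in their domain, which is what this loader supplies. SecurityManager is deprecated for removal since Java 17 (JEP 411), so this applies to legacy runtimes like the one in the question.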