为什么 Java 告诉我我的小程序同时包含签名和未签名的代码?
我的签名 Java 小程序一直运行良好,直到 Java 更新 19。现在,我们的 Java 更新 19 上的一些(但不是全部)用户报告了一条 Java 安全消息,指出我们的小程序包含签名和未签名的代码。
创建小程序的过程如下:
- 在 Netbeans IDE 中清理并构建小程序项目。
- 在 WinRAR 中打开 Applet jar 文件,并将所需的 mysql JDBC 驱动程序 .class 文件添加到 jar 文件中。
- 对小程序 jar 文件进行签名。
有人可以告诉我如何确定我们的小程序中哪些代码已签名,哪些代码未签名?除了将 jar 文件内容复制到我们的小程序 jar 文件中之外,是否有更好的方法将 mysql JDBC 驱动程序 jar 文件包含在我们的小程序中?
谢谢
My signed Java applet has been running fine until Java update 19. Now some but not all of our users on Java Update 19 report a java security message stating that our applet contains both signed and unsigned code.
The process for creating our applet is as follows:
- Clean and Build the applet project in Netbeans IDE.
- Open the Applet jar file in WinRAR and add the required mysql JDBC driver .class files to the jar file.
- Sign the applet jar file.
Can someone please tell me how to determine what code is signed and what code is not signed in our applet? Is there a better way to include the mysql JDBC driver jar file in our applet other than copying the jar file contents into our applet jar file?
Thanks
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(3)
编辑:由于 Java 7 Update 45 中的错误,您不应将 Trusted-Library 添加到清单文件中。只需添加新属性 Caller-Allowable-Codebase 即可。有关详细信息,请参阅此问题:Java applet 清单 - 允许所有调用者允许-Codebase
Java 7 Update 21 于 2013 年 4 月 16 日发布,导致我们的小程序开始显示此警告对话框。
根据发行说明:
从 JDK 7u21 开始,调用特权小程序中的代码的 JavaScript 代码将被视为混合代码,并且如果签名的 JAR 文件未使用 Trusted-Library 属性进行标记,则会引发警告对话框。
要解决此问题,请编辑您的manifest.mf 文件并添加如下行:
不过,在执行此操作之前您应该非常小心。如果您的签名小程序可以从 javascript 调用,那么恶意用户可能会在您的用户计算机上执行有害的操作。
保护小程序安全的一种快速方法是防止它在其他网站上运行。为此,请将代码放入
init()方法中,该方法查看getCodeBase().getHost()并在与您的站点不匹配时抛出异常。Java 7 Update 25 引入了另一种方法来限制可以运行小程序的站点。您可以在清单文件中设置 Codebase 属性,如下所示:
Java 7 Update 45(2013 年 10 月 16 日相关)引入了对 LiveConnect 系统(javascript 到 applet 桥)的更多更改,这可能会导致另一个提示。本文讨论 7u45 的更改:https://blogs.oracle.com/ java-platform-group/entry/liveconnect_changes_in_7u45
基本上,您还需要将以下内容添加到清单文件中以避免出现提示:
如果您正在销售包含小程序的产品,并且您不知道哪些域它可以部署在您可以在此处填充 * 的位置。
EDIT: Due to a bug in Java 7 Update 45 you should not add Trusted-Library to your manifest file. Just add the new attribute Caller-Allowable-Codebase. See this question for more info: Java applet manifest - Allow all Caller-Allowable-Codebase
Java 7 Update 21 was released on April 16 2013 and caused our applet to start showing this warning dialog.
Per the release notes:
As of JDK 7u21, JavaScript code that calls code within a privileged applet is treated as mixed code and warning dialogs are raised if the signed JAR files are not tagged with the Trusted-Library attribute.
To fix this edit your manifest.mf file and add a line like this:
You should be very careful before doing this though. If your signed applet can be called from javascript then a malicious user can potentially do harmful things on your users' computers.
One quick way to secure your applet is to prevent it from being run on other websites. Do this by putting code in the
init()method that looks atgetCodeBase().getHost()and throws an exception if it does not match your site.Java 7 Update 25 introduces another way to limit the sites where your applet can be run. You can set the Codebase attribute in your manifest file like this:
Java 7 Update 45 (releated October 16 2013) introduces more changes to the LiveConnect system (javascript-to-applet bridge) that may cause another prompt. This article talks about the 7u45 changes: https://blogs.oracle.com/java-platform-group/entry/liveconnect_changes_in_7u45
Basically you'll also want to add the following to your manifest file to avoid the prompts:
If you are selling a product that includes an applet and you don't know what domains it can be deployed on you can populate * here.
需要尝试的一些事情:
高级选项卡。调试启用跟踪、启用日志记录和显示小程序生命周期异常Java控制台code>显示控制台确定(或关闭,具体取决于您的操作系统)当您的小程序加载时,Java 控制台将打开。单击它并立即按“5”。它将记录为运行小程序而获取的罐子和类。其中的某个地方应该有一条消息,指示哪些 jar 或类被视为“未签名”。如果您第一次错过了,只需重新加载窗口即可重试。
Some things to try:
Advancedtab.DebugEnable tracing,Enable logging, andShow applet lifecycle exceptionsJava consoleShow consoleOK(orClose, depending on your OS)When your applet loads the Java console will open. Click on it and immediately press '5'. It will log the jars and classes being fetched to run your applet. Somewhere in this there should be a message indicating what jars or classes are consider "unsigned". If you miss it the first time, just reload the window to try it again.
将受信任和不受信任的代码混合在一起是一个漏洞,已在 6u19(撰写本文时的当前 CPU/SSR 版本)中修复。 请参阅文档。 阻止混合或使用调试器应该可以显示问题出在哪里。
Mixing trusted and untrusted code together is a vulnerability that has been fixed in the 6u19 (the current CPU/SSR release at the time of writing). See the docs. Blocking the mix or using a debugger should show where the problem is.