Java Webstart 尝试将 jar 沙盒化为“受信任的库”
我正在尝试通过 Webstart 加载带有未签名库的签名 jar。但是,我收到“尝试将沙盒 jar 作为可信库打开”错误。我从 jnlp 文件中删除了所有权限设置,如果将其放在那里(我不喜欢这样做),我的库会出现 classnotdefined 异常。 我正在使用 Netbeans 通过受信任库设置对我的 jar 进行签名。 如果我签署了该库(不是我的,而是 GPL 的),它会起作用吗?
顺便说一句,一切都在本地工作,只是不是从 Webstart 开始。 谢谢, Kaj
清单文件:
Manifest-Version: 1.0
Ant-Version: Apache Ant 1.8.2
Trusted-Library: true
X-COMMENT: Main-Class will be added automatically by build
Class-Path: lib/tools.jar
Created-By: 1.7.0-b147 (Oracle Corporation)
Main-Class: customcompile.CustomCompile
Name: customcompile/Source.class
SHA-256-Digest: WFa1FC4Q07sE3S9XxmUSEpgUKjvjYo81urGSiiLNBYY=
Name: customcompile/Output.class
SHA-256-Digest: Sc8oRhAcYYrEtWY5iA56bNKx4EuHQHgFfHmXRSYV474=
Name: customcompile/CustomCompile.class
SHA-256-Digest: WYmy6ny6BU6sYFqJCwxSUPsbTWbpvBuPurYuwnZR5sM=
Name: customcompile/MemoryClassLoader.class
SHA-256-Digest: 0bUNmC+gI7dkGFzEmDvAqdOv15UmHOQS8dDVi9FxGFU=
Name: META-INF/INDEX.LIST
SHA-256-Digest: komZP7Un7Uyi8XTq+HvpbZtNF5cfPC8TmGiPBfcO3qk=
Name: customcompile/MemoryFileManager.class
SHA-256-Digest: GorTXt3N3GZ2kUHry7qBfAOgUuYvhWHE3S+SGEjzR7k=
我也找到了一些有关该主题的信息( http://download.oracle.com/javase/6/docs/technotes/guides/jweb/mixed_code.html ): 在底部找到一个关于混合代码的问答,建议在库上设置惰性模式,这对我没有任何作用。
I'm trying to load a signed jar with an unsigned library through Webstart. However I get a "attempt to open sandboxed jar as Trusted-Library" error. I removed the all permissions setting from my jnlp file, if let it there (which I prefer not to), I get a classnotdefined exception for my library.
I'm using Netbeans to sign my jar with Trusted Library setting.
Would it work if I signed the library (which is not mine, but GPL'ed)?
All is working locally, btw, just not from Webstart.
Thanks,
Kaj
The manifest file:
Manifest-Version: 1.0
Ant-Version: Apache Ant 1.8.2
Trusted-Library: true
X-COMMENT: Main-Class will be added automatically by build
Class-Path: lib/tools.jar
Created-By: 1.7.0-b147 (Oracle Corporation)
Main-Class: customcompile.CustomCompile
Name: customcompile/Source.class
SHA-256-Digest: WFa1FC4Q07sE3S9XxmUSEpgUKjvjYo81urGSiiLNBYY=
Name: customcompile/Output.class
SHA-256-Digest: Sc8oRhAcYYrEtWY5iA56bNKx4EuHQHgFfHmXRSYV474=
Name: customcompile/CustomCompile.class
SHA-256-Digest: WYmy6ny6BU6sYFqJCwxSUPsbTWbpvBuPurYuwnZR5sM=
Name: customcompile/MemoryClassLoader.class
SHA-256-Digest: 0bUNmC+gI7dkGFzEmDvAqdOv15UmHOQS8dDVi9FxGFU=
Name: META-INF/INDEX.LIST
SHA-256-Digest: komZP7Un7Uyi8XTq+HvpbZtNF5cfPC8TmGiPBfcO3qk=
Name: customcompile/MemoryFileManager.class
SHA-256-Digest: GorTXt3N3GZ2kUHry7qBfAOgUuYvhWHE3S+SGEjzR7k=
I found some info on the subject as well ( http://download.oracle.com/javase/6/docs/technotes/guides/jweb/mixed_code.html ):
at the bottom one finds a Q&A about mixed code, suggesting setting a lazy mode on the library, which did not do anything for me.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
您应该能够在 混合签名和未签名代码中找到答案。特别请参阅安全地部署签名的应用程序和小程序,无需混合代码警告。
请注意,上面的清单具有..
它应该是
Trusted-Library或Trusted-Only(AFAIU) 之一。在本例中,它应该是Trusted-Library。You should be able to find answers in Mixing Signed and Unsigned Code. See especially Deploying Signed Applications and Applets Securely Without a Mixed Code Warning.
Note that manifest above has..
It should be one or the other of
Trusted-LibraryorTrusted-Only(AFAIU). In this case it should beTrusted-Library.