如何为新的 Java 安全屏障编写清单文件 [英] How do I write a manifest file for the new java security barriers
问题描述
我需要在我的网站上部署一个 Java 小程序.
我的网站有很多页面,小程序出现在其中一些页面上.我网站的基本域是 www.mycompany.com.但是小程序会出现在,例如:www.mycompany.com/dog、www.mycompany.com/cat、www.mycompany.com/pen 等
入口点的包是com.mycompany.MyApplet.
按照 浏览器中的 Java 安全清单更改,我已经为我的应用创建了以下清单.有人可以帮我检查一下,以便我得到正确的答案吗?基本上,当人们试图从我的网站运行我的小程序时,我不希望出现任何形式的警告.
清单
清单版本:1.0创建者:1.7.0_51权限:沙盒应用程序名称:我的农业业务Application-Library-Allowable-Codebase:www.mycompany.com/where_the_applet_jar_actually_lives来电者允许代码库:www.mycompany.com代码库:www.mycompany.com在重新部署上述清单后,目前我得到以下对话框:
<块引用>应用程序被安全设置阻止:您的安全设置有阻止不受信任的应用程序运行
此外,我使用以下步骤对我的 jar 进行签名:
keytool -genkey -keystore myKeyStore -alias mekeytool -selfcert -keystore myKeyStore -alias mejarsigner -keystore myKeyStore jarfile.jar me
至于你得到的错误我能想到三个可能的问题:
1) 您的小程序不会就其尝试执行的操作征求许可.
会发生什么?权限"告诉用户应用程序对用户计算机有多少权力".沙箱"不会让应用程序做太多事情,所有权限"让小程序获得更多控制权.当然,您可能希望使用最低权限(即沙箱),因为您使用的权限越低,用户获得的警告提示就越少.但是,例如,如果您的小程序试图访问用户的个人文件,但它的权限"属性设置为沙箱",则小程序将无法工作,因为它没有就其尝试执行的操作请求许可.
如何解决?简单,只需将 Permissions: sandbox 更改为 Permissions: all-permissions
2) 您的计算机不允许运行自签名应用程序.
会发生什么?大多数浏览器都有适用于小程序的非常严格的规则.特别是如果您需要所有权限(您不需要).
如何解决? 将 Java 控制面板中的 Java 安全性更改为较低的值.您可以在计算机中搜索java 控制面板",也可以自己到此路径(Windows 8 由于某种原因找不到 java 控制面板,因此您必须自己查找)C:\program files\java\jre7\bin\javacpl.exe 在 JCP 中转到安全选项卡并将其更改为中.
3) 您的操作系统不允许您运行您自己签名的小程序.(注意你自己签名的小程序"而不是自签名小程序",这是没有官方证书的一切.操作系统通常会区别对待它们.)
如何解决?将小程序上传到网络主机服务并从另一台计算机输入,除您签署小程序的计算机之外的所有计算机都应该能够打开小程序.><小时>
至于您提到的用户没有收到任何安全提示,这几乎是不可能的需求.随着操作系统、浏览器和防病毒软件的多样性,您永远无法知道.但是,有几种方法可以减少安全提示的数量:
- 自签名小程序(自签名是您在命令提示符下所做的)很可能总是显示安全提示.您可以购买官方 SSL,这样会显着减少提示数量.
- 如果您需要所有权限",则会收到比需要沙盒"权限时更多的提示.
我强烈建议您查看以下链接:
权限:http://docs.oracle.com/javase/tutorial/deployment/applet/security.html
<小时>如果您遇到第 1 个问题,那就是清单文件:
清单版本:1.0创建者:1.7.0_51权限:所有权限应用程序名称:我的农业业务Application-Library-Allowable-Codebase:www.mycompany.com/where_the_applet_jar_actually_lives来电者允许代码库:www.mycompany.com代码库:*无论如何(如果您的问题是 2 或 3),您甚至不必更改清单文件.
正如@tigran 提到的,如果你想从几个不同的地方运行你的小程序,你可能想要将代码库"更改为 *.
I have a Java applet that I need to deploy on my website.
My website has a lot of pages and the applet appears on a number of them. My website's base domain is www.mycompany.com. But the applet will appear on, for example: www.mycompany.com/dog, www.mycompany.com/cat, www.mycompany.com/pen, etc.
The package of the entry point is com.mycompany.MyApplet.
Following the instructions at Java Security Manifest Changes in the Browser, I have created the below manifest for my app. Will someone please review it for me so that I get it correct? Basically I don't want any sort of warning to show up when people try to run my applet from my website.
MANIFEST
Manifest-Version: 1.0
Created-By: 1.7.0_51
Permissions: sandbox
Application-Name: My Farming Business
Application-Library-Allowable-Codebase: www.mycompany.com/where_the_applet_jar_actually_lives
Caller-Allowable-Codebase:www.mycompany.com
Codebase: www.mycompany.com
Presently I get the following dialog after redeploying with the above manifest:
Application Blocked by Security Settings: Your security settings have blocked an untrusted application from running
Ref: How do I inject new manifest into an existing jar for applet
Also, I have used the following steps to sign my jar:
keytool -genkey -keystore myKeyStore -alias mekeytool -selfcert -keystore myKeyStore -alias mejarsigner -keystore myKeyStore jarfile.jar me
As for the error you get I can think of three possible problems:
1) Your applet does not ask permission for what it is trying to do.
What happens? The "permissions" is telling the user how much "power" does the application have over the user's computer. "sandbox" doesn't let the application do much and "all-permissions" gain the applet a little more control. of course, you would want to use the lowest permission you can (i.e. sandbox) because the lower permission you use, the less warning prompts the user get. However, if, for example your applet is trying to gain access to the user's personal files but it's "permissions" attribute is set to "sandbox" the applet won't work, as it did not ask permission for what it is trying to do.
How to solve it? Simple, just change Permissions: sandbox to Permissions: all-permissions
2) Your computer is not allowing self signed applications to run.
What happens? Most browsers have very strict rules applying to applets. especially if you're requiring all-permissions (which you are not).
How to solve it? Change your java security in java control panel to something lower. you can either search for "java control panel" in your computer or go yourself to this path (windows 8 can't find the java control panel for some reason so you have to look for it yourself) C:\program files\java\jre7\bin\javacpl.exe in the JCP go to security tab and change it to medium.
3) Your operating system doesn't allow you to run applets that you signed your self. (pay attention "applets that you signed your self" not "self signed applets", which is everything that doesn't have an official certificate. Operating systems usually treat them differently.)
How to solve it? Upload the applet to a web host service and enter it from another computer, all computers but the ones you signed the applet with should be able to open the applet.
As for what you mentioned about users not getting any security prompts, it is an almost impossible demand. With the variety of OS, browsers and anti-viruses you can never know. However, there are a few methods in which you can reduce the amount of security prompts:
- Self signed applets (self signing is what you did with the command prompt) are very likely to always show security prompts. You can buy an official SSL and it will reduce the amount of prompts significantly.
- If you are requiring "all-permissions" you'll get much more prompts than if you require "sandbox" permissions.
I highly recommend you to look at the following links:
SSL: Where could I buy a valid SSL certificate?
Permissions: http://docs.oracle.com/javase/tutorial/deployment/applet/security.html
If you've got problem number 1 that would be the manifest file:
Manifest-Version: 1.0
Created-By: 1.7.0_51
Permissions: all-permissions
Application-Name: My Farming Business
Application-Library-Allowable-Codebase: www.mycompany.com/where_the_applet_jar_actually_lives
Caller-Allowable-Codebase:www.mycompany.com
Codebase: *
Eitherwise (If your problem is 2 or 3), you don't even have to change the manifest file.
As @tigran mentioned, if you want to run your applet from several different places you'd probably want to change "codebase" to *.
这篇关于如何为新的 Java 安全屏障编写清单文件的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
