Signed applet loads signed jar-files using URLClassLoader with security issue


Problem description

I have a signed applet. To implement some plugin architecture I download and store to disk a JAR file with specific classes.

Then I load these classes with URLClassLoader. So, now I try to invoke some method from a loaded class and I have a security issue.

It seems the "sign-token" cannot be checked by SecurityManager when a class is loaded by URLClassLoader. Does anybody know how to solve this problem?

Thanks a lot!

Loading.

URLClassLoader loader = new URLClassLoader(new URL[] {libraryArchive.toURI().toURL()}, Compress.class.getClassLoader());

Invocation.

...
org.palettelabs.comm.desktopcapture.pim.Library lib = libraryClass.newInstance();
final Compress compressingLibrary = (Compress) lib;
File file = AccessController.doPrivileged(new PrivilegedExceptionAction<File>() {

    @Override
    public File run() {
        try {
            File file = compressingLibrary.compress(filesList);
            return file;
        } catch (Exception e) {
            Logger.error("applet: compress: invocation external library error", e);
            return null;
        }
    }

});

Exception.

2011-09-16 16:00:08,550 [SwingWorker-pool-1-thread-4] ERROR - applet: compress: invocation external library error
java.security.AccessControlException: access denied (java.io.FilePermission /tmp/dca-palettelabs-storage/test/compress/linux32ffmpeg.jar-extractedFiles/org/palettelabs/
comm/desktopcapture/libs/compress/linux32 read)
        at java.security.AccessControlContext.checkPermission(AccessControlContext.java:374)
        at java.security.AccessController.checkPermission(AccessController.java:546)
        at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
        at java.lang.SecurityManager.checkRead(SecurityManager.java:871)
        at java.io.File.exists(File.java:731)
        at java.io.File.mkdirs(File.java:1181)
        at org.palettelabs.comm.desktopcapture.pim.Library.extract(Library.java:31)
        at org.palettelabs.comm.desktopcapture.libs.compress.linux32.Linux32.compress(Linux32.java:17)
        at org.palettelabs.comm.desktopcapture.ui.UploadingWorker$1.run(UploadingWorker.java:77)
        at org.palettelabs.comm.desktopcapture.ui.UploadingWorker$1.run(UploadingWorker.java:1)
        at java.security.AccessController.doPrivileged(Native Method)
        at org.palettelabs.comm.desktopcapture.ui.UploadingWorker.compress(UploadingWorker.java:72)
        at org.palettelabs.comm.desktopcapture.ui.UploadingWorker.doInBackground(UploadingWorker.java:57)
        at org.palettelabs.comm.desktopcapture.ui.UploadingWorker.doInBackground(UploadingWorker.java:1)
        at javax.swing.SwingWorker$1.call(SwingWorker.java:277)
        at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:303)
        at java.util.concurrent.FutureTask.run(FutureTask.java:138)
        at javax.swing.SwingWorker.run(SwingWorker.java:316)
        at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
        at java.lang.Thread.run(Thread.java:662)

Solution

Install a custom security manager that allows code from the right code base (package, whatever..) to perform that action.

To do that, call System.setSecurityManager(myManager). (As you managed to figure) myManager is an extension of SecurityManager.

It requires a trusted applet to set a security manager.
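
One way to write the kind of security manager the answer describes, as an added example (not code from the original post or its answer), for Java runtimes that still support `SecurityManager`. It only reconsiders a denied file access below the plugin storage directory, and only when every frame lacking the permission comes from a JAR in that directory signed with a pinned certificate. The class name `PluginSecurityManager`, the `storageDir` layout and the pinned `trustedSigner` are assumptions.

```java
import java.io.File;
import java.io.FilePermission;
import java.security.AccessController;
import java.security.CodeSource;
import java.security.Permission;
import java.security.PrivilegedAction;
import java.security.ProtectionDomain;
import java.security.cert.Certificate;
import java.util.Arrays;

// Added example: widens access only for signed plugin code inside the plugin storage directory.
public class PluginSecurityManager extends SecurityManager {
    private final FilePermission pluginArea;  // everything below storageDir
    private final String pluginUrlPrefix;     // file: URL of storageDir (must exist, so it ends in '/')
    private final Certificate trustedSigner;  // assumed: pinned plugin signer certificate

    public PluginSecurityManager(File storageDir, Certificate trustedSigner) {
        this.pluginArea = new FilePermission(
                storageDir.getAbsolutePath() + File.separator + "-", "read,write");
        this.pluginUrlPrefix = storageDir.toURI().toString();
        this.trustedSigner = trustedSigner;
    }

    @Override
    public void checkPermission(final Permission perm) {
        try {
            super.checkPermission(perm);  // normal policy check first
        } catch (SecurityException denied) {
            if (!pluginArea.implies(perm)) throw denied;  // never widen anything else
            final Class<?>[] stack = getClassContext();
            // doPrivileged: getProtectionDomain() is itself permission-checked.
            boolean ok = AccessController.doPrivileged(new PrivilegedAction<Boolean>() {
                public Boolean run() {
                    // Whole stack, ignoring doPrivileged frames: stricter than the default.
                    for (Class<?> c : stack) {
                        ProtectionDomain pd = c.getProtectionDomain();
                        if (!pd.implies(perm) && !isTrustedPlugin(pd.getCodeSource())) return false;
                    }
                    return true;
                }
            });
            if (!ok) throw denied;
        }
    }
    private boolean isTrustedPlugin(CodeSource cs) {
        if (cs == null || cs.getLocation() == null || cs.getCertificates() == null) return false;
        return cs.getLocation().toString().startsWith(pluginUrlPrefix)
                && Arrays.asList(cs.getCertificates()).contains(trustedSigner);
    }
}
```

A trusted applet would install it with `System.setSecurityManager(new PluginSecurityManager(storageDir, signerCert))` before loading any plugin JAR; `storageDir` and `signerCert` are placeholders. Pinning the signer matters here because the JAR is downloaded and stored on disk, so its location alone does not establish who produced it.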
