签名的小程序使用 URLClassLoader 加载签名的 jar 文件,但存在安全问题 [英] Signed applet loads signed jar-files using URLClassLoader with security issue
问题描述
我有一个签名的小程序.为了实现一些插件架构,我下载了一个带有特定类的 JAR 文件并将其存储到磁盘.
I have a signed applet. To implement some plugin architecture I download and store to disk a JAR file with specific classes.
然后我用 URLCLassLoader
加载这些类.所以,现在我尝试从加载的类中调用一些方法,但我遇到了安全问题.
Then I load these classes with URLCLassLoader
. So, now I try to invoke some method from loaded class and I have a security issue.
当类加载为 URLClassLoaded
时,SecurityManager
似乎无法检查sign-token".有人知道如何解决这个问题吗?
It seems to "sign-token" cannot be checked by SecurityManager
when class loaded be URLClassLoaded
. Anybody know how to solve this problem?
非常感谢!
正在加载.
URLClassLoader loader = new URLClassLoader(new URL[] {libraryArchive.toURI().toURL()}, Compress.class.getClassLoader());
调用.
...
org.palettelabs.comm.desktopcapture.pim.Library lib = libraryClass.newInstance();
final Compress compressingLibrary = (Compress) lib;
File file = AccessController.doPrivileged(new PrivilegedExceptionAction<File>() {
@Override
public File run() {
try {
File file = compressingLibrary.compress(filesList);
return file;
} catch (Exception e) {
Logger.error("applet: compress: invocation external library error", e);
return null;
}
}
});
异常.
2011-09-16 16:00:08,550 [SwingWorker-pool-1-thread-4] ERROR - applet: compress: invocation external library error
java.security.AccessControlException: access denied (java.io.FilePermission /tmp/dca-palettelabs-storage/test/compress/linux32ffmpeg.jar-extractedFiles/org/palettelabs/
comm/desktopcapture/libs/compress/linux32 read)
at java.security.AccessControlContext.checkPermission(AccessControlContext.java:374)
at java.security.AccessController.checkPermission(AccessController.java:546)
at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
at java.lang.SecurityManager.checkRead(SecurityManager.java:871)
at java.io.File.exists(File.java:731)
at java.io.File.mkdirs(File.java:1181)
at org.palettelabs.comm.desktopcapture.pim.Library.extract(Library.java:31)
at org.palettelabs.comm.desktopcapture.libs.compress.linux32.Linux32.compress(Linux32.java:17)
at org.palettelabs.comm.desktopcapture.ui.UploadingWorker$1.run(UploadingWorker.java:77)
at org.palettelabs.comm.desktopcapture.ui.UploadingWorker$1.run(UploadingWorker.java:1)
at java.security.AccessController.doPrivileged(Native Method)
at org.palettelabs.comm.desktopcapture.ui.UploadingWorker.compress(UploadingWorker.java:72)
at org.palettelabs.comm.desktopcapture.ui.UploadingWorker.doInBackground(UploadingWorker.java:57)
at org.palettelabs.comm.desktopcapture.ui.UploadingWorker.doInBackground(UploadingWorker.java:1)
at javax.swing.SwingWorker$1.call(SwingWorker.java:277)
at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:303)
at java.util.concurrent.FutureTask.run(FutureTask.java:138)
at javax.swing.SwingWorker.run(SwingWorker.java:316)
at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
at java.lang.Thread.run(Thread.java:662)
推荐答案
安装一个自定义安全管理器,允许来自正确代码库(包,无论什么..)的代码执行该操作.
Install a custom security manager that allows code from the right code base (package, whatever..) to perform that action.
为此,调用System.setSecurityManager(myManager)
.(如您所想)myManager
是 安全管理器.
To do that, call System.setSecurityManager(myManager)
. (As you managed to figure) myManager
is an extension of SecurityManager.
它需要一个受信任的小程序来设置安全管理器.
It requires a trusted applet to set a security manager.
这篇关于签名的小程序使用 URLClassLoader 加载签名的 jar 文件,但存在安全问题的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!