签名的小程序使用 URLClassLoader 加载签名的 jar 文件,但存在安全问题 [英] Signed applet loads signed jar-files using URLClassLoader with security issue

查看:32
本文介绍了签名的小程序使用 URLClassLoader 加载签名的 jar 文件,但存在安全问题的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

我有一个签名的小程序.为了实现一些插件架构,我下载了一个带有特定类的 JAR 文件并将其存储到磁盘.

I have a signed applet. To implement some plugin architecture I download and store to disk a JAR file with specific classes.

然后我用 URLCLassLoader 加载这些类.所以,现在我尝试从加载的类中调用一些方法,但我遇到了安全问题.

Then I load these classes with URLCLassLoader. So, now I try to invoke some method from loaded class and I have a security issue.

当类加载为 URLClassLoaded 时,SecurityManager 似乎无法检查sign-token".有人知道如何解决这个问题吗?

It seems to "sign-token" cannot be checked by SecurityManager when class loaded be URLClassLoaded. Anybody know how to solve this problem?

非常感谢!

正在加载.

URLClassLoader loader = new URLClassLoader(new URL[] {libraryArchive.toURI().toURL()}, Compress.class.getClassLoader());

调用.

...
org.palettelabs.comm.desktopcapture.pim.Library lib = libraryClass.newInstance();
                final Compress compressingLibrary = (Compress) lib;
                File file = AccessController.doPrivileged(new PrivilegedExceptionAction<File>() {

                    @Override
                    public File run() {
                        try {
                            File file = compressingLibrary.compress(filesList);
                            return file;
                        } catch (Exception e) {
                            Logger.error("applet: compress: invocation external library error", e);
                            return null;
                        }
                    }

                });

异常.

2011-09-16 16:00:08,550 [SwingWorker-pool-1-thread-4] ERROR - applet: compress: invocation external library error
java.security.AccessControlException: access denied (java.io.FilePermission /tmp/dca-palettelabs-storage/test/compress/linux32ffmpeg.jar-extractedFiles/org/palettelabs/
comm/desktopcapture/libs/compress/linux32 read)
        at java.security.AccessControlContext.checkPermission(AccessControlContext.java:374)
        at java.security.AccessController.checkPermission(AccessController.java:546)
        at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
        at java.lang.SecurityManager.checkRead(SecurityManager.java:871)
        at java.io.File.exists(File.java:731)
        at java.io.File.mkdirs(File.java:1181)
        at org.palettelabs.comm.desktopcapture.pim.Library.extract(Library.java:31)
        at org.palettelabs.comm.desktopcapture.libs.compress.linux32.Linux32.compress(Linux32.java:17)
        at org.palettelabs.comm.desktopcapture.ui.UploadingWorker$1.run(UploadingWorker.java:77)
        at org.palettelabs.comm.desktopcapture.ui.UploadingWorker$1.run(UploadingWorker.java:1)
        at java.security.AccessController.doPrivileged(Native Method)
        at org.palettelabs.comm.desktopcapture.ui.UploadingWorker.compress(UploadingWorker.java:72)
        at org.palettelabs.comm.desktopcapture.ui.UploadingWorker.doInBackground(UploadingWorker.java:57)
        at org.palettelabs.comm.desktopcapture.ui.UploadingWorker.doInBackground(UploadingWorker.java:1)
        at javax.swing.SwingWorker$1.call(SwingWorker.java:277)
        at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:303)
        at java.util.concurrent.FutureTask.run(FutureTask.java:138)
        at javax.swing.SwingWorker.run(SwingWorker.java:316)
        at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
        at java.lang.Thread.run(Thread.java:662)

推荐答案

安装一个自定义安全管理器,允许来自正确代码库(包,无论什么..)的代码执行该操作.

Install a custom security manager that allows code from the right code base (package, whatever..) to perform that action.

为此,调用System.setSecurityManager(myManager).(如您所想)myManager安全管理器.

To do that, call System.setSecurityManager(myManager). (As you managed to figure) myManager is an extension of SecurityManager.

它需要一个受信任的小程序来设置安全管理器.

It requires a trusted applet to set a security manager.

这篇关于签名的小程序使用 URLClassLoader 加载签名的 jar 文件,但存在安全问题的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!

查看全文
登录 关闭
扫码关注1秒登录
发送“验证码”获取 | 15天全站免登陆