签署 jnlp 以摆脱安全警告 [英] Signing a jnlp in order to get rid of the Security Warning

问题描述

我在一家公司开发，其中 jnlp 文件用于启动基于 Swing Web 的 Java 应用程序.它有很多 jars 下载到客户端的 jvm 缓存.当我将 jvm 更新到其当前最新版本(版本 1.7.0_45-b18)时，当我尝试运行 jnlp 文件时，我开始看到下面的安全警告:

I am developing at a company where a jnlp file is used to start a swing web based java application. It has plenty of jars that are downloaded to the client's jvm cache. When I updated my jvm to its currently latest version (build 1.7.0_45-b18) I started seeing the security warning below when I try to run the jnlp file:

在我看到这个错误并阅读了这篇关于从 oracle 站点签署 jnlp 文件的文章后(签署 JNLP文件)然后我在项目中添加了三件事:

After I saw this error and read this article about signing jnlp files from oracle site( Signing JNLP files) then I added three things to the project:

1. 一个 JNLP-INF 文件夹，其中包含一个 APPLICATION.JNLP 文件到我的所有 jar 中，但第三方的除外.
2. 使用我自己公司的数字证书+密钥库包对所有这些 jar 进行签名
3. 通过java控制面板将数字证书导入我信任的jvm Ca证书中.

1. A JNLP-INF folder including an APPLICATION.JNLP file into all my jars except third party ones.
2. Signing all those jars with the digital certificate+keystore bundle of my own company
3. Importing the digital certificate into my trusted Ca certificates of jvm via java control panel.

在我进行上述更改并尝试在部署新 jar 后运行 jnlp 文件后，我从 jvm 收到以下安全警告消息:

After I did the changes above and tried to run the jnlp file after deployment of new jars I got the following Security warning message from jvm:

如您所见，安全警告的严重性级别已更改为更受欢迎的级别，现在发布者的名称并非未知.这是证书中的名称.即使警告级别降低了，它仍然是一个警告，我不希望我的最终用户每次都看到这个.我该如何解决这个问题?

As you can see the Security Warning's severity level is changed to a more welcoming level and now the publisher's name is not unknown.It is the name from the certificate. Even if the warning's level is decreased it is still a warning and I dont want my end users to see this everytime. How can I solve this problem?

1. 我是否也应该尝试签署所有第三方罐子?如果是这样，我怎样才能用 Ant 命令来做到这一点?如何提取第三方 jar 并在其中添加 JNLP-INF 文件夹，然后使用 Ant 将其重新打包为 jar?
2. 我是否还应该在最终的 myapplication.ear 文件中签名，其中包含 JNLP-INF 子文件夹.这个ear 文件部署到jboss 服务器吗?
3. 我应该在 jars 中的 META-INF/MANIFEST 文件中添加一些额外的行吗?
4. 我是否应该期望 oracle 以这种警告级别阻止我的应用程序在 jvm 上运行?

1. Should I try to sign all third part jars as well? If so how can I do it with an Ant command? How can I extract a third party jar and add the JNLP-INF folder in it and then repack it as a jar by using Ant?
2. Should I also sign the final myapplication.ear file with a JNLP-INF subfolder in it.This ear file is deployed to jboss server?
3. Should I add some extra lines to my META-INF/MANIFEST files in jars?
4. Should I be expecting oracle to block my application to run on jvm with this level of warning?

我的 JNLP 文件是这样的:

My JNLP file is this text:

<?xml version="1.0" encoding="utf-8"?>
    <jnlp spec="1.0+" codebase="http://10.100.10.9/ikarusdelhitest/" href="ikarus.jnlp">
<information>
    <title>Ikarus</title>
    <vendor>My Company name</vendor>
    <homepage href="http://www.mycompanyname.com" />
    <description>My jnlp triggered web based enterprise software</description>
    <icon href="ikarus.ico" />
    <offline-allowed />
</information>
<security>
    <all-permissions />
</security>
<resources>
    <j2se version="1.6+" href="http://java.sun.com/products/autodl/j2se"
        java-vm-args="-Xnoclassgc -Xincgc -client -XX:DefaultMaxRAM=208M -Xms64M -Xmx256M -XX:PermSize=32M -XX:MaxPermSize=128M -XX:MinHeapFreeRatio=15 -XX:MaxHeapFreeRatio=50" />
    <jar href="jars/ikarus/ikarusClient.jar" />
    <jar href="jars/ikarus/ikarusDelegators.jar" />
    <jar href="jars/ikarus/clientRules.jar" />
    <jar href="jars/ikarus/ruleImps.jar" />
    <jar href="jars/ikarus/ikarusUtil.jar" />
    <jar href="jars/ikarus/ikarusResources.jar" />
    <jar href="jars/ikarus/domain.jar" />
    <jar href="jars/ikarus/domain_repository.jar" />
    <jar href="jars/ikarus/domain_service.jar" />
    <jar href="jars/ikarus/app_repository.jar" />
    <jar href="jars/ikarus/app_service.jar" />
    <jar href="jars/ikarus/infrastructure.jar" />
    <jar href="jars/ikarus/integration_domain.jar" />
    <jar href="jars/jboss_ejb_auth/ejb3-persistence.jar" />
    <jar href="jars/jboss_ejb_auth/jboss-ejb3x.jar" />
    <jar href="jars/jboss_ejb_auth/jbossall-client.jar" />
    <jar href="jars/jasper/commons-beanutils-1.8.0.jar" />
    <jar href="jars/jasper/commons-collections-3.2.1.jar" />
    <jar href="jars/jasper/commons-digester-1.7.jar" />
    <jar href="jars/jasper/commons-logging-1.1.jar" />
    <jar href="jars/jasper/iText-2.1.0.jar" />
    <jar href="jars/jasper/jasperreports-3.6.0.jar" />
    <jar href="jars/jasper/poi-3.2-FINAL-20081019.jar" />
    <property name="jnlp.localization" value="Delhi"/>
</resources>
<application-desc main-class="com.celebi.ikarus.main.Ikarus" />

感谢您的任何帮助/评论/头脑风暴.

Thanks for any help/comment/brain storming.

推荐答案

这个 JNLP 似乎需要签名，因为 java-vm-args 但意识到大部分内存相关的选项都可以在一种使 JNLP 不需要签名的方法.我建议您改为尝试这种方式.

This JNLP seems to need signing because of java-vm-args but realize that most of the memory related options can be specified in a way so that the JNLP does not need to be signed. I recommend you try that way instead.

编辑

JNLP 是 Java Plug-In 的一部分，该插件已从浏览器中删除并被 Oracle 围绕 Java 9 弃用.使用其他方法启动应用程序.

JNLP was part of the Java Plug-In which was removed from browsers and deprecated by Oracle around Java 9. Use other methods to launch apps.

这篇关于签署 jnlp 以摆脱安全警告的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！