How can I pass arbitrary system properties whose values may change to a signed Java RIA (applet, webstart) via JNLP?


Problem description


Due to tighter security restrictions in 7u51, due in January, I'm trying to sign my JNLP file.

Our application requires certain custom system properties to be set, and the values of some of those properties are different depending on where the applet is being deployed. I would like to avoid having to re-sign the JAR containing the JNLP template for each deployment.

The naive approach of putting <property name="my-prop" value="*"/> in the JNLP template does not work.

Even with <property name="my-prop" value="fixed-value"/> in the template, I sometimes get a dialog saying "This application is going to perform an insecure operation. Do you want to continue?".

What's the right way to pass system properties in to a signed Java RIA?

Solution

On both counts, your application will need to add some trivial code to be executed at start-up, in order to work around these two issues.

Wildcards Not Allowed in Property Values

The JNLP specification says:

It is expected that a JNLP Client will blacklist (or restrict) certain jnlp elements and argument values such as "java-vm-args" or property "name" and "value" to maintain security. The exact list is up to the individual JNLP Client implementations.

In fact, the Oracle implementation (at least in 7u45) does blacklist the value attribute of the <property/> element -- it cannot be wildcarded. I've been unable to locate any reasoning behind this decision, but there it is.

The webstart work-around allows arbitrary property names as well as values; the applet work-around requires that the names of the properties be known at code-signing time.

Work-around: Webstart

In your JNLP file, include a number of wildcard arguments:

<application-desc main-class="com.example.YourMainClass">
  <argument>*</argument>
  <argument>*</argument>
</application-desc>

In your application's main method, parse these arguments and copy them into system properties using System.setProperty(), skipping over arguments that still have the literal value "*". I recommend simply splitting each argument on the first occurrence of "=". (If your application already takes regular arguments as well, you'll have to get a bit more creative.)

Work-around: Applet

In your JNLP file, include parameters defining the system properties that need to be set:

<applet-desc main-class="com.example.YourMainClassApplet">
  <param name="SYS_PROPERTY_PARAMETERS" value="prop1,prop2"/>
  <param name="prop1" value="*"/>
  <param name="prop2" value="*"/>
</applet-desc>

In your Applet.init() method, get the value of the SYS_PROPERTY_PARAMETERS parameter, and iterate over it to get the value of each parameter. If it is not the literal "*", copy it to a system property using System.setProperty().

"Insecure Operation" dialog

This is a bug in the Oracle plugin that is triggered by the use of LiveConnect (Java <-> JavaScript interaction).

Work-around: "secure" property prefixes

Prefix all system properties set via <property/> elements in the JNLP with "jnlp.":

<property name="jnlp.my-prop" value="fixed-value"/>

Then in your application's main() or Applet.init() method, iterate over a copy of System.getProperties() and, if the property name starts with "jnlp.", copy its value into a property of the same name with that prefix stripped off. (Iterating over the copy is necessary to avoid a ConcurrentModificationException.)

Gotcha: JNLP template validator considers order of XML attributes

Finally, if your process of filling in the values for the properties could cause attributes of other elements in the JNLP document to be reordered, this may cause the JNLP template validation to fail. (Parsing the JNLP with a DOM parser, filling in the wildcards, and streaming it back out using StreamResult is one way this could happen.) For example, I had these two multi-attribute elements, and the order of the elements had to match:

<jnlp codebase="*" spec="1.0+">
<j2se java-vm-args="-Xms256M -Xmx512M -XX:MaxPermSize=256m" version="1.6+"/>
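
The start-up code described in the Webstart work-around and the "jnlp." prefix work-around above, as an added Java example that is not part of the original answer. The class name, the sample values and the allow-list are assumptions; the allow-list is an addition, included because wildcard argument values are filled in after the template is signed.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Properties;
import java.util.Set;

public class JnlpPropertyBootstrap {
    // Hypothetical allow-list (not in the original answer): wildcard arguments are
    // filled in after signing, so only names the application expects are accepted.
    private static final Set<String> ALLOWED =
            new HashSet<String>(Arrays.asList("prop1", "prop2"));

    // Webstart work-around: copy "name=value" arguments into system properties.
    static int applyArguments(String[] args) {
        int applied = 0;
        for (String arg : args) {
            if ("*".equals(arg)) continue;          // wildcard that was never filled in
            int eq = arg.indexOf('=');              // split on the first '=' only
            if (eq <= 0) continue;                  // empty name, or not name=value
            String name = arg.substring(0, eq);
            if (!ALLOWED.contains(name)) continue;  // unexpected property name: ignore
            System.setProperty(name, arg.substring(eq + 1));
            applied++;
        }
        return applied;
    }

    // "jnlp." work-around: re-publish each jnlp.X property from the JNLP as X.
    static int stripJnlpPrefix() {
        final String prefix = "jnlp.";
        int copied = 0;
        // Iterate over a copy, because setProperty() modifies the live table.
        Properties snapshot = (Properties) System.getProperties().clone();
        for (String name : snapshot.stringPropertyNames()) {
            if (name.startsWith(prefix) && name.length() > prefix.length()) {
                System.setProperty(name.substring(prefix.length()), snapshot.getProperty(name));
                copied++;
            }
        }
        return copied;
    }

    public static void main(String[] args) {
        // Constructed sample input standing in for filled-in JNLP arguments.
        String[] sample = {"prop1=a=b", "*", "java.security.policy=x"};
        System.setProperty("jnlp.my-prop", "fixed-value");
        System.out.println(applyArguments(sample) + " set from arguments, "
                + stripJnlpPrefix() + " copied from jnlp.* properties");
    }
}
```

In a real deployment, call applyArguments(args) with the arguments passed to main() instead of the sample array.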
