java jre 7u45 breaks classloader.getResources()?

Problem description

I have code to iterate over the results of classLoader.getResources("META-INF/MANIFEST.MF") to return the list of jars on the class path. This worked fine from 1.6.0_18 all the way to 1.7.0_40. Now 1.7.0_45 breaks this by showing a security warning popup about mixed signed/unsigned code.

Small self contained testcase to demonstrate problem:

package testcase;
import java.io.*;
import java.net.*;
import java.util.Enumeration;
import java.util.logging.*;
public class TestCase {
    public static void main(String[] args) {
        getAllJarUrls();
    }

    public static void getAllJarUrls() {
        try {
            final Enumeration<URL> mfUrls = Thread.currentThread().getContextClassLoader().getResources("META-INF/MANIFEST.MF");
            while (mfUrls.hasMoreElements()) {
                URL jarUrl = mfUrls.nextElement();
                if (!jarUrl.getProtocol().equals("jar")) {
                    continue;
                }
                try {
                    System.out.println(jarUrl.toURI());
                } catch (URISyntaxException ex) {
                    Logger.getLogger("testcase").log(Level.SEVERE, null, ex);
                }
            }
        } catch (IOException e) {
            Logger.getLogger("testcase").log(Level.SEVERE, null, e);
        }
    }
}

Launch this with a jnlp (jar signed with a valid certificate) as:

<?xml version="1.0" encoding="UTF-8"?>
<jnlp spec="1.0+" codebase="http://localhost/test" href="test.jnlp">
    <information>
        <title>test</title>
        <vendor>test</vendor>
    </information>
    <security><all-permissions/></security>
    <resources>
        <jar href="testcase.jar" main="true" download="eager"/>
    </resources>
    <application-desc main-class="testcase.TestCase"/>
</jnlp>

When run, have the console visible, and hit '5' for verbose output. Then click 'block' on the security prompt to see the exception. Clicking allow will let the code run normally, but this is not an acceptable user experience, especially since our application has to be able to start without user input.

Output under 1.7.0_45 is as follows:

CacheEntry[http://localhost/test/testcase.jar]: updateAvailable=true,lastModified=Tue Oct 15 21:09:21 CDT 2013,length=6314
jar:file:/C:/jre32/1.7.0_45/lib/javaws.jar!/META-INF/MANIFEST.MF
jar:file:/C:/jre32/1.7.0_45/lib/deploy.jar!/META-INF/MANIFEST.MF
jar:file:/C:/jre32/1.7.0_45/lib/plugin.jar!/META-INF/MANIFEST.MF
jar:file:/C:/jre32/1.7.0_45/lib/deploy.jar!/META-INF/MANIFEST.MF
Trace level set to 5: all ... completed.Trace level set to 5: all ... completed.
security: resource name "META-INF/MANIFEST.MF" in http://localhost/test/testcase.jar : java.lang.SecurityException: trusted loader attempted to load sandboxed resource from http://localhost/test/testcase.jar

The testcase.jar is signed. It even has all the new manifest attributes included:

Application-Name: testcase
Permissions: all-permissions
Codebase: *

A diff of the decompiled CPCallBackHandler from deploy.jar from 7u40 to 7u45 shows significant changes. It looks like the changes for LiveConnect have borked the existing functionality. And no, there's no LiveConnect involved here.

Has anyone else run into this? Suggestions for a workaround? File a bug?

(note: also posted on the OTN java forums, but I'm hoping for a faster answer here :).

Thanks, Chris

Recommended answer

Add this to the manifest of the jar:

Trusted-Library: true

Documented here.
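
A pre-release check for the manifest attributes discussed above, as an added example that is not part of the original question or answer: it reads a JAR's main manifest section and reports which of the four attributes named on this page are missing or noteworthy. The class name `ManifestAudit`, the finding strings and the embedded sample manifest are assumptions made for illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import java.util.jar.Attributes;
import java.util.jar.JarFile;
import java.util.jar.Manifest;

// Hypothetical helper class, not from the page: audits deployment attributes in a manifest.
public class ManifestAudit {
    // Attributes named on this page: three from the question, one from the answer.
    static final String[] EXPECTED = {
        "Application-Name", "Permissions", "Codebase", "Trusted-Library"
    };

    /** Returns one finding per missing or noteworthy main-section attribute. */
    static List<String> audit(Manifest mf) {
        Attributes main = mf.getMainAttributes();
        List<String> findings = new ArrayList<>();
        for (String name : EXPECTED) {
            String value = main.getValue(name);   // attribute names are case-insensitive
            if (value == null) {
                findings.add("missing: " + name);
            } else if (name.equals("Codebase") && value.trim().equals("*")) {
                findings.add("wildcard: Codebase does not restrict the serving host");
            } else if (name.equals("Trusted-Library") && !value.trim().equalsIgnoreCase("true")) {
                findings.add("not set to true: Trusted-Library");
            }
        }
        return findings;
    }

    public static void main(String[] args) throws IOException {
        Manifest mf;
        if (args.length == 1) {
            try (JarFile jar = new JarFile(args[0])) {
                mf = jar.getManifest();           // null when the JAR has no manifest
            }
            if (mf == null) { System.out.println("no manifest"); return; }
        } else {
            // Constructed sample: the manifest attributes listed in the question.
            String sample = "Manifest-Version: 1.0\r\nApplication-Name: testcase\r\n"
                + "Permissions: all-permissions\r\nCodebase: *\r\n\r\n";
            mf = new Manifest(new ByteArrayInputStream(sample.getBytes(StandardCharsets.UTF_8)));
        }
        audit(mf).forEach(System.out::println);
    }
}
```

Run it with a JAR path as the only argument to audit a real file, or with no arguments to audit the constructed sample. Changing the manifest of a JAR that is already signed invalidates its signature, so the JAR has to be signed again after the attribute is added.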
