How to grant dependent lib in jnlp file all permissions?

Problem description

I have a serious problem with Java Web Start that I can't get my head around. The situation is the following: I have a JavaFX app, written in Java 8, that I want to deploy using Java WebStart. Until recently I used HTTP for communications with a server, and everything worked fine. I could deploy the app using Web Start embedded in the browser or as a standalone app.

However I have now changed the communication to use WebSockets. For this I am currently using the tyrus implementation. And now comes the problem: Since I have added the tyrus lib, I always get an AccessControlException when tyrus tries to access a system property:

Caused by: java.security.AccessControlException: access denied ("java.util.PropertyPermission" "weblogic.websocket.client.max-aio-threads" "read")
at java.security.AccessControlContext.checkPermission(Unknown Source) ~[na:1.8.0_25]
at java.security.AccessController.checkPermission(Unknown Source) ~[na:1.8.0_25]
at java.lang.SecurityManager.checkPermission(Unknown Source) ~[na:1.8.0_25]
at sun.plugin2.applet.FXAppletSecurityManager.checkPermission(Unknown Source) ~[na:na]
at java.lang.SecurityManager.checkPropertyAccess(Unknown Source) ~[na:1.8.0_25]
at java.lang.System.getProperty(Unknown Source) ~[na:1.8.0_25]
at org.glassfish.tyrus.container.jdk.client.JdkClientContainer.openClientSocket(JdkClientContainer.java:106) ~[na:na]

However I can easily access exactly this property from any of my own classes, e.g. if I do this

logger.info(System.setProperty(ClientManager.WLS_MAX_THREADS, "1"));
logger.info(System.getProperty(ClientManager.WLS_MAX_THREADS));

I get the expected result with no security problems.

Of course I have made sure that all jars are fully signed, all jars have the Permissions: all-permissions flag in their Manifest.MF files, and the jnlp does have the required <security><all-permissions /></security> tag.

Apart from this I also tried using the jetty websocket implementation, however this gave me exactly the same problems.

So does anybody have an idea why the tyrus code is not able to access the same system property as the main code?

Recommended answer

Ok, thanks for the help, I finally found the answer. The hint by @Tom Hawtin gave me the right clue, I still need to wrap the call to webSocket.connectToClient() in AccessController.doPrivileged() to get full rights in the dependent code.

However I still don't fully understand why signed code with Permissions: all-permissions is not trusted, maybe I should read up on the WebStart security model.

Ok, after playing around much more and finding more weird bugs I found the real problem: When I integrated the WebSockets into the application I made heavy use of the CompletableFuture.xxxAsync() methods. And by default those are running on the common ForkJoinPool, which in turn runs on special threads (InnocuousForkJoinWorkerThread) if a security manager is present (as is obviously the case using jnlp). And those don't have any permissions whatsoever, which correctly triggered all those errors.

So the solution is to use a custom Executor for the xxxAsync(xxx, executor) calls.
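
The fix described in the answer, as an added example that is not part of the original post: the same task is submitted through the default supplyAsync overload and through the Executor overload, and each reports which thread class ran it. The class name and the helpers newAppExecutor and readProperty are hypothetical; the property name is the one from the stack trace in the question.

```java
import java.util.concurrent.*;
import java.util.concurrent.atomic.AtomicInteger;

public class AsyncExecutorExample {
    // Property name copied from the AccessControlException in the question.
    static final String PROP = "weblogic.websocket.client.max-aio-threads";

    // Hypothetical helper: a small pool of ordinary daemon threads created by
    // application code, instead of the common pool's innocuous worker threads.
    static ExecutorService newAppExecutor(int size) {
        AtomicInteger n = new AtomicInteger();
        ThreadFactory tf = r -> {
            Thread t = new Thread(r, "app-async-" + n.incrementAndGet());
            t.setDaemon(true); // do not keep the JVM alive after the UI exits
            return t;
        };
        return Executors.newFixedThreadPool(size, tf);
    }

    // Reads the property and reports which thread class did the work.
    static String readProperty() {
        Thread t = Thread.currentThread();
        return t.getClass().getSimpleName() + "[" + t.getName() + "] -> "
                + System.getProperty(PROP);
    }

    public static void main(String[] args) {
        System.setProperty(PROP, "1");
        ExecutorService appExecutor = newAppExecutor(2);
        try {
            // Default overload: runs on ForkJoinPool.commonPool(). With a
            // security manager installed (Web Start) the worker is an
            // InnocuousForkJoinWorkerThread and getProperty() is denied.
            CompletableFuture<String> onCommonPool =
                    CompletableFuture.supplyAsync(AsyncExecutorExample::readProperty);
            // Executor overload: the same task on an application-owned thread.
            CompletableFuture<String> onAppPool =
                    CompletableFuture.supplyAsync(AsyncExecutorExample::readProperty, appExecutor);
            System.out.println("custom executor: " + onAppPool.join());
            // handle() keeps a denied permission check from aborting the demo.
            System.out.println("common pool:     "
                    + onCommonPool.handle((v, e) -> e == null ? v : "failed: " + e).join());
        } finally {
            appExecutor.shutdown();
        }
    }
}
```

A new thread captures the access-control context of the code that creates it, so create and first use the executor from the application's own signed code rather than from inside a common-pool task.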
