java jre 7u45中断了classloader.getResources()? [英] java jre 7u45 breaks classloader.getResources()?
问题描述
我有代码迭代classLoader.getResources(META-INF / MANIFEST.MF)的结果,以返回类路径上的jar列表。这从1.6.0_18一直到1.7.0_40都很好。现在1.7.0_45通过显示关于混合签名/未签名代码的安全警告弹出窗口打破了这一点。
I have code to iterate over the results of classLoader.getResources("META-INF/MANIFEST.MF") to return the list of jars on the class path. This worked fine from 1.6.0_18 all the way to 1.7.0_40. Now 1.7.0_45 breaks this by showing a security warning popup about mixed signed/unsigned code.
用于演示问题的小型自包含测试用例:
Small self contained testcase to demonstrate problem:
package testcase;
import java.io.*;
import java.net.*;
import java.util.Enumeration;
import java.util.logging.*;
public class TestCase {
public static void main(String[] args) {
getAllJarUrls();
}
public static void getAllJarUrls() {
try {
final Enumeration<URL> mfUrls = Thread.currentThread().getContextClassLoader().getResources("META-INF/MANIFEST.MF");
while (mfUrls.hasMoreElements()) {
URL jarUrl = mfUrls.nextElement();
if (!jarUrl.getProtocol().equals("jar")) {
continue;
}
try {
System.out.println(jarUrl.toURI());
} catch (URISyntaxException ex) {
Logger.getLogger("testcase").log(Level.SEVERE, null, ex);
}
}
} catch (IOException e) {
Logger.getLogger("testcase").log(Level.SEVERE, null, e);
}
}
}
用jnlp启动它(用有效证书签名的jar):
Launch this with a jnlp (jar signed with a valid certificate) as:
<?xml version="1.0" encoding="UTF-8"?>
<jnlp spec="1.0+" codebase="http://localhost/test" href="test.jnlp">
<information>
<title>test</title>
<vendor>test</vendor>
</information>
<security><all-permissions/></security>
<resources>
<jar href="testcase.jar" main="true" download="eager"/>
</resources>
<application-desc main-class="testcase.TestCase"/>
</jnlp>
运行时,让控制台可见,点击5进行详细输出。然后单击安全提示上的阻止以查看异常。单击允许将使代码正常运行, 但这不是可接受的用户体验 。特别是因为我们的应用程序必须能够在没有用户输入的情况下启动。
When run, have the console visible, and hit '5' for verbose output. then click 'block' on the security prompt to see the exception. Clicking allow will let the code run normally, but this is not an acceptable user experience. especially since our application has to be able to start without user input.
1.7.0_45下的输出如下:
Output under 1.7.0_45 is as follows:
CacheEntry[http://localhost/test/testcase.jar]: updateAvailable=true,lastModified=Tue Oct 15 21:09:21 CDT 2013,length=6314
jar:file:/C:/jre32/1.7.0_45/lib/javaws.jar!/META-INF/MANIFEST.MF
jar:file:/C:/jre32/1.7.0_45/lib/deploy.jar!/META-INF/MANIFEST.MF
jar:file:/C:/jre32/1.7.0_45/lib/plugin.jar!/META-INF/MANIFEST.MF
jar:file:/C:/jre32/1.7.0_45/lib/deploy.jar!/META-INF/MANIFEST.MF
Trace level set to 5: all ... completed.Trace level set to 5: all ... completed.
security: resource name "META-INF/MANIFEST.MF" in http://localhost/test/testcase.jar : java.lang.SecurityException: trusted loader attempted to load sandboxed resource from http://localhost/test/testcase.jar
testcase.jar已签名。它甚至包含所有新的清单属性:
应用程序名称:testcase
权限:所有权限
代码库:*
The testcase.jar is signed. It even has all the new manifest attributes included: Application-Name: testcase Permissions: all-permissions Codebase: *
从7u40到7u45的deploy.jar中反编译的CPCallBackHandler的差异显示出显着的变化。看起来LiveConnect的更改已经破坏了现有的功能。不,这里没有涉及LiveConnect。
A diff of the decompiled CPCallBackHandler from deploy.jar from 7u40 to 7u45 shows significant changes. It looks like the changes for LiveConnect have borked the existing functionality. And no, there's no LiveConnect involved here.
是否有其他人遇到此问题?建议解决方法?提交错误?
Has anyone else run into this? Suggestions for a workaround? File a bug?
(注意:也发布在OTN java论坛上,但我希望在这里有更快的答案:)。
(note: also posted on the OTN java forums, but I'm hoping for a faster answer here :).
谢谢,
Chris
Thanks, Chris
推荐答案
将此添加到jar的清单中: / p>
Add this to the manifest of the jar:
Trusted-Library: true
记录这里。
这篇关于java jre 7u45中断了classloader.getResources()?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
