JSE 1.8,Sandbox Java Applet通过HTTPS加载,但是使用HTTP检索了crossdomain.xml [英] JSE 1.8, Sandbox Java Applet loaded over HTTPS, but crossdomain.xml retrieved using HTTP
问题描述
大家好,所有Java / Applet大师,
Hi all Java/Applet gurus,
我偶然发现了最新JDK版本(1.8.0_b26)的一个有趣问题。
I've stumbled upon an interesting problem with the latest JDK build (1.8.0_b26).
当使用最新的JDK运行Sandbox Java Applet时,我们尝试使用不同的协议连接回服务器 - 而不是原始的HTTPS我们使用WSS(安全的Websockets连接,我们使用)第三方Websockets客户端Java库)。结果,JVM尝试从服务器检索 crossdomain.xml 文件。问题是,使用HTTP(而不是HTTPS)协议检索文件。
When running Sandbox Java Applet with the latest JDK, from within Java code we try to connect back to the server with a different protocol - instead of original HTTPS we use WSS (secured Websockets connection, we use third party Websockets Client Java library). As the result, JVM tries to retrieve crossdomain.xml file from the server. The problem is, that the file is retrieved using HTTP (and not HTTPS) protocol.
例如,在我们的例子中,服务器IP是192.168.1.1,applet是通过HTTPS默认端口(443)加载的。在Java控制台中使用跟踪级别5,我们看到从 http://192.168.1.1:443 crossdomain.xml C>。当然它不起作用,因为服务器只侦听端口443(而不是HTTP)上的HTTPS连接。
For example, in our case the server IP is 192.168.1.1, the applet is loaded over HTTPS default port (443). Using trace level 5 in Java console we see that the crossdomain.xml is retrieved from http://192.168.1.1:443. And of course it doesn't work because the server listens only for HTTPS connections on port 443 (and not HTTP).
另一方面,当我们使用HTTP协议时并且向服务器打开新的WS(不安全的Websockets连接),问题没有出现,因为从 http://192.168.1.1:80 检索了crossdomain.xml,这是完全正确的。
On the other hand, when we use HTTP protocol and open new WS (unsecured Websockets connection) to the server, the problem doesn't appear, because crossdomain.xml is retrieved from http://192.168.1.1:80 and it is completely correct.
随着问题的进一步调查,我们进行了更多的观察:
As the problem was further investigated, we've made few more observations:
-
可以使用
jnlp.altCrossDomainXMLFiles crossdomain.xml文件的替代位置c> Java VM参数。我们永远不会成功使这个参数适用于我们(在java_arguments列表和单独的applet参数中都尝试过)。可能的原因可能是该参数仅应与Webstart应用程序一起使用(尽管它不是专门针对规范编写的)。
It is possible to provide alternative location of
crossdomain.xmlfile usingjnlp.altCrossDomainXMLFilesJava VM parameter. We've never succeed to make this parameter work for us though (tried both in java_arguments list and as lone applet parameter). The possible reason might be that the parameter should be used only with Webstart application (although it is not written specifically in specs).
在建立Websockets连接时,连接堆栈跟踪如下:
While establishing Websockets connection, the connection stack trace is as follows:
at sun.net.www.http。 HttpClient.parseHTTPHeader(HttpClient.java:790)at
sun.net.www.http.HttpClient.parseHTTP(HttpClient.java:647)at
sun.net.www.http.HttpClient.parseHTTPHeader( HttpClient.java:787)at
sun.net.www.http.HttpClient.parseHTTP(HttpClient.java:647)at
sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection。 java:1534)
at
sun.net.www.protocol.http.HttpURLConnection.access $ 200(HttpURLConnection.java:90)
at
sun.net.www.protocol .http.HttpURLConnection $ 9.run(HttpURLConnection.java:1431)
at
sun.net.www.protocol.http.HttpURLConnection $ 9.run(HttpURLConnection.java:1429)
at java 。安全。
的AccessController.doPrivileged(Native Method)java.security.AccessController.doPrivileged(AccessController.java:713)
at
sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection) .java:1428)
at com.sun.deploy.net.CrossDomainXML.check(Unknown Source)at
com.sun.deploy.net.CrossDomainXML.check(Unknown Source)at
sun.plugin2.applet.SecurityManagerHelper.checkConnectHelper(未知
来源)
sun.plugin2.applet.AWTAppletSecurityManager.checkConnect(未知
来源)
sun.nio.ch. SocketChannelImpl.connect(SocketChannelImpl.java:624)
at sun.net.www.http.HttpClient.parseHTTPHeader(HttpClient.java:790) at sun.net.www.http.HttpClient.parseHTTP(HttpClient.java:647) at sun.net.www.http.HttpClient.parseHTTPHeader(HttpClient.java:787) at sun.net.www.http.HttpClient.parseHTTP(HttpClient.java:647) at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1534) at sun.net.www.protocol.http.HttpURLConnection.access$200(HttpURLConnection.java:90) at sun.net.www.protocol.http.HttpURLConnection$9.run(HttpURLConnection.java:1431) at sun.net.www.protocol.http.HttpURLConnection$9.run(HttpURLConnection.java:1429) at java.security.AccessController.doPrivileged(Native Method) at java.security.AccessController.doPrivileged(AccessController.java:713) at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1428) at com.sun.deploy.net.CrossDomainXML.check(Unknown Source) at com.sun.deploy.net.CrossDomainXML.check(Unknown Source) at sun.plugin2.applet.SecurityManagerHelper.checkConnectHelper(Unknown Source) at sun.plugin2.applet.AWTAppletSecurityManager.checkConnect(Unknown Source) at sun.nio.ch.SocketChannelImpl.connect(SocketChannelImpl.java:624)
所以我们查看了CrossDomainXML.java类的最新公开源代码(返回从2010年开始)。从代码中可以看出,无论原始浏览器连接是什么,从服务器检索 crossdomain.xml 文件时都会使用http连接。
So we looked at the latest publicly available source code of CrossDomainXML.java class (back from 2010 though). And from the code it is evident, that http connection is always used while retrieving crossdomain.xml file from server, regardless what is the original browser connection.
所以问题是:
-
可能是JDK错误或严格使用
crossdomain.xml的HTTP是否符合设计?
Might it be a JDK bug or the strict usage of HTTP for
crossdomain.xmlis by design?
jnlp.altCrossDomainXMLFiles Sandbox小程序内支持JVM参数?
Is jnlp.altCrossDomainXMLFiles JVM parameter supported inside Sandbox applet?
有没有办法访问最新版本的 com.sun .deploy.net.CrossDomainXML.java 源代码,以全面了解正在发生的事情?
Is there a way access the latest version of com.sun.deploy.net.CrossDomainXML.java source code to get a full picture of what is going on?
非常感谢您提前。
祝你好运,
马克
Best regards, Mark
推荐答案
我们在init-process早期的applet中使用它(applet构造函数)并且它可以工作:
We use it like this in an applet early in the init-process (applet constructor) and it works:
try
{
System.setProperty("jnlp.altCrossDomainXMLFiles", //
"http://www.some-domain.de/crossdomain.xml" //
+ ",https://www.secure-domain.de:8443/crossdomain.xml" //
);
}
catch (Exception e)
{
e.printStackTrace();
}
这篇关于JSE 1.8,Sandbox Java Applet通过HTTPS加载,但是使用HTTP检索了crossdomain.xml的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
