Java 签署 jnlp 以摆脱安全警告
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/20947154/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Signing a jnlp in order to get rid of the Security Warning
提问by ali kerim erkan
I am developing at a company where a jnlp file is used to start a swing web based java application. It has plenty of jars that are downloaded to the client's jvm cache. When I updated my jvm to its currently latest version (build 1.7.0_45-b18) I started seeing the security warning below when I try to run the jnlp file:
我正在一家公司开发,其中 jnlp 文件用于启动基于 Swing Web 的 Java 应用程序。它有很多 jars 下载到客户端的 jvm 缓存。当我将 jvm 更新到其当前最新版本(版本 1.7.0_45-b18)时,当我尝试运行 jnlp 文件时,我开始看到下面的安全警告:
After I saw this error and read this article about signing jnlp files from oracle site( Signing JNLP files) then I added three things to the project:
在我看到这个错误并阅读了这篇关于从 oracle 站点签署 jnlp 文件的文章(签署 JNLP 文件)之后,我在项目中添加了三件事:
- A JNLP-INFfolder including an APPLICATION.JNLPfile into all my jars except third party ones.
- Signing all those jars with the digital certificate+keystore bundle of my own company
- Importing the digital certificate into my trusted Ca certificates of jvm via java control panel.
- 一个JNLP-INF文件夹,包括一个APPLICATION.JNLP文件到我所有的罐子里,除了第三方的罐子。
- 使用我自己公司的数字证书+密钥库包对所有这些 jar 进行签名
- 通过java控制面板将数字证书导入我信任的jvm的Ca证书。
After I did the changes above and tried to run the jnlp file after deployment of new jars I got the following Security warning message from jvm:
在完成上述更改并尝试在部署新 jar 后运行 jnlp 文件后,我从 jvm 收到以下安全警告消息:
As you can see the Security Warning's severity level is changed to a more welcoming level and now the publisher's name is not unknown.It is the name from the certificate. Even if the warning's level is decreased it is still a warning and I dont want my end users to see this everytime. How can I solve this problem?
如您所见,安全警告的严重性级别已更改为更受欢迎的级别,现在发布者的名称并非未知。这是证书中的名称。即使警告的级别降低了,它仍然是一个警告,我不希望我的最终用户每次都看到这个。我怎么解决这个问题?
- Should I try to sign all third part jars as well? If so how can I do it with an Ant command? How can I extract a third party jar and add the JNLP-INF folder in it and then repack it as a jar by using Ant?
- Should I also sign the final myapplication.ear file with a JNLP-INF subfolder in it.This ear file is deployed to jboss server?
- Should I add some extra lines to my META-INF/MANIFEST files in jars?
- Should I be expecting oracle to block my application to run on jvm with this level of warning?
- 我也应该尝试签署所有第三方罐子吗?如果是这样,我怎样才能用 Ant 命令来做到这一点?如何提取第三方 jar 并在其中添加 JNLP-INF 文件夹,然后使用 Ant 将其重新打包为 jar?
- 我还应该签署最终的myapplication.ear 文件,其中包含 JNLP-INF 子文件夹。这个 ear 文件部署到 jboss 服务器吗?
- 我应该在 jars 中的 META-INF/MANIFEST 文件中添加一些额外的行吗?
- 我是否应该期望 oracle 以这种级别的警告阻止我的应用程序在 jvm 上运行?
My JNLP file is this text:
我的 JNLP 文件是这样的:
<?xml version="1.0" encoding="utf-8"?>
<jnlp spec="1.0+" codebase="http://10.100.10.9/ikarusdelhitest/" href="ikarus.jnlp">
<information>
<title>Ikarus</title>
<vendor>My Company name</vendor>
<homepage href="http://www.mycompanyname.com" />
<description>My jnlp triggered web based enterprise software</description>
<icon href="ikarus.ico" />
<offline-allowed />
</information>
<security>
<all-permissions />
</security>
<resources>
<j2se version="1.6+" href="http://java.sun.com/products/autodl/j2se"
java-vm-args="-Xnoclassgc -Xincgc -client -XX:DefaultMaxRAM=208M -Xms64M -Xmx256M -XX:PermSize=32M -XX:MaxPermSize=128M -XX:MinHeapFreeRatio=15 -XX:MaxHeapFreeRatio=50" />
<jar href="jars/ikarus/ikarusClient.jar" />
<jar href="jars/ikarus/ikarusDelegators.jar" />
<jar href="jars/ikarus/clientRules.jar" />
<jar href="jars/ikarus/ruleImps.jar" />
<jar href="jars/ikarus/ikarusUtil.jar" />
<jar href="jars/ikarus/ikarusResources.jar" />
<jar href="jars/ikarus/domain.jar" />
<jar href="jars/ikarus/domain_repository.jar" />
<jar href="jars/ikarus/domain_service.jar" />
<jar href="jars/ikarus/app_repository.jar" />
<jar href="jars/ikarus/app_service.jar" />
<jar href="jars/ikarus/infrastructure.jar" />
<jar href="jars/ikarus/integration_domain.jar" />
<jar href="jars/jboss_ejb_auth/ejb3-persistence.jar" />
<jar href="jars/jboss_ejb_auth/jboss-ejb3x.jar" />
<jar href="jars/jboss_ejb_auth/jbossall-client.jar" />
<jar href="jars/jasper/commons-beanutils-1.8.0.jar" />
<jar href="jars/jasper/commons-collections-3.2.1.jar" />
<jar href="jars/jasper/commons-digester-1.7.jar" />
<jar href="jars/jasper/commons-logging-1.1.jar" />
<jar href="jars/jasper/iText-2.1.0.jar" />
<jar href="jars/jasper/jasperreports-3.6.0.jar" />
<jar href="jars/jasper/poi-3.2-FINAL-20081019.jar" />
<property name="jnlp.localization" value="Delhi"/>
</resources>
<application-desc main-class="com.celebi.ikarus.main.Ikarus" />
Thanks for any help/comment/brain storming.
感谢您的任何帮助/评论/头脑风暴。
采纳答案by Andrew Thompson
This JNLP seems to need signing because of java-vm-argsbut realize that most of the memory related options can be specified in a way so that the JNLP does notneed to be signed. I recommend you try that way instead.
这JNLP似乎需要签字,因为java-vm-args但要意识到大多数的内存相关的选项可以在某种程度上,这样的JNLP并指定不会需要签名。我建议您改为尝试这种方式。
回答by foch
I believe you are getting this warning because you are requesting the JNLP to run with full permissions, and the user needs to know about that.
我相信您收到此警告是因为您请求 JNLP 以完全权限运行,而用户需要了解这一点。
If you application doesn't need to access critical resources (for instance write to the hard drive), you can run your application in sandbox mode by replacing the following:
如果您的应用程序不需要访问关键资源(例如写入硬盘驱动器),您可以通过替换以下内容在沙盒模式下运行您的应用程序:
<security>
<all-permissions />
</security>
by
经过
<security>
<sandbox />
</security>
as documented in http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/security/manifest.html
如http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/security/manifest.html 中所述
You can also remove it as sandbox is the default value.
您也可以将其删除,因为沙箱是默认值。
