Java 弹出窗口说应用程序包含未签名和签名的代码
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/16069233/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Java popup saying applications contains both unsigned and signed code
提问by user1216750
I am using Mac 10.7 running Java 1.7.0_21. I am trying to run a Java applet application that is signed and towards the end of the application I get a mixed mode security popup saying "Block potentially unsafe components from being run?". All the jars that I am using are signed.
我正在使用运行 Java 1.7.0_21 的 Mac 10.7。我正在尝试运行一个已签名的 Java 小程序应用程序,在应用程序结束时,我收到一个混合模式安全弹出窗口,提示“阻止运行可能不安全的组件?”。我使用的所有罐子都已签名。
I am able to run the same applet application on Mac 10.6 running Java 6 and I don't get the mixed mode warning. I am also able to run the application on windows without the mixed mode warning coming up.
我能够在运行 Java 6 的 Mac 10.6 上运行相同的小程序应用程序,但我没有收到混合模式警告。我还可以在 Windows 上运行该应用程序,而不会出现混合模式警告。
Why do I get this keep getting this error when all my jars are signed?
为什么我的所有 jars 都已签名时会不断收到此错误?
I googled mixed mode warning and found this link.
我在谷歌上搜索了混合模式警告并找到了这个链接。
http://docs.oracle.com/javase/6/docs/technotes/guides/jweb/mixed_code.html#manifest
http://docs.oracle.com/javase/6/docs/technotes/guides/jweb/mixed_code.html#manifest
and after reading this link, I am a little confused. According to this link it looks like I need to have either "Trusted-Only" or "Trusted-Library" attribute mentioned inside my manifest file. I looked at my manifest file and they don't have these attributes so should I put them in or just the fact that the jars is signed should have been enough.
阅读此链接后,我有点困惑。根据此链接,我的清单文件中似乎需要提及“仅受信任”或“受信任的库”属性。我查看了我的清单文件,他们没有这些属性,所以我应该把它们放进去,或者只是罐子被签名的事实就足够了。
Can someone please help me understand why I am getting this error even when everything is signed?
有人可以帮助我理解为什么即使在所有内容都已签名后仍会收到此错误吗?
回答by vip
Update 21of Java 7 is a strong security update that brings a certain number of breaking changes.
Java 7 的更新 21是一个强大的安全更新,带来了一定数量的破坏性更改。
You should have a look to its release notes, there are two paragraphs and two known issues related to signed jars.
你应该看看它的发行说明,有两个段落和两个与签名 jars 相关的已知问题。
Your problem consists in this one:
你的问题在于这个:
Area: deploy/plugin
Synopsis: Security popup while closing application
Starting in JDK 7u21, JavaScript code that calls code within a signed applet running with all permissions is treated as mixed code and warning dialogs are raised if the signed JAR files are not tagged with the
Trusted-Library=trueattribute. See Mixing Code With Permissions and Code Without Permissions(doc link)'.For a signed applet running with all permissions to JavaScript call, no security dialog (with mixed code warning) should pop up. However mixed code warning is being shown in some scenarios.
区域:部署/插件
概要:关闭应用程序时的安全弹出窗口
从 JDK 7u21 开始,在以所有权限运行的签名小程序中调用代码的 JavaScript 代码被视为混合代码,如果签名的 JAR 文件没有用
Trusted-Library=true属性标记,则会引发警告对话框。请参阅混合有权限的代码和无权限的代码(文档链接)'。对于以 JavaScript 调用的所有权限运行的签名小程序,不应弹出安全对话框(带有混合代码警告)。但是,在某些情况下会显示混合代码警告。
The good news: there is a workaround:
好消息:有一个解决方法:
As a workaround, if the applet jar is running with all-permissions and uses "Trusted-library:true" attribute as manifest entry, the mixed code warning will not popup.
作为一种解决方法,如果小程序 jar 以全权限运行并使用“Trusted-library:true”属性作为清单条目,则不会弹出混合代码警告。
回答by Bryan
The best fix is using the Trusted-Library=true, however, if you cannot get this to work for some reason you can also change how the computer handles mixed security applets.
最好的解决方法是使用Trusted-Library=true.
http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/properties.html
http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/properties.html
Create the follow file on the user's workstation. C:\Windows\Sun\Java\Deployment\deployment.properties
在用户的工作站上创建跟随文件。 C:\Windows\Sun\Java\Deployment\deployment.properties
In the file add the following line:
deployment.security.mixcode="HIDE_RUN"
在文件中添加以下行:
deployment.security.mixcode="HIDE_RUN"
This will tell Java to hide the security warning and run the applet whenever there's a mixed code condition. Also, on the release notes it says:
这将告诉 Java 隐藏安全警告并在出现混合代码情况时运行小程序。此外,在发行说明中,它说:
As of JDK 7u21, JavaScript code that calls code within a privileged applet is treated as mixed code and warning dialogs are raised if the signed JAR files are not tagged with the Trusted-Library attribute.
For more information, see Mixing Privileged Code and Sandbox Code documentation.
The JDK 7u21 release enables users to make more informed decisions before running Rich Internet Applications (RIAs) by prompting users for permissions before an RIA is run. These permission dialogs include information on the certificate used to sign the application, the location of the application, and the level of access that the application requests. For more information, see User Acceptance of RIAs.
从 JDK 7u21 开始,在特权小程序中调用代码的 JavaScript 代码被视为混合代码,如果签名的 JAR 文件没有使用 Trusted-Library 属性标记,则会引发警告对话框。
有关更多信息,请参阅混合特权代码和沙盒代码文档。
JDK 7u21 版本通过在运行 RIA 之前提示用户提供权限,使用户能够在运行富 Internet 应用程序 (RIA) 之前做出更明智的决定。这些权限对话框包括有关用于签署应用程序的证书、应用程序的位置以及应用程序请求的访问级别的信息。有关详细信息,请参阅用户对 RIA 的接受程度。
FYI, JRE 6u19 if an applet contains both privileged components and sandbox components, warning dialogs are shown.
仅供参考,JRE 6u19 如果小程序同时包含特权组件和沙箱组件,则会显示警告对话框。
回答by tdee
I also have an applet that generated this security warning starting with JRE 1.7.0_21.
我还有一个从 JRE 1.7.0_21 开始生成此安全警告的小程序。
Here is what I have learned. The "Trusted-Only: true" you would put in your applet manifest if you do not want the user to be asked if he will allow the call to another signed jar. The call will be blockedwithout the security warning. The "Trusted-Library: true" you add to the jar that you are calling. If this is in the jar's manifest and the jar is signed then when your applet calls it there will be no security warning and the call will not be blocked.
这是我所学到的。如果您不希望用户被问及是否允许调用另一个签名的 jar,您可以将“Trusted-Only: true”放入您的小程序清单中。呼叫将在没有安全警告的情况下被阻止。您添加到您正在调用的 jar 中的“可信库:真实”。如果这是在 jar 的清单中并且 jar 已签名,那么当您的小程序调用它时,将不会有安全警告并且不会阻止调用。
My applet uses the swing-layout-1.0.4.jar. To solve the problem I had to add the "Trusted-Library: true" to the swing-layout-1.0.4.jar. You should be able to do this by using the jar.exe application in the JDK.
我的小程序使用swing-layout-1.0.4.jar。为了解决这个问题,我不得不将“Trusted-Library: true”添加到swing-layout-1.0.4.jar。您应该能够通过使用 JDK 中的 jar.exe 应用程序来完成此操作。
jar vcmf swing-layout-1.0.4a.jar MyManifest.mf swing-layout-1.0.4.jar
jar vcmf swing-layout-1.0.4a.jar MyManifest.mf swing-layout-1.0.4.jar
MyManifest.mf is a text file containing "Trusted-Library: true". The space between the : and true is important and you must have a carriage return at the end of the line.
MyManifest.mf 是一个包含“Trusted-Library: true”的文本文件。: 和 true 之间的空格很重要,您必须在行尾有一个回车符。
For some reason I could not get this to work so I rebuilt swing-layout using netbeans. The sources for swing-layout-1.0.4 are part of the netbeans install (under platform). I unzipped it opened it as a project. Under files I changed the manifest file to have the magic line (again it is important to have the space after the : and a blank line at the end of the manifest file) and hit the build. I then signed the jar and no more security warning.
出于某种原因,我无法使其正常工作,因此我使用 netbeans 重建了摆动布局。Swing-layout-1.0.4 的源代码是 netbeans 安装(在平台下)的一部分。我解压缩它作为一个项目打开它。在文件下,我将清单文件更改为具有魔术行(同样,在 : 之后留有空格很重要,清单文件末尾有一个空行)并点击构建。然后我签署了 jar 并且没有更多的安全警告。
I hope this helps or at least points you in the right direction
我希望这会有所帮助或至少为您指明正确的方向
回答by user1216750
Thank you all for your replies. I tried adding Trusted-Library=true on a small sample and it seems to work. So now I will be trying to trying update the manifest file of all my jars. And since we use ant I will doing the following
谢谢大家的回复。我尝试在一个小样本上添加 Trusted-Library=true ,它似乎有效。所以现在我将尝试更新我所有 jars 的清单文件。由于我们使用蚂蚁,我将执行以下操作
<jar update="true" jarfile="${deploy.dir}/javaApp.jar">
<manifest>
<attribute name="Trusted-Library" value="true" />
</manifest>
</jar>
to update the manifest files.
更新清单文件。
