Java Applet 安全警告“JAR 文件清单不包含权限属性”是什么意思?
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/19564481/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
What does the Java Applet security warning "JAR file manifest does not contain the Permissions attribute"mean?
提问by koalabruder
I have a Java Applet which needs access to the local filesystem of the client. I have created a simple certificate for my own (it is NOT certified by Verisign,Commodo, ...). I signed the jar with the following template:
我有一个 Java Applet,它需要访问客户端的本地文件系统。我为我自己创建了一个简单的证书(它未经 Verisign、Commodo 等认证)。我使用以下模板为 jar 签名:
del \Users\koalabruder\.keystore
"C:\Program Files\Java\jdk1.7.0_45\bin\keytool" -genkey -alias %1 -keypass kp -dname "cn=inin" -storepass ab987c
"C:\Program Files\Java\jdk1.7.0_45\bin\jarsigner.exe" -storepass abc -keypass kp %2 %1
"C:\Program Files\Java\jdk1.7.0_45\bin\keytool" -export -storepass abc -alias %1 -file %3
The simple security warning that I have "no signed certificate" has been in existence for years and is not my problem.
我“没有签名证书”的简单安全警告已经存在多年,不是我的问题。
My problem is, that the security warning changedbecause one of the last Java updates:
我的问题是,由于最后一次 Java 更新,安全警告发生了变化:
This application will be blocked in a future Java security update because the JAR file manifest does not contain the Permissions attribute. Please contact the Publisher for more Information.
此应用程序将在未来的 Java 安全更新中被阻止,因为 JAR 文件清单不包含 Permissions 属性。请联系出版商了解更多信息。
What does it mean? How can I fix it? Do I have to buy a certificate? Do I have to fix the Manifest (MANIFEST.MF)? What is the Permission attribute?
这是什么意思?我该如何解决?一定要买证书吗?我是否必须修复清单 (MANIFEST.MF)?什么是权限属性?
Update:Here is my Manifest from the jar file
更新:这是我的 jar 文件清单
Manifest-Version: 1.0
Ant-Version: Apache Ant 1.8.4
Application-Name: inin
Permissions: all-permissions
Created-By: 1.7.0_45-b18 (Oracle Corporation)
Name: net/inin/transfer/ul/UlPanel.class
SHA-256-Digest: asdfasddddddddddddddddddddddddddddddddd=
回答by jzd
You don't need to buy a certificate, just fix the manifest file.
您无需购买证书,只需修复清单文件即可。
Add this line:
添加这一行:
permissions: all-permissions
Or this line if you need only limited access:
或者,如果您只需要有限的访问权限,请使用此行:
permissions: sandbox
回答by Maher Abuthraa
In Netbeans I noted that manifest file is generated during build ..so briefly what I have done to fix this issue to include my manifest attributes inside that template which is responsible for generating manifest.
在 Netbeans 中,我注意到清单文件是在构建过程中生成的……所以我做了什么来解决这个问题,以将我的清单属性包含在负责生成清单的模板中。
To do so follow these steps :
为此,请执行以下步骤:
1- Open this file with any editor: (PATH)\nbproject\jfx-impl.xml
(PATH): is the path of your project.
1- 使用任何编辑器打开此文件: (PATH)\nbproject\jfx-impl.xml
(PATH): 是您的项目路径。
2- Search for : "// manifest". mine looks like:
2- 搜索:“// 清单”。我的看起来像:
// manifest
var man = jar.createManifest();
var a1val = project.getProperty("application.vendor");
var a1 = new org.apache.tools.ant.taskdefs.Manifest.Attribute();
a1.setName("Implementation-Vendor");
a1.setValue(a1val);
man.addConfiguredAttribute(a1);
var a2val = project.getProperty("application.title");
var a2 = new org.apache.tools.ant.taskdefs.Manifest.Attribute();
a2.setName("Implementation-Title");
a2.setValue(a2val);
man.addConfiguredAttribute(a2);
var a3 = new org.apache.tools.ant.taskdefs.Manifest.Attribute();
a3.setName("Implementation-Version");
a3.setValue("1.0");
man.addConfiguredAttribute(a3);
//******insert your Attributes code here*******
jar.perform();
3- Under "//*insert your Attributes here**", you can insert your own manifest attributes code, in my situation its enough to include codebase, and permissions.. you can use my code as well:
3- 在“// *在此处插入您的属性**”下,您可以插入您自己的清单属性代码,在我的情况下,它足以包含代码库和权限..您也可以使用我的代码:
...
//******insert your Attributes here*******
var a50 = new org.apache.tools.ant.taskdefs.Manifest.Attribute();
a50.setName("permissions");
a50.setValue("all-permissions");
man.addConfiguredAttribute(a50);
var a51 = new org.apache.tools.ant.taskdefs.Manifest.Attribute();
a51.setName("codebase");
a51.setValue("*");
man.addConfiguredAttribute(a51);
...
4- Then build and you wont see that warning again.
4-然后构建,您将不会再看到该警告。
Some notes:
一些注意事项:
I strongly recommend to check the manifest attributes documentation which relates to security @ http://docs.oracle.com/javase/tutorial/deployment/jar/secman.html
dont use the wildcard "*" value in codebase, and it will be better to use https instead of http for security sake :-) I am using it for developing only.
我强烈建议检查与安全相关的清单属性文档@ http://docs.oracle.com/javase/tutorial/deployment/jar/secman.html
不要在代码库中使用通配符“*”值,为了安全起见,最好使用 https 而不是 http :-) 我仅将它用于开发。
good luck,'.
祝你好运,'。
回答by Thomas Heckmann
I ran into the same problem and changing my manifest did not fix it.
我遇到了同样的问题,更改我的清单并没有解决它。
Finally I found out, that I referenced a library which came in its own jar with its own manifest. I was using a copy of that jar-file that did not have Permissions and Codebase.
最后我发现,我引用了一个带有自己清单的 jar 库。我正在使用那个没有权限和代码库的 jar 文件的副本。
So, if you reference any libraries except the JRE System library, check the manifest in the jar file (e.g. by opening it with 7zip). If it does not contain the attributes, you can:
因此,如果您引用除 JRE 系统库之外的任何库,请检查 jar 文件中的清单(例如,通过使用 7zip 打开它)。如果它不包含属性,您可以:
- check, if the manufacturer has a new version. He might have noticed the problem by now.
- Unzip the jar file, edit the manifest and jar it again, or
- Merge the library with your own jar.
- 检查制造商是否有新版本。他现在可能已经注意到了这个问题。
- 解压 jar 文件,编辑清单并再次 jar,或者
- 将库与您自己的 jar 合并。
For the last two, check the license under which the library is published. Maybe you are not allowed to manipulate the product this way.
对于最后两个,请检查发布库所依据的许可证。也许您不被允许以这种方式操纵产品。
回答by user1430808
I've met this warning while updating the signature on a pre-existing applet (a component that interfaces a user smartcard, and so to work correctly requires to be signed with a "strong" certificate).
我在更新预先存在的小程序(连接用户智能卡的组件,因此需要使用“强”证书签名才能正常工作)上的签名时遇到此警告。
Adding also the codebase attribute, e.g: "Codebase: xyz.com" actually makes the warning disappear (note that the original warning text was refering, as in this case, to issues related to the "Permission" attribute not the codebase one...).
还添加代码库属性,例如:“代码库:xyz.com”实际上使警告消失(请注意,原始警告文本在本例中指的是与“权限”属性相关的问题,而不是代码库属性。 .)
It's probably a bug in the jre?
这可能是jre中的一个错误?
