1

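Java JRE mixed code security, starting with JRE 1.6.0_19

Around 2010, a main jar Java Applet was originally implemented, built and deployed using JDK/JRE 1.6.0_12; the main jar and the third-party jars were signed and everything worked fine. The main jar Java applet and the third-party jars work fine in JRE 1.6.0_12 through JRE 1.6.0_18.

However, with the introduction of mixed code security starting in JRE 1.6.0_19, the main jar will not launch with JRE 11.6.0_27 unless mixed code security is disabled.
We are moving the JRE from 1.6.0_12 to update 27. I am trying to solve this problem, that is, to allow the signed main jar Java applet and the signed third-party jars to launch when mixed code security is enabled.

I have a main jar containing the Java Applet source code and several third-party jars used by the main jar; for example activation.jar, log4j-1.2.13.jar, ojdbc14.jar, etc.

Using keytool.exe from JDK 1.6.0_27, I created a new keystore containing a private/public key pair for the Java applet. Using jarsigner.exe from JDK 1.6.0_27, I successfully signed the main jar and all third-party jars with the private key; each jar has a signature file .SF and a signature block file .DSA (Digital Signature Algorithm). I exported the public key used to verify the signed jars.

The Java Applet and the third-party jars are located in the web application's webcontent/applet directory; when the applet is launched from the web application, the main jar and the third-party jars are downloaded to the user's computer. The digital signature part works fine, and when JRE mixed code security is disabled the Java applet launches and runs successfully. This still does not solve mixed code security when it is enabled.

I tried deploying the main jar as both Trusted-Only and Trusted-Library. In both cases, with mixed code security enabled, the main jar Java Applet fails to launch; I get different exceptions but the same result.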

Trusted-Only :: Mixed Code Enable
.........................
cache: Mark prevalidated: http://hostname:port/path/main.jar true tm=numbers cert=numbers
security: http://hostname:port/path/main.jar is newly asserting Trusted-Only
basic: Plugin2ClassLoader.getPermissions CeilingPolicy allPerms
security: Validate the certificate chain using CertPath API
security: The certificate hasnt been expired, no need to check timestamping info
security: Cannot find jurisdiction list file
security: The CRL support is disabled
security: The OCSP support is disabled
security: This OCSP End Entity validation is disabled
security: Checking if certificate is in Deployment denied certificate store
security: Checking if certificate is in Deployment permanent certificate store
basic: Embedding dialogs not enabled in Configuration
basic: Plugin2ClassLoader.getPermissions CeilingPolicy allPerms
.........................
.........................
network: Cache entry not found [url: http://hostname:port/path/StatLib.jar, version:     null]
network: Connecting http://hostname:port/path/StatLib.jar with proxy=DIRECT
network: Connecting http://hostname:port/ with proxy=DIRECT
network: Connecting http://hostname:port/path/StatLib.jar with cookie     "CheckboxChecked=Y; JSESSIONID=j_session_id"
network: CleanupThread used 1 us
network: Downloading resource: http://hostname:port/path/StatLib.jar
Content-Length: 62,219
Content-Encoding: null
network: Wrote URL http://hostname:port/path/StatLib.jar to File C:\path\LocalLow\Sun\Java\Deployment\cache\6.0\24\167b0298-1365f142-temp
security: Trusted libraries list file not found
cache: Create from verifier: JarSigningData{hasOnlySignedEntries=true, hasSingleCodeSource=true, hasMissingSignedEntries=false}
cache: Adding MemoryCache entry: http://hostname:port/path/StatLib.jar
basic: Plugin2ClassLoader.isTrustedByPolicy called 
basic: Plugin2ClassLoader.isTrustedByPolicy returns false 
security: resource name "com/name/statistics/lib/I_Dispatch.class" in     http://hostname:port/path/StatLib.jar : java.lang.SecurityException: Trusted-Only loader attempted to load sandboxed resource from http://hostname:port/path/StatLib.jar
04/01/2013 16:58:41,588 - [FATAL Thread-15 com.lfg.name.JavaObjectName.init(JavaName.java:193)] - Error in Method() java.lang.SecurityException: Trusted-Only loader attempted to load sandboxed resource from http://hostname:port/path/StatLib.jar
at com.sun.deploy.security.CPCallbackHandler$ParentCallback.check(Unknown Source)
at com.sun.deploy.security.CPCallbackHandler$ParentCallback.access$1500(Unknown Source)
at com.sun.deploy.security.CPCallbackHandler$ChildElement.checkResource(Unknown Source)
at com.sun.deploy.security.DeployURLClassPath$JarLoader.checkResource(Unknown Source)
at com.sun.deploy.security.DeployURLClassPath$JarLoader.getResource(Unknown Source)
at com.sun.deploy.security.DeployURLClassPath$JarLoader.getResource(Unknown Source)
at com.sun.deploy.security.DeployURLClassPath.getResource(Unknown Source)
at sun.plugin2.applet.Plugin2ClassLoader$2.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at sun.plugin2.applet.Plugin2ClassLoader.findClassHelper(Unknown Source)
at sun.plugin2.applet.Applet2ClassLoader.findClass(Unknown Source)
at sun.plugin2.applet.Plugin2ClassLoader.loadClass0(Unknown Source)
at sun.plugin2.applet.Plugin2ClassLoader.loadClass(Unknown Source)
at sun.plugin2.applet.Plugin2ClassLoader.loadClass(Unknown Source)
at java.lang.ClassLoader.loadClass(Unknown Source)
at java.lang.ClassLoader.defineClass1(Native Method)
at java.lang.ClassLoader.defineClass(Unknown Source)
at java.security.SecureClassLoader.defineClass(Unknown Source)
at java.net.URLClassLoader.defineClass(Unknown Source)
at sun.reflect.GeneratedMethodAccessor11.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.lang.reflect.Method.invoke(Unknown Source)
at sun.plugin2.applet.Plugin2ClassLoader.defineClassHelper(Unknown Source)
at sun.plugin2.applet.Plugin2ClassLoader.access$100(Unknown Source)
at sun.plugin2.applet.Plugin2ClassLoader$2.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at sun.plugin2.applet.Plugin2ClassLoader.findClassHelper(Unknown Source)
at sun.plugin2.applet.Applet2ClassLoader.findClass(Unknown Source)
at sun.plugin2.applet.Plugin2ClassLoader.loadClass0(Unknown Source)
at sun.plugin2.applet.Plugin2ClassLoader.loadClass(Unknown Source)
at sun.plugin2.applet.Plugin2ClassLoader.loadClass(Unknown Source)
at java.lang.ClassLoader.loadClass(Unknown Source)
at java.lang.Class.forName0(Native Method)
at java.lang.Class.forName(Unknown Source)
.... Java Applet is calling and loading a class in a third party jar that I signed, but for some reason it is being treated as unsigned ....
.......................
network: Cache entry not found [url: http://hostname:port/path/ojdbc14.jar, version: null]
network: Connecting http://hostname:port/path/ojdbc14.jar with proxy=DIRECT
network: Connecting http://hostname:port/ with proxy=DIRECT
network: Connecting http://hostname:port/path/ojdbc14.jar with cookie "CheckboxChecked=Y; JSESSIONID=j_session_id"
network: CleanupThread used 1 us
network: Downloading resource: http://hostname:port/path/ojdbc14.jar
Content-Length: 1,448,790
Content-Encoding: null
network: Wrote URL http://hostname:port/path/ojdbc14.jar to File C:\path\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\51\534fe7f3-21a4d4ae-temp
security: Trusted libraries list file not found
cache: Create from verifier: JarSigningData{hasOnlySignedEntries=true, hasSingleCodeSource=true, hasMissingSignedEntries=false}
network: CleanupThread used 1 us
cache: Adding MemoryCache entry: http://hostname:port/path/ojdbc14.jar
basic: Plugin2ClassLoader.isTrustedByPolicy called 
basic: Plugin2ClassLoader.isTrustedByPolicy returns false 
security: resource name "oracle/jdbc/driver/OracleDriver.class" in http://hostname:port/path/ojdbc14.jar : java.lang.SecurityException: Trusted-Only loader attempted to load sandboxed resource from http://hostname:port/path/ojdbc14.jar
java.lang.SecurityException: Trusted-Only loader attempted to load sandboxed resource from http://hostname:port/path/ojdbc14.jar
at com.sun.deploy.security.CPCallbackHandler$ParentCallback.check(Unknown Source)
at com.sun.deploy.security.CPCallbackHandler$ParentCallback.access$1500(Unknown Source)
at com.sun.deploy.security.CPCallbackHandler$ChildElement.checkResource(Unknown Source)
at com.sun.deploy.security.DeployURLClassPath$JarLoader.checkResource(Unknown Source)
at com.sun.deploy.security.DeployURLClassPath$JarLoader.getResource(Unknown Source)
at com.sun.deploy.security.DeployURLClassPath$JarLoader.getResource(Unknown Source)
at com.sun.deploy.security.DeployURLClassPath.getResource(Unknown Source)
at sun.plugin2.applet.Plugin2ClassLoader$2.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at sun.plugin2.applet.Plugin2ClassLoader.findClassHelper(Unknown Source)
at sun.plugin2.applet.Applet2ClassLoader.findClass(Unknown Source)
at sun.plugin2.applet.Plugin2ClassLoader.loadClass0(Unknown Source)
at sun.plugin2.applet.Plugin2ClassLoader.loadClass(Unknown Source)
at sun.plugin2.applet.Plugin2ClassLoader.loadClass(Unknown Source)
at java.lang.ClassLoader.loadClass(Unknown Source)
..... Java applet is loading a Java class in a third party jar that was signed, but it is being treated as untrusted .....

Trusted-Library :: Mixed Code Enable
..............................
cache: Mark prevalidated: http://hostname:port/path/main.jar true tm=numbers cert=numbers
basic: Plugin2ClassLoader.getPermissions CeilingPolicy allPerms
security: Validate the certificate chain using CertPath API
security: The certificate hasnt been expired, no need to check timestamping info
security: Cannot find jurisdiction list file
security: The CRL support is disabled
security: The OCSP support is disabled
security: This OCSP End Entity validation is disabled
security: Checking if certificate is in Deployment denied certificate store
security: Checking if certificate is in Deployment permanent certificate store
basic: Embedding dialogs not enabled in Configuration
basic: exception: java.lang.NoClassDefFoundError: org/apache/log4j/Logger.
java.lang.RuntimeException: java.lang.NoClassDefFoundError: org/apache/log4j/Logger
at com.sun.deploy.uitoolkit.impl.awt.AWTAppletAdapter.instantiateApplet(Unknown Source)
at sun.plugin2.applet.Plugin2Manager.initAppletAdapter(Unknown Source)
at sun.plugin2.applet.Plugin2Manager$AppletExecutionRunnable.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
Caused by: java.lang.NoClassDefFoundError: org/apache/log4j/Logger
at com.path.MainClassApplet.init(MainClassApplet.java:line_number)
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(Unknown Source)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(Unknown Source)
at java.lang.reflect.Constructor.newInstance(Unknown Source)
at java.lang.Class.newInstance0(Unknown Source)
at java.lang.Class.newInstance(Unknown Source)
at com.sun.deploy.uitoolkit.impl.awt.AWTAppletAdapter$1.run(Unknown Source)
at java.awt.event.InvocationEvent.dispatch(Unknown Source)
at java.awt.EventQueue.dispatchEventImpl(Unknown Source)
at java.awt.EventQueue.access$200(Unknown Source)
at java.awt.EventQueue$3.run(Unknown Source)
at java.awt.EventQueue$3.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at java.security.ProtectionDomain$1.doIntersectionPrivilege(Unknown Source)
at java.security.ProtectionDomain$1.doIntersectionPrivilege(Unknown Source)
at java.awt.EventQueue$4.run(Unknown Source)
at java.awt.EventQueue$4.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at java.security.ProtectionDomain$1.doIntersectionPrivilege(Unknown Source)
at java.awt.EventQueue.dispatchEvent(Unknown Source)
at java.awt.EventDispatchThread.pumpOneEventForFilters(Unknown Source)
at java.awt.EventDispatchThread.pumpEventsForFilter(Unknown Source)
at java.awt.EventDispatchThread.pumpEventsForHierarchy(Unknown Source)
at java.awt.EventDispatchThread.pumpEvents(Unknown Source)
at java.awt.EventDispatchThread.pumpEvents(Unknown Source)
at java.awt.EventDispatchThread.run(Unknown Source)
Caused by: java.lang.ClassNotFoundException: org.apache.log4j.Logger
at sun.plugin2.applet.Applet2ClassLoader.findClass(Unknown Source)
at sun.plugin2.applet.Plugin2ClassLoader.loadClass0(Unknown Source)
at sun.plugin2.applet.Plugin2ClassLoader.loadClass(Unknown Source)
at sun.plugin2.applet.Plugin2ClassLoader.loadClass(Unknown Source)
at java.lang.ClassLoader.loadClass(Unknown Source)
... 27 more
Ignored exception: java.lang.RuntimeException: java.lang.NoClassDefFoundError: org/apache/log4j/Logger
basic: Dialog type is not candidate for embedding
basic: Removed progress listener: sun.plugin.util.ProgressMonitorAdapter@40ab5b6c
security: Reset deny session certificate store

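The main jar applet (a rich Internet application) is invoked using JavaScript code in a JavaServer Pages file (an HTML page) with HTML tags.

As I understand it, JavaScript code is treated as unsigned code. When a signed applet is accessed from JavaScript code in an HTML page, the signed applet executes in the security sandbox. This means the signed applet essentially behaves like an unsigned applet.

I am debating whether I should deploy the applet using JNLP with the Deployment Toolkit (deployJava.js), or add classes to the main JAR file's classpath in its manifest file, where the manifest references a different JAR file (or several different JAR files) used as utilities by my applet.

Any ideas on how to solve this mixed code problem?

Please advise, thanks.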

4

1 Answer

0

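I can confirm that the problem is with recent JREs. Calling Java from JS gives you a "mixed code warning", no matter how you sign or which libraries you include or leave out. So the comments above are not correct, or are no longer correct (after the latest JRE upgrades; I'm using 1.7.0_21).

But luckily it is still possible to call from Java to JavaScript without problems, so our solution for this kind of problem is to implement a command queue that is polled from the applet, as follows:

1) Wrap every call to an applet method in a "request object" and put it in a queue, for example: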

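// Requests waiting to be picked up by the applet
var jobQueue = [];

function hello(message) {
   // Declared with var so the request does not leak into the global scope
   var request = {
     cmd: "hello",
     arg: message,   // pass the caller's argument rather than a fixed string
     callback: function(result) {
        alert("I'm saying " + result);
     }
   };
   jobQueue.push(request);
}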

2) Create a method, to be called from the applet, that fetches a job:

function fetchJob() {
  if (jobQueue.length > 0) {
     return jobQueue.shift();
  }
  // Queue is empty: return an explicit null so the applet sees "no job"
  return null;
}

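3) When the applet starts, spawn a thread or a timer that calls the fetchJob function every X milliseconds. When the function returns a non-null request, the applet can execute it. The request can even carry (as in the example above) a callback to be invoked to return the result.

That's it. But be careful: if you use the callback to return a result, take care not to return anything other than native objects, otherwise you will get the mixed code warning again. Even a String array does not work. If you need to create more complex results, you need to use the LiveConnect API to call back into JavaScript and create a native JS object from the Java applet, then invoke the callback with it.

Good luck!

Answered 2013-04-18T15:58:33.110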
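
The applet side of step 3 in the answer above, as an added example that is not part of the original answer or of any project's code. The class name, the 250 ms interval, the allow-list and the reply text are assumptions; only `fetchJob`, `cmd`, `arg` and `callback` come from the answer's JavaScript.

```java
import java.applet.Applet;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import java.util.Timer;
import java.util.TimerTask;
import netscape.javascript.JSObject;

// Hypothetical applet: polls the page's fetchJob() and answers through the request's callback.
public class QueuePollingApplet extends Applet {
    // The queue is filled by unsigned page script, so only known commands are executed.
    private static final Set<String> ALLOWED = new HashSet<String>(Arrays.asList("hello"));
    private static final long POLL_MS = 250L; // the answer's "X milliseconds" (assumed value)
    private Timer timer;

    @Override
    public void start() {
        final JSObject window = JSObject.getWindow(this);
        timer = new Timer("job-poller", true); // daemon thread, ends with the applet
        timer.schedule(new TimerTask() {
            @Override
            public void run() {
                poll(window);
            }
        }, 0L, POLL_MS);
    }

    @Override
    public void stop() {
        if (timer != null) timer.cancel();
    }

    private void poll(JSObject window) {
        try {
            Object job = window.call("fetchJob", new Object[0]);
            if (!(job instanceof JSObject)) {
                return; // empty queue: nothing to do on this tick
            }
            JSObject request = (JSObject) job;
            Object cmd = request.getMember("cmd");
            if (!(cmd instanceof String) || !ALLOWED.contains(cmd)) {
                return; // command not on the allow-list: ignore it
            }
            String result = "Hello, " + String.valueOf(request.getMember("arg"));
            request.call("callback", new Object[] { result }); // a plain String only
        } catch (RuntimeException e) { // JSException is a RuntimeException
            System.err.println("job polling failed: " + e);
        }
    }
}
```

Catching the exception inside `poll` keeps a failing JavaScript call from cancelling the timer, since an uncaught exception in a `TimerTask` stops all further ticks.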