23

Thanks to Oracle's latest changes, it appears I have to sign an applet even though I don't need or want it to have unrestricted access to the user's computer (which is why its currently unsigned). In particular, I don't want the warning they show for signed applets:

This application will run with unrestricted access which may put your computer and personal information at risk.

...which will scare the people using it.

Is it possible to sign an applet but mark it in some way to say "but keep using the sandbox"?

The only reason I'm signing it is that as of Version 7, Update 40, Oracle has further increased the nagging users have to deal with when running unsigned applets. It used to be that you could check a box saying you trusted an applet once, and that would be remembered. As of Update 40, it's only remembered for that browser session; the warning reappears if you close the browser and come back later. They've also said they're going to disable unsigned applets entirely in "a future version" of the Java plug-in.

4

1 回答 1

17

是的你可以。这个页面展示了如何做(嗯,大部分;你也需要这个页面)。主要有两个步骤:

  1. PermissionsCodebase属性放在清单文件中:

    权限:沙盒
 代码库:*.myserver.com

    这些新属性是在 Java 7 Update 25 中引入的,并在此处讨论。上面链接的第一页只显示Codebase: myserver.com,但大多数网站都需要上面的通配符。(我不知道Codebase对小程序进行沙箱化是否需要该属性,但无论如何对于大多数已签名的小程序来说,这似乎都是一个好主意。)

    然后在构建 jar 时使用该清单文件,例如:

    jar cvfm YourJarFile.jar your_manifest_file.txt classes_and_such

    这些属性最终会出现在 jar 中的 MANIFEST.MF 文件中,该文件告诉 Java 运行时将小程序保持在沙盒中。

  2. 在您的<applet>标签中,您必须指定permissions参数,如此处所述

    <applet 代码='yourAppletClass' 存档='YourJarFile.jar'>
     <param name="permissions" value="sandbox">
 </小程序>

    如果没有这第二步,则会阻止在 jar 中请求沙盒权限但不请求标记的签名小程序运行,并显示标题为“无法运行应用程序”的对话框,给出“原因:请求仅在沙盒中运行的 JAR 清单”。

如果您执行上述两个步骤,用户会收到更令人放心的消息(并且可能小程序仍处于沙盒状态):

此应用程序将以有限的访问权限运行,旨在保护您的计算机和个人信息。

...如果他们选中信任发布者和位置的相关复选框,那么当他们下次打开浏览器并运行您的小程序时,他们就不会再看到它了。

(在提出这个问题的过程中,我找到了答案,但由于答案不在 Stack Overflow 上,我想我会继续发布问题和答案。)

于 2013-09-25T16:47:34.350 回答