
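I am currently running my JNLP, and in the Java console I see that for some jar files the permission is requested twice. Since my jars have a trusted certificate, this causes the certificate check request to be sent twice. Here is what I see in the Java console: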

security: JAVAWS AppPolicy Permission requested for: http://192.168.72.72:8061/ivy/rdlib/syntheticaAddons-1.226.jar  
ruleset: finding Deployment Rule Set for   
        title: Xpert.ivy Rich Internet Application  
        location: http://192.168.72.72:8061/ivy/pro/System/Administration/1419CBE3AAB8C361.jws.jnlp;jsessionid=EF178D8454450E00CC95762C3869DD3A  
        main location: http://192.168.72.72:8061/ivy/rdlib/syntheticaAddons-1.226.jar  
        main version: null  
        isArtifact: true  
ruleset: no rule applies, returning Default Rule  
Missing Codebase manifest attribute for: http://192.168.72.72:8061/ivy/rdlib/syntheticaAddons-1.226.jar  
security: Istrusted: http://192.168.72.72:8061/ivy/pro/System/Administration/1419CBE3AAB8C361.jws.jnlp;jsessionid=EF178D8454450E00CC95762C3869DD3A false  
Missing Codebase manifest attribute for: http://192.168.72.72:8061/ivy/rdlib/syntheticaAddons-1.226.jar  
security: Validate the certificate chain using CertPath API  
security: SHA-256Certificate finger print: FCB73268A88D254A997683F535ACA1E3F05E8538B82FFE5F0E3F3E71E9EF81B6  
security: SHA-256Certificate finger print: 235C96A2E2DA557B904E90F3A0CAA57EABB4BDB5F401969DA8C282F60839568F  
security: SHA-256Certificate finger print: A45EDE3BBBF09C8AE15C72EFC07268D693A21C996FD51E67CA079460FD6D8873  
security: The OCSP support is enabled  
security: The CRL support is enabled  
security: Skipping revocation check, not publisher cert  
network: Connecting http://ocsp.quovadisglobal.com/ with proxy=DIRECT  
security: OCSP Response: GOOD  
security: Certificate validation succeeded using OCSP/CRL  
security: Grant socket perm for http://192.168.72.72:8061/ivy/rdlib/syntheticaAddons-1.226.jar : java.security.Permissions@64424952 (  
 ("java.net.SocketPermission" "192.168.72.72" "connect,accept,resolve")  
)  
security: JAVAWS AppPolicy Permission requested for: http://192.168.72.72:8061/ivy/rdlib/syntheticaAddons-1.226.jar  
ruleset: finding Deployment Rule Set for   
        title: Xpert.ivy Rich Internet Application  
        location: http://192.168.72.72:8061/ivy/pro/System/Administration/1419CBE3AAB8C361.jws.jnlp;jsessionid=EF178D8454450E00CC95762C3869DD3A  
        main location: http://192.168.72.72:8061/ivy/rdlib/syntheticaAddons-1.226.jar  
        main version: null  
        isArtifact: true  
ruleset: no rule applies, returning Default Rule  
Missing Codebase manifest attribute for: http://192.168.72.72:8061/ivy/rdlib/syntheticaAddons-1.226.jar  
security: Istrusted: http://192.168.72.72:8061/ivy/pro/System/Administration/1419CBE3AAB8C361.jws.jnlp;jsessionid=EF178D8454450E00CC95762C3869DD3A false  
Missing Codebase manifest attribute for: http://192.168.72.72:8061/ivy/rdlib/syntheticaAddons-1.226.jar  
security: Validate the certificate chain using CertPath API  
security: SHA-256Certificate finger print: FCB73268A88D254A997683F535ACA1E3F05E8538B82FFE5F0E3F3E71E9EF81B6  
security: SHA-256Certificate finger print: 235C96A2E2DA557B904E90F3A0CAA57EABB4BDB5F401969DA8C282F60839568F  
security: SHA-256Certificate finger print: A45EDE3BBBF09C8AE15C72EFC07268D693A21C996FD51E67CA079460FD6D8873  
security: The OCSP support is enabled  
security: The CRL support is enabled  
security: Skipping revocation check, not publisher cert  
network: Connecting http://ocsp.quovadisglobal.com/ with proxy=DIRECT  
security: OCSP Response: GOOD  
security: Certificate validation succeeded using OCSP/CRL  

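You can see that the JAVAWS AppPolicy Permission is requested twice for the jar file (starting from lines 26-45, which are the same as lines 1-21).

My own assumption is that the cause of the problem is this line: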

security: Grant socket perm for http://192.168.72.72:8061/ivy/rdlib/syntheticaAddons-1.226.jar : java.security.Permissions@64424952 (  
 ("java.net.SocketPermission" "192.168.72.72" "connect,accept,resolve")  
)  

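For some other jar files, the line above (the Grant socket perm one) does not appear, so those files are checked only once.

In this case, I have now updated to JRE 7 update 40, and in the Java Control Panel I enabled "Mixed code (sandboxed vs. trusted) security verification".

Then I tried disabling "Mixed code (sandboxed vs. trusted) security verification", and then:

  • The jar files that were checked once (in the case above) are no longer checked for permissions.
  • The jar files that were checked twice (in the case above) are still checked once (and the "security: Grant socket perm..." line still appears).

What could be the problem here? Is this a security bug, or is something wrong with my jars or JNLP?

Please help. Thank you very much.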


1 Answer


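If your code runs under the Java security manager, each type of operation needs an explicit permission.

When you enable certificate mode for a trusted jar, the jar access permission is passed through the JVM in mixed mode, but socket access still requires an explicit permission.

http://download.java.net/jdk8/docs/technotes/guides/security/permissions.html lists all types of permissions and their risks from a security administrator's perspective.

The possible ways to connect to a host are: accept, connect, listen, resolve

By default, you have connect, accept, resolve to the host 192.168.72.72.

Answered 2013-10-09T11:20:39.583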
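To confirm which jars trigger a repeated check, a Java console trace like the one in the question can be tallied per jar. The following Python script is an added example, not part of the original question or answer; the sample trace, the host name `app.example.test` and the function names are constructed, and only the line prefixes are taken from the trace on this page.

```python
import re
from collections import defaultdict

# Line prefixes as they appear in the Java console trace shown on this page.
REQ = re.compile(r"^security: JAVAWS AppPolicy Permission requested for: (\S+)")
GRANT = re.compile(r"^security: Grant socket perm for (\S+) :")
VALID = "security: Certificate validation succeeded"
OCSP = "security: OCSP Response:"

# Constructed sample trace (not real output): a.jar is requested twice, b.jar once.
SAMPLE_TRACE = """\
security: JAVAWS AppPolicy Permission requested for: http://app.example.test/lib/a.jar
security: Validate the certificate chain using CertPath API
security: OCSP Response: GOOD
security: Certificate validation succeeded using OCSP/CRL
security: Grant socket perm for http://app.example.test/lib/a.jar : java.security.Permissions@1 (
 ("java.net.SocketPermission" "app.example.test" "connect,accept,resolve")
)
security: JAVAWS AppPolicy Permission requested for: http://app.example.test/lib/a.jar
security: Validate the certificate chain using CertPath API
security: OCSP Response: GOOD
security: Certificate validation succeeded using OCSP/CRL
security: JAVAWS AppPolicy Permission requested for: http://app.example.test/lib/b.jar
security: OCSP Response: GOOD
security: Certificate validation succeeded using OCSP/CRL
"""

def summarize(trace):
    """Per jar URL: permission requests, chain validations, OCSP responses, socket grants."""
    stats = defaultdict(lambda: {"requests": 0, "validations": 0, "ocsp": 0, "socket_grants": 0})
    current = None  # jar whose permission request block we are inside
    for raw in trace.splitlines():
        line = raw.strip()
        if m := REQ.match(line):
            current = m.group(1)
            stats[current]["requests"] += 1
        elif m := GRANT.match(line):
            stats[m.group(1)]["socket_grants"] += 1
        elif current and line.startswith(VALID):
            stats[current]["validations"] += 1
        elif current and line.startswith(OCSP):
            stats[current]["ocsp"] += 1
    return dict(stats)

def repeated(stats):
    """Jar URLs whose permission request (and so certificate check) ran more than once."""
    return sorted(url for url, s in stats.items() if s["requests"] > 1)

if __name__ == "__main__":
    for url, s in summarize(SAMPLE_TRACE).items():
        print(url, s)
```

Comparing `socket_grants` against `requests` per jar shows whether the repeated checks line up with the "Grant socket perm" line, as the question assumes.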