[SOLVED] JNLP - Can a signed jar download an unsigned jar and perform reflection on i

[fxRichard]

Basically what the title says, I have a rather complex product I have created and am moving the install application to run as a JNLP. I am encountering a few problems in the middle of the install application installing our product. The install app is a signed jar however it downloads multiple resources one of those being an unsigned jar file (main part of the application) and attempts to perform reflection to call some of the methods in it. I believe this is where it is failing but am not positive as I have more debugging to do. Is this allowed in JNLP as the program should NOT be running in the limited sandbox as it is signed etc.

[OrangeDog]

Try it and see. If the other jars come from the same server I guess it will work, but it might not.

[fxRichard]

Well, I tried signing the other jars as well, but still receiving an error when trying to run .invoke(null) on a Method object. The program runs fine as a standalone it's only when you run it via JNLP the problems arise. I test to verify the object is not null and that works, even a .getName() on the Method object works and returns the name but when trying to invoke it I get the following:

null <--(Exception.getMessage());

The Stack Trace...
sun.reflect.NativeMethodAccessorImpl.invoke0(Nativ e Method)
sun.reflect.NativeMethodAccessorImpl.invoke(Unknow n Source)
sun.reflect.DelegatingMethodAccessorImpl.invoke(Un known Source)
java.lang.reflect.Method.invoke(Unknown Source)
com.blackbox.install.DownloadThread.installConfig( DownloadThread.java:300)
com.blackbox.install.DownloadThread.downloadBlackB oxApp(DownloadThread.java:193)
com.blackbox.install.DownloadThread.run(DownloadTh read.java:71)
java.lang.Thread.run(Unknown Source)

[OrangeDog]

Is it a public method? Are you also downloading the native code for the method?

[fxRichard]

It is a public method, the jar file is downloaded by the calling jar file. It worked fine until I threw a JNLP interface to the jar file.

[OrangeDog]

What's the actual exception?

[fxRichard]

Well the message is just "null", the only info I have right now are the getMessage and stack trace I posted above. I will try to get more info on it either later tonight or first thing in the morning. I appreciate your help!

[OrangeDog]

If you just do e.printStackTrace() or don't catch the error it should tell you what it actually is.

[fxRichard]

Aha okay so it looks like a trusted JNLP will not allow you to read the sun cpu isalist property....

java.lang.reflect.InvocationTargetException
at sun.reflect.NativeMethodAccessorImpl.invoke0(Nativ e Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(Unknow n Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Un known Source)
at java.lang.reflect.Method.invoke(Unknown Source)
at com.blackbox.install.DownloadThread.installConfig( DownloadThread.java:302)
at com.blackbox.install.DownloadThread.downloadBlackB oxApp(DownloadThread.java:193)
at com.blackbox.install.DownloadThread.run(DownloadTh read.java:71)
at java.lang.Thread.run(Unknown Source)
Caused by: java.security.AccessControlException: access denied (java.util.PropertyPermission sun.cpu.isalist read)
at java.security.AccessControlContext.checkPermission (Unknown Source)
at java.security.AccessController.checkPermission(Unk nown Source)
at java.lang.SecurityManager.checkPermission(Unknown Source)
at java.lang.SecurityManager.checkPropertyAccess(Unkn own Source)
at java.lang.System.getProperty(Unknown Source)
at

[fxRichard]

Hmmm okay so another step forward....the method I cam calling via reflection is in another signed jar file that the JNLP jar file downloaded. However it looks like I am being denied permissions to read ANY properties via System.getProperty()... I did not realize JNLP would limit access to a signed app???? Any idea's...

[fxRichard]

Ok so here is the fix so if anyone runs into this in the future...

PROBLEM: JNLP signed jar file (trusted app) downloads another signed jar file (possible even unsigned is okay) and performs reflection via a CUSTOM classloader.

SOLUTION: You must extend SecureClassLoader or one of it's subclasses and override the getPermissions() method as follows:

Java Code:

import java.net.URLClassLoader;
import java.security.*;

public class JarLoader extends URLClassLoader
{
    ....other code here....

    protected PermissionCollection getPermissions(CodeSource codesource)
    {
    	PermissionCollection pcol = super.getPermissions(codesource);
    	pcol.add(new AllPermission());
    	return(pcol);
    }
}

Please note I am adding ALL PERMISSIONS in this example, you must determine what you need as adding all permissions may not be recommended etc.

This will fix any issues that may arise when using a custom classloader to load a jar file and/or perform reflection in JNLP.