Results 1 to 11 of 11
  1. #1
    fxRichard is offline Member
    Join Date
    Dec 2008
    Posts
    64
    Rep Power
    0

    Default [SOLVED] JNLP - Can a signed jar download an unsigned jar and perform reflection on i

    Basically what the title says, I have a rather complex product I have created and am moving the install application to run as a JNLP. I am encountering a few problems in the middle of the install application installing our product. The install app is a signed jar however it downloads multiple resources one of those being an unsigned jar file (main part of the application) and attempts to perform reflection to call some of the methods in it. I believe this is where it is failing but am not positive as I have more debugging to do. Is this allowed in JNLP as the program should NOT be running in the limited sandbox as it is signed etc.

  2. #2
    OrangeDog's Avatar
    OrangeDog is offline Senior Member
    Join Date
    Jan 2009
    Location
    Cambridge, UK
    Posts
    838
    Rep Power
    6

    Default

    Try it and see. If the other jars come from the same server I guess it will work, but it might not.
    Don't forget to mark threads as [SOLVED] and give reps to helpful posts.
    How To Ask Questions The Smart Way

  3. #3
    fxRichard is offline Member
    Join Date
    Dec 2008
    Posts
    64
    Rep Power
    0

    Default

    Well, I tried signing the other jars as well, but still receiving an error when trying to run .invoke(null) on a Method object. The program runs fine as a standalone it's only when you run it via JNLP the problems arise. I test to verify the object is not null and that works, even a .getName() on the Method object works and returns the name but when trying to invoke it I get the following:

    null <--(Exception.getMessage());

    The Stack Trace...
    sun.reflect.NativeMethodAccessorImpl.invoke0(Nativ e Method)
    sun.reflect.NativeMethodAccessorImpl.invoke(Unknow n Source)
    sun.reflect.DelegatingMethodAccessorImpl.invoke(Un known Source)
    java.lang.reflect.Method.invoke(Unknown Source)
    com.blackbox.install.DownloadThread.installConfig( DownloadThread.java:300)
    com.blackbox.install.DownloadThread.downloadBlackB oxApp(DownloadThread.java:193)
    com.blackbox.install.DownloadThread.run(DownloadTh read.java:71)
    java.lang.Thread.run(Unknown Source)

  4. #4
    OrangeDog's Avatar
    OrangeDog is offline Senior Member
    Join Date
    Jan 2009
    Location
    Cambridge, UK
    Posts
    838
    Rep Power
    6

    Default

    Is it a public method? Are you also downloading the native code for the method?
    Don't forget to mark threads as [SOLVED] and give reps to helpful posts.
    How To Ask Questions The Smart Way

  5. #5
    fxRichard is offline Member
    Join Date
    Dec 2008
    Posts
    64
    Rep Power
    0

    Default

    It is a public method, the jar file is downloaded by the calling jar file. It worked fine until I threw a JNLP interface to the jar file.

  6. #6
    OrangeDog's Avatar
    OrangeDog is offline Senior Member
    Join Date
    Jan 2009
    Location
    Cambridge, UK
    Posts
    838
    Rep Power
    6

    Default

    What's the actual exception?
    Don't forget to mark threads as [SOLVED] and give reps to helpful posts.
    How To Ask Questions The Smart Way

  7. #7
    fxRichard is offline Member
    Join Date
    Dec 2008
    Posts
    64
    Rep Power
    0

    Default

    Well the message is just "null", the only info I have right now are the getMessage and stack trace I posted above. I will try to get more info on it either later tonight or first thing in the morning. I appreciate your help!

  8. #8
    OrangeDog's Avatar
    OrangeDog is offline Senior Member
    Join Date
    Jan 2009
    Location
    Cambridge, UK
    Posts
    838
    Rep Power
    6

    Default

    If you just do e.printStackTrace() or don't catch the error it should tell you what it actually is.
    Don't forget to mark threads as [SOLVED] and give reps to helpful posts.
    How To Ask Questions The Smart Way

  9. #9
    fxRichard is offline Member
    Join Date
    Dec 2008
    Posts
    64
    Rep Power
    0

    Default

    Aha okay so it looks like a trusted JNLP will not allow you to read the sun cpu isalist property....

    java.lang.reflect.InvocationTargetException
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Nativ e Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(Unknow n Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(Un known Source)
    at java.lang.reflect.Method.invoke(Unknown Source)
    at com.blackbox.install.DownloadThread.installConfig( DownloadThread.java:302)
    at com.blackbox.install.DownloadThread.downloadBlackB oxApp(DownloadThread.java:193)
    at com.blackbox.install.DownloadThread.run(DownloadTh read.java:71)
    at java.lang.Thread.run(Unknown Source)
    Caused by: java.security.AccessControlException: access denied (java.util.PropertyPermission sun.cpu.isalist read)
    at java.security.AccessControlContext.checkPermission (Unknown Source)
    at java.security.AccessController.checkPermission(Unk nown Source)
    at java.lang.SecurityManager.checkPermission(Unknown Source)
    at java.lang.SecurityManager.checkPropertyAccess(Unkn own Source)
    at java.lang.System.getProperty(Unknown Source)
    at

  10. #10
    fxRichard is offline Member
    Join Date
    Dec 2008
    Posts
    64
    Rep Power
    0

    Default

    Hmmm okay so another step forward....the method I cam calling via reflection is in another signed jar file that the JNLP jar file downloaded. However it looks like I am being denied permissions to read ANY properties via System.getProperty()... I did not realize JNLP would limit access to a signed app???? Any idea's...

  11. #11
    fxRichard is offline Member
    Join Date
    Dec 2008
    Posts
    64
    Rep Power
    0

    Default Solution

    Ok so here is the fix so if anyone runs into this in the future...

    PROBLEM: JNLP signed jar file (trusted app) downloads another signed jar file (possible even unsigned is okay) and performs reflection via a CUSTOM classloader.

    SOLUTION: You must extend SecureClassLoader or one of it's subclasses and override the getPermissions() method as follows:

    Java Code:
    import java.net.URLClassLoader;
    import java.security.*;
    
    public class JarLoader extends URLClassLoader
    {
        ....other code here....
    
        protected PermissionCollection getPermissions(CodeSource codesource)
        {
        	PermissionCollection pcol = super.getPermissions(codesource);
        	pcol.add(new AllPermission());
        	return(pcol);
        }
    }
    Please note I am adding ALL PERMISSIONS in this example, you must determine what you need as adding all permissions may not be recommended etc.

    This will fix any issues that may arise when using a custom classloader to load a jar file and/or perform reflection in JNLP.

Similar Threads

  1. Sending unsigned bytes using DatagramPacket
    By sranil in forum Networking
    Replies: 2
    Last Post: 04-28-2009, 02:52 AM
  2. reading in unsigned ints into a 2D array
    By newToIt in forum New To Java
    Replies: 9
    Last Post: 03-06-2009, 12:36 PM
  3. Perform one action at a time
    By Melki in forum AWT / Swing
    Replies: 6
    Last Post: 12-08-2008, 07:29 AM
  4. How to perform some event to button click
    By eva in forum AWT / Swing
    Replies: 2
    Last Post: 01-16-2008, 12:27 AM
  5. Replies: 0
    Last Post: 11-14-2007, 06:04 PM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •