Java 安全异常 BIRT 和 Apache POI Hack

Java Security Exception BIRT and Apache POI Hack

我要

java.lang.SecurityException: class "org.apache.poi.POIXMLDocument"'s signer information does not match signer information of other classes in the same package

在 BIRT 核心 jar 和 Apache POI jar 之间,as described by this BIRT bug report.

错误报告中指出,这可以通过升级 BIRT 来修复,但是当我这样做时,我 运行 变成了另一个只能通过降级来解决的 运行time 错误。因此,就目前而言,我在这里有点困难。 This comment 说我应该能够解压缩 apache poi jar,删除安全信息(BIRT 清单中有 none),然后重新压缩它,我应该可以开始了,但是当我删除安全信息 我使用 apache poi 的代码不再编译,就好像 poi 依赖项不再存在(是的,它在类路径上)。此外,我的 aspectj weaver 也抛出了一个异常。

这里是 META-INF/MANIFEST.MF:

之前(删节,片段)

Manifest-Version: 1.0
Bundle-ClassPath: .
Bundle-Vendor: Eclipse Orbit
Bundle-Name: Apache POI
Bundle-SymbolicName: org.apache.poi
Eclipse-SourceReferences: scm:cvs:pserver:dev.eclipse.org:/cvsroot/too
 ls:org.eclipse.orbit/org.apache.poi;tag=v201303080712
Export-Package: org.apache.poi,org.apache.poi.common.usermodel,org.apa
 che.poi.ddf,org.apache.poi.dev,org.apache.poi.hpsf,org.apache.poi.hps
 f.extractor,org.apache.poi.hpsf.wellknown,org.apache.poi.hssf,org.apa
 che.poi.hssf.dev,org.apache.poi.hssf.eventmodel,org.apache.poi.hssf.e
 ventusermodel,org.apache.poi.hssf.eventusermodel.dummyrecord,org.apac
 he.poi.hssf.extractor,org.apache.poi.hssf.model,org.apache.poi.hssf.r
 ecord,org.apache.poi.hssf.record.aggregates,org.apache.poi.hssf.recor
 d.cf,org.apache.poi.hssf.record.chart,org.apache.poi.hssf.record.comm
 on,org.apache.poi.hssf.record.cont,org.apache.poi.hssf.record.crypto,
 org.apache.poi.hssf.record.pivottable,org.apache.poi.hssf.usermodel,o
 rg.apache.poi.hssf.util,org.apache.poi.poifs.common,org.apache.poi.po
 ifs.crypt,org.apache.poi.poifs.dev,org.apache.poi.poifs.eventfilesyst
 em,org.apache.poi.poifs.filesystem,org.apache.poi.poifs.nio,org.apach
 e.poi.poifs.property,org.apache.poi.poifs.storage,org.apache.poi.ss,o
 rg.apache.poi.ss.extractor,org.apache.poi.ss.format,org.apache.poi.ss
 .formula,org.apache.poi.ss.formula.atp,org.apache.poi.ss.formula.cons
 tant,org.apache.poi.ss.formula.eval,org.apache.poi.ss.formula.eval.fo
 rked,org.apache.poi.ss.formula.function,org.apache.poi.ss.formula.fun
 ctions,org.apache.poi.ss.formula.ptg,org.apache.poi.ss.formula.udf,or
 g.apache.poi.ss.usermodel,org.apache.poi.ss.usermodel.charts,org.apac
 he.poi.ss.util,org.apache.poi.ss.util.cellwalk,org.apache.poi.util
Bundle-Version: 3.9.0.v201303080712
Bundle-ManifestVersion: 2

Name: org/apache/poi/ss/formula/functions/AggregateFunction.class
SHA1-Digest: 5RrBJbQIbv6B9uMzek3j1oKz6M8=

Name: org/apache/poi/ss/usermodel/charts/AxisCrosses.class
SHA1-Digest: ipQ9+pxjWLkgUu7+oqv0Yehyggw=

Name: org/apache/poi/hssf/usermodel/HSSFSheet.class
SHA1-Digest: ScBV1zHQgPkl9+/wIKAG4fJQXCo=

Name: org/apache/poi/hssf/record/HyperlinkRecord$GUID.class
SHA1-Digest: 3kpDbR6WINPRF24HCT7qOrhKnE4=

Name: org/apache/poi/poifs/storage/RawDataBlockList.class
SHA1-Digest: RHoYWrfErxUXOgVH4A9IDEXcx6c=

Name: META-INF/LICENSE
SHA1-Digest: skDsOhroUOXZROozPxPxBGVNGv4=

Name: org/apache/poi/ss/util/DateFormatConverter.class
SHA1-Digest: LKE6cGcKD20qFWR7++gAw1YMZ7s=

... a lot more of this SHA1-Digest stuff

之后(未删节,完整文件):

Manifest-Version: 1.0 
Bundle-ClassPath: .
Bundle-Vendor: Eclipse Orbit
Bundle-Name: Apache POI 
Bundle-SymbolicName: org.apache.poi
Eclipse-SourceReferences: scm:cvs:pserver:dev.eclipse.org:/cvsroot/too
 ls:org.eclipse.orbit/org.apache.poi;tag=v201303080712
Export-Package: org.apache.poi,org.apache.poi.common.usermodel,org.apa
 che.poi.ddf,org.apache.poi.dev,org.apache.poi.hpsf,org.apache.poi.hps
 f.extractor,org.apache.poi.hpsf.wellknown,org.apache.poi.hssf,org.apa
 che.poi.hssf.dev,org.apache.poi.hssf.eventmodel,org.apache.poi.hssf.e
 ventusermodel,org.apache.poi.hssf.eventusermodel.dummyrecord,org.apac
 he.poi.hssf.extractor,org.apache.poi.hssf.model,org.apache.poi.hssf.r
 ecord,org.apache.poi.hssf.record.aggregates,org.apache.poi.hssf.recor
 d.cf,org.apache.poi.hssf.record.chart,org.apache.poi.hssf.record.comm
 on,org.apache.poi.hssf.record.cont,org.apache.poi.hssf.record.crypto,
 org.apache.poi.hssf.record.pivottable,org.apache.poi.hssf.usermodel,o
 rg.apache.poi.hssf.util,org.apache.poi.poifs.common,org.apache.poi.po
 ifs.crypt,org.apache.poi.poifs.dev,org.apache.poi.poifs.eventfilesyst
 em,org.apache.poi.poifs.filesystem,org.apache.poi.poifs.nio,org.apach
 e.poi.poifs.property,org.apache.poi.poifs.storage,org.apache.poi.ss,o
 rg.apache.poi.ss.extractor,org.apache.poi.ss.format,org.apache.poi.ss
 .formula,org.apache.poi.ss.formula.atp,org.apache.poi.ss.formula.cons
 tant,org.apache.poi.ss.formula.eval,org.apache.poi.ss.formula.eval.fo
 rked,org.apache.poi.ss.formula.function,org.apache.poi.ss.formula.fun
 ctions,org.apache.poi.ss.formula.ptg,org.apache.poi.ss.formula.udf,or
 g.apache.poi.ss.usermodel,org.apache.poi.ss.usermodel.charts,org.apac
 he.poi.ss.util,org.apache.poi.ss.util.cellwalk,org.apache.poi.util
Bundle-Version: 3.9.0.v201303080712
Bundle-ManifestVersion: 2

如您所见,我删除了所有安全信息。我一路上做错了什么吗?这是我的问题的有效解决方案吗?

This Whosebug post helped me.

我必须删除 META-INF 中的一些文件,重新压缩文件夹并将其重命名为 jar 是不够的,我需要使用以下命令实际创建 jar:

jar cvf org.apache.poi_3.9.0.v201303080712.jar .

为了继续进行自动化操作,以下 ANT macrodef 应该完成这项工作:

<macrodef name="unsignjar">
    <attribute name="jarfile" 
        description="The jar file to unsign" />    
    <sequential>
        <!-- Editing the manifest file -->
        <copy toFile="@{jarFile}_MANIFEST.tmp">
            <resources>
                <zipentry zipfile="@{jarFile}" name="META-INF/MANIFEST.MF"/>
            </resources>
        </copy>
        <replaceregexp file="@{jarFile}_MANIFEST.tmp" match="\nName:(.+?)\nSH" replace="SH" flags="gis" byline="false"/>
        <replaceregexp file="@{jarFile}_MANIFEST.tmp" match="SHA(.*)" replace="" flags="gis" byline="false"/>
        <jar update="yes"
            jarfile="@{jarFile}.tmp"
            manifest="@{jarFile}_MANIFEST.tmp">
            <zipfileset src="@{jarFile}">
                <include name="**"/>
                <!-- Clearing the META-INF directory -->
                <exclude name="META-INF/*.SF"/>
                <exclude name="META-INF/*.DSA"/>
                <exclude name="META-INF/*.RSA"/>
            </zipfileset>
        </jar>
        <delete file="@{jarFile}_MANIFEST.tmp" />
        <move file="@{jarFile}.tmp"
              tofile="@{jarFile}"
              overwrite="true" />
    </sequential>
</macrodef>

对于位于 WEB-INF/lib 文件夹中的特定 Jar 文件(${webapp.libs} 键),它在 ANT 任务中按以下方式调用:

<target name="unsignJar">
    <unsignjar jarFile="${webapp.libs}/org.apache.poi_3.9.0.v201303080712.jar" />
</target>