NullPointerException when reading manifest signed webstart jar behind authentication layer
I have a java webstart application running in a tomcat web server.
The single jar referenced by the JNLP is signed.
The entire web application sits behind a basic authentication layer.
Web.xml excerpt:
<security-constraint>
    <display-name> Client (SSL)</display-name>
    <web-resource-collection>
        <web-resource-name>Client (SSL)</web-resource-name>
        <url-pattern>/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
        <role-name>clientuser</role-name>
    </auth-constraint>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
<login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Client Webstart</realm-name>
</login-config>
When I run the JNLP, webstart correctly asks me for a username and password, but then crashes with the following null pointer exception:
java.lang.NullPointerException
at com.sun.deploy.security.DeployManifestChecker.verify(Unknown Source)
at com.sun.javaws.security.AppPolicy.grantUnrestrictedAccess(Unknown Source)
at com.sun.javaws.security.AppPolicy.addPermissions(Unknown Source)
at com.sun.jnlp.JNLPClassLoader.getTrustedCodeSources(Unknown Source)
at com.sun.deploy.security.CPCallbackHandler$ParentCallback.strategy(Unknown Source)
at com.sun.deploy.security.CPCallbackHandler$ParentCallback.openClassPathElement(Unknown Source)
at com.sun.deploy.security.DeployURLClassPath$JarLoader.getJarFile(Unknown Source)
at com.sun.deploy.security.DeployURLClassPath$JarLoader.access0(Unknown Source)
at com.sun.deploy.security.DeployURLClassPath$JarLoader.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at com.sun.deploy.security.DeployURLClassPath$JarLoader.ensureOpen(Unknown Source)
at com.sun.deploy.security.DeployURLClassPath$JarLoader.<init>(Unknown Source)
at com.sun.deploy.security.DeployURLClassPath.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at com.sun.deploy.security.DeployURLClassPath.getLoader(Unknown Source)
at com.sun.deploy.security.DeployURLClassPath.getLoader(Unknown Source)
at com.sun.deploy.security.DeployURLClassPath.getResource(Unknown Source)
at java.net.URLClassLoader.run(Unknown Source)
at java.net.URLClassLoader.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at java.net.URLClassLoader.findClass(Unknown Source)
at com.sun.jnlp.JNLPClassLoader.findClass(Unknown Source)
at java.lang.ClassLoader.loadClass(Unknown Source)
at java.lang.ClassLoader.loadClass(Unknown Source)
at java.lang.ClassLoader.loadClass(Unknown Source)
at com.sun.javaws.Launcher.doLaunchApp(Unknown Source)
at com.sun.javaws.Launcher.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
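Add the "all permissions" attribute to your JAR manifest. For details, see this url http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/security/manifest.html

The problem turned out not to be security related, but rather another part of web.xml that I had not posted before: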
<servlet>
    <description>
        The Client.
    </description>
    <display-name>Client</display-name>
    <servlet-name>GenerateClientJNLPServlet</servlet-name>
    <servlet-class>web.GenerateClientJNLPServlet</servlet-class>
</servlet>
<servlet-mapping>
    <servlet-name>GenerateClientJNLPServlet</servlet-name>
    <url-pattern>/*</url-pattern>
</servlet-mapping>
<security-role>
    <role-name>clientuser</role-name>
</security-role>
....
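The servlet's URL pattern was set to *. This meant that when the JWS process went to a specific location to download the jar, it was redirected back to the servlet, which served an error.html page in its response instead of the jar.
I have now restricted the servlet url to:
<url-pattern>/LaunchClient/*</url-pattern>
while the jar continues to be hosted under /releases/*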
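
The mapping behaviour described in the answer above, as an added example that is not part of the original post: a small Python model of the Servlet specification's URL-mapping order, run against the two `url-pattern` values from the page. The jar path `/releases/client.jar`, the JNLP path, and the name `default` (standing for the container's static-file servlet) are assumptions.

```python
# Added illustration, not from the original post. It models the Servlet
# specification's mapping order: exact match, longest path-prefix match,
# extension match, then the container's default servlet.

def resolve(path, mappings):
    """Return the name of the servlet that handles a context-relative path."""
    # 1. Exact match ("/" is the default-servlet pattern, handled last).
    if path in mappings and path != "/":
        return mappings[path]
    # 2. Longest path-prefix match: "/*" has the empty prefix and matches all.
    best = None
    for pattern, servlet in mappings.items():
        if not pattern.endswith("/*"):
            continue
        prefix = pattern[:-2]
        if path == prefix or path.startswith(prefix + "/"):
            if best is None or len(prefix) > len(best[0]):
                best = (prefix, servlet)
    if best is not None:
        return best[1]
    # 3. Extension match, e.g. "*.jnlp".
    last_segment = path.rsplit("/", 1)[-1]
    if "." in last_segment:
        ext_pattern = "*." + last_segment.rsplit(".", 1)[1]
        if ext_pattern in mappings:
            return mappings[ext_pattern]
    # 4. Nothing matched: the default servlet serves the static file.
    return mappings.get("/", "default")

# Mappings taken from the page's web.xml, before and after the fix.
BEFORE = {"/*": "GenerateClientJNLPServlet"}
AFTER = {"/LaunchClient/*": "GenerateClientJNLPServlet"}

# Constructed sample paths (the page does not give the jar's file name).
SAMPLES = ["/releases/client.jar", "/LaunchClient/client.jnlp", "/LaunchClient"]

def compare(paths=SAMPLES):
    """Map each path to (handler before the fix, handler after the fix)."""
    return {p: (resolve(p, BEFORE), resolve(p, AFTER)) for p in paths}

if __name__ == "__main__":
    for path, (before, after) in compare().items():
        print(f"{path:28} before={before:28} after={after}")
```

The `url-pattern` inside `security-constraint` is matched separately from servlet mappings, so narrowing the servlet to `/LaunchClient/*` leaves `/releases/*` behind the same BASIC authentication.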