We are having difficulty getting mixed code errors for Java webstart. So, we have our main JNLP file, we signed all our code, which it loads directly. We have added the all-permissions option to the main JNLP. The main class that it loads also comes from a signed can.
When the main class starts a little along the way, it runs some things that need to load some unsigned resources that are pulled from JNLP B. None of the JNLP B resources are signed and they don't need special permissions.
All the signed code was configured based on mixed Oracle documentation, and the jar files were installed with the manifest "Trusted-Library: true" before signing.
When unsigned code tries to load signed code, we get a class error not found like this:
java.lang.reflect.InvocationTargetException
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.lang.reflect.Method.invoke(Unknown Source)
at com.sun.javaws.Launcher.executeApplication(Unknown Source)
at com.sun.javaws.Launcher.executeMainClass(Unknown Source)
at com.sun.javaws.Launcher.doLaunchApp(Unknown Source)
at com.sun.javaws.Launcher.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
Caused by: java.lang.NoClassDefFoundError: org/some/external/package/that/is/not/signed
at org.our.signed.package.main(Main.java:87)
... 9 more
Caused by: java.lang.ClassNotFoundException: org.some.external.package.that.is.not.signed
at java.net.URLClassLoader$1.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at java.net.URLClassLoader.findClass(Unknown Source)
at com.sun.jnlp.JNLPClassLoader.findClass(Unknown Source)
at java.lang.ClassLoader.loadClass(Unknown Source)
at java.lang.ClassLoader.loadClass(Unknown Source)
... 10 more
Here is the script in JNLP:
JNLP A: (summarized)
<jnlp spec="1.5+" codebase="...." href="......">
<information>
...etc
</information>
<security>
<all-permissions/>
</security>
<resources>
<j2se version="1.6+" initial-heap-size="80m" max-heap-size="256m" href="http://java.sun.com/products/autodl/j2se"/>
<jar href="signedJar_1.jar" download="eager" main="true"/>
<jar href="signedJar_2.jar" download="eager" main="false"/>
<extension name="unsigned_ext" href="unsigned.jnlp"/>
</resources>
<application-desc main-class="(FROM SIGNED CLASS in signedJar_1.jar)"/>
</jnlp>
JNLP B (loader unsigned.jnlp)
<jnlp spec="1.5+" codebase="....." href="......">
<information>
...etc
</information>
<resources>
<jar href="unsigned.jar"/>
</resources>
<component-desc/>
</jnlp>
We noted that security exceptions work correctly, because if we move an unsigned jar to a JNLP that has all access rights and has signed banks, we get the expected security exceptions that Java will not allow us to mix the signed code with Trusted-Library: true and unsigned code without manifest attributes.
? , java ? - , , ? , , .