Register /
Login
|
Desktop view
|
General Issues
»
Trusted-Library attribute in manifest file
Author:
adeteran, Visitor
03/07/2013 09:05:48
Hi,
We have been successfully using JCAPI in an applet, to sign files in user's local disk. Our applet has no GUI, so interaction with user is via JavaScript.
Since Java 6 update 19, if an application uses signed and unsigned code, signed jars that are allowed to be used from unsigned code, should have a Trusted-Library attribute set to true in their manifest. Else, the JVM will pop a warning that recommends the user to not execute the app.
Trusted library classes are loaded through a separate classloader. The rest of the app can "see" that trusted code, but trusted code cannot "see" code not marked as "trusted library".
http://docs.oracle.com/javase/6/docs/technotes/guides/jweb/mixed_code.html
Since Java 7 update 21/Java 6 update 45, if signed code is invoked from JavaScript, it is considered as mixed code. So our application is now considered mixed code.
If we add the Trusted-Library to our jars and sign them, there are no warnings, but as JCAPI is not a "trusted library", our code cannot "see" any of JCAPI classes (a ClassNotFoundException is thrown).
There is a workaround, but it involves messing with classloaders. It would be much more easy that JCAPI manifest includes Trusted-Library attribute set to true. I think it is coherent with JCAPI purpouse, and lot of users will benefit from it.
Do you have plans to include a Trusted-Library attribute in the manifest, in both 1.x and 2.x versions?
Thanks in advance.
Author:
tommy, Visitor
11/09/2013 20:54:36
Hi,
We've now released a new re-signed version of JCAPI whose manifest file contain the new Trusted-Library property.
For more information, please see our release post.
Regards,
Tommy
Register /
Login
|
Desktop view
|
