Signing Applet with Maven jar plug-in and Bouncy Castle
I have a problem with a signed Java applet - specifically, why it is not signed using my certificate. I'm using Maven in Eclipse.
The applet (a) allows the user to choose a local file or directory, (b) encrypts the file(s), and (c) uploads the file(s) to the a PHP based web page. The applet is signed, presumably using m开发者_StackOverflowy certificate - i.e., through Maven code, using the maven-jar plug-in. For example:
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-jar-plugin</artifactId>
<executions>
sign
/ /images/ src/main/resources/META-INF/MANIFEST.MF false [PATH_TO_MY_KEYSTORE] [MY ALIAS] [******] [******] [PATH_TO_SIGNED_JAR] true true(Obviously I've masked some of this because I work for paranoid gits!) Everything is packaged up nicely and the applet loads in the page; however, two things are troublesome: (1) when the applet loads, it identifies the Legion of Bouncy Castle as the certificate used to sign the applet and (2) while the applet, using a JFileChooser can access the file system, an "access denied" permission - to the file(s) - is thrown when trying to execute (c) above, sending the file to the web site. (I use Apache HTTP Components to do so.)
My applet is packaged separately from the dependent jars - including Bouncy Castle jars.
My question is: Why is BC the signer of my applet and not my own certificate, as identified above? Is this a Maven problem? In development, of course, everything works fine because Eclipse writes the policy file for the Applet Viewer.
Here is a snippet of the output in Eclipse - it looks like everything should be honky-dory:
[DEBUG] Configuring mojo 'org.apache.maven.plugins:maven-jar-plugin:2.2:sign' with basic configurator -->
[DEBUG] (s) alias = myalias
[DEBUG] (s) basedir = C:\..\target
[DEBUG] (f) finalName = app-0.0.1-SNAPSHOT
[DEBUG] (s) jarPath = C:\..\app-0.0.1-SNAPSHOT.jar
[DEBUG] (s) keypass = 1234
[DEBUG] (s) keystore = C:\..\my.keystore
[DEBUG] (s) project = MavenProject: App:app:0.0.1-SNAPSHOT @ C:\..\app\pom.xml
[DEBUG] (f) signedjar = C:\..\signed.jar
[DEBUG] (f) skip = false
[DEBUG] (s) storepass = 1234
[DEBUG] (s) verbose = true
[DEBUG] (s) verify = true
[DEBUG] (f) workingDirectory = C:\..\app
[DEBUG] -- end configuration --
[INFO] [jar:sign]
[DEBUG] Setting context classloader for plugin to: /plugins/org.apache.maven.plugins:maven-jar-plugin:2.2@48/thread:main (instance is: ClassRealm[/plugins/org.apache.maven.plugins:maven-jar-plugin:2.2@48/thread:main, parent: ClassRealm[plexus.core, parent: null]])
[DEBUG] jarsigner executable=[C:\Java\jdk1.6.0_16\jre\..\bin\jarsigner.exe]
[DEBUG] mdkirs: false C:\..\app
[DEBUG] Executing: cmd.exe /X /C '"C:\Java\jdk1.6.0_16\jre\..\bin\jarsigner.exe -verbose -keystore C:\...\my.keystore -storepass ****** -keypass ****** -signedjar C:\...\signed.jar C:\...\target\app-0.0.1-SNAPSHOT.jar myalias"'
[INFO] updating: META-INF/MANIFEST.MF
[INFO] adding: META-INF/APP.SF
[INFO] adding: META-INF/APP.RSA
[INFO] adding: com/
[INFO] adding: com/applet/
...
[INFO] adding: images/
[INFO] signing: com/applet/DemoApplet$1.class
[INFO] signing: log4j.xml
[INFO] signing: target.classes
[debug] jarsigner executable=[C:\Java\jdk1.6.0_16\jre\..\bin\jarsigner.exe]
[debug] Executing: cmd.exe /X /C '"C:\Java\jdk1.6.0_16\jre\..\bin\jarsigner.exe -verify -verbose C:\...\signed.jar"'
Any help would be greatly appreciated. Thanks. Incidentally, here is the stack trace:
General exception: access denied (java.io.FilePermission C:\Documents and Settings\Paul\My Documents\text.txt read)
java.security.AccessControlException: access denied (java.io.FilePermission C:\Documents and Settings\Paul\My Documents\text.txt read)
at java.security.AccessControlContext.checkPermission(Unknown Source)
at java.security.AccessController.checkPermission(Unknown Source)
at java.lang.SecurityManager.checkPermission(Unknown Source)
at java.lang.SecurityManager.checkRead(Unknown Source)
at java.io.File.isFile(Unknown Source)
at sun.awt.shell.ShellFolder.isFile(Unknown Source)
at org.apache.commons.httpclient.methods.multipart.FilePartSource.<init>(FilePartSource.java:68)
at com.securustek.applet.DemoApplet.sendFiles(DemoApplet.java:1098)
at com.securustek.applet.DemoApplet.actionPerformed(DemoApplet.java:448)
at javax.swing.AbstractButton.fireActionPerformed(Unknown Source)
at javax.swing.AbstractButton$Handler.actionPerformed(Unknown Source)
at javax.swing.DefaultButtonModel.fireActionPerformed(Unknown Source)
at javax.swing.DefaultButtonModel.setPressed(Unknown Source)
at javax.swing.plaf.basic.BasicButtonListener.mouseReleased(Unknown Source)
at java.awt.AWTEventMulticaster.mouseReleased(Unknown Source)
at java.awt.Component.processMouseEvent(Unknown Source)
at javax.swing.JComponent.processMouseEvent(Unknown Source)
at java.awt.Component.processEvent(Unknown Source)
at java.awt.Container.processEvent(Unknown Source)
at java.awt.Component.dispatchEventImpl(Unknown Source)
at java.awt.Container.dispatchEventImpl(Unknown Source)
at java.awt.Component.dispatchEvent(Unknown Source)
at java.awt.LightweightDispatcher.retargetMouseEvent(Unknown Source)
at java.awt.LightweightDispatcher.processMouseEvent(Unknown Source)
at java.awt.LightweightDispatcher.dispatchEvent(Unknown Source)
at java.awt.Container.dispatchEventImpl(Unknown Source)
at java.awt.Window.dispatchEventImpl(Unknown Source)
at java.awt.Component.dispatchEvent(Unknown Source)
at java.awt.EventQueue.dispatchEvent(Unknown Source)
at java.awt.EventDispatchThread.pumpOneEventForFilters(Unknown Source)
at java.awt.EventDispatchThread.pumpEventsForFilter(Unknown Source)
at java.awt.EventDispatchThread.pumpEventsForHierarchy(Unknown Source)
at java.awt.EventDispatchThread.pumpEvents(Unknown Source)
at java.awt.EventDispatchThread.pumpEvents(Unknown Source)
at java.awt.EventDispatchThread.run(Unknown Source)
Thanks again.
I am not sure but it may be because of the certificate itself because the security access problem... I mean it may expire. Is it new created? But still there should be more details to analyze...
Have you checked the MANIFEST classes structure? Are they all signed?
加载中,请稍侯......
精彩评论