Protect a jar file
how to protect a jar file so that no one can de -jar the class files from it
please suggest..
thanks..
Or alternatively they don't know why, and are too afraid to ask. I think a lot of these people only ask questions on forums, not of their colleagues or managers. Also they may be afraid of finding out because it will mean a discussion with a colleague or superior that again they're too afraid to have. They'd rather keep their heads down and deliver the wrong answer as instructed. Easy to be 'brave' on a forum, hiding behind a pseudonym, and easy to come up with solutions that way that make you look better than you really are. Not so easy to act like a professional.
I'm reminded of a former colleague who used to go around announcing he'd just 'realized' something after he had had a secret discussion with me. Didn't get him very far when I wasn't around.
Cultural things at work here too I suspect. Aussies and Americans and British don't mind arguing all day & laughing about it afterwards over a beer. Others' mileage seems to vary ;-)
Similar Messages
-
Protecting your jar file from been extracted
Please i noticed that the java jar file of a software can easily be extracted to review the class files with winrar which allows just anyone to have access to your class file and decompile to get source codes, allowing pirating of the software. How can I lock the jar file to prevent extraction of my class files.
1. why are you mocking others instead of answering the question ? some one wants to protect his jar file. the solution is simple.
2. you can use google to search, here is result :
http://stackoverflow.com/questions/1280702/protecting-java-jar-files-for-distribution
http://stackoverflow.com/questions/9633455/how-to-protect-a-jar-file-from-being-decompiled
http://www.thegeekstuff.com/2008/06/protect-your-java-code-from-reverse-engineering/
http://answers.google.com/answers/threadview/id/431511.html
http://stackoverflow.com/questions/1879061/how-to-protect-java-codes-against-decompiler
http://viralpatel.net/blogs/2009/07/protect-java-code-decompilation-using-java-obfuscator.html
http://www.coderanch.com/t/430716/java/java/Protect-class-file-not-decompile
http://stackoverflow.com/questions/7324708/are-jar-file-insecure-what-can-done-apart-from-code-obfuscation
http://stackoverflow.com/questions/3647255/how-do-i-copy-protect-my-java-application
http://www.javaworld.com/javaworld/javatips/jw-javatip22.html
http://stackoverflow.com/questions/12088/do-you-obfuscate-your-commercial-java-code
3. it is true if you can use basic methods that EJP mentioned, there would be no need for obfuscators, nor native library use.
but there are many situations that you can't do any of those methods.
4. EJP claims that he probably is the one "who have had perhaps 40 times as long as you've had to think about it."
here is the problem that made me use both obfuscation and native library :
My company released a simple java library that scanned a document (directly from scanner or camera device).
the documents were exam papers.
Use some OCR techniques to convert image to text so some other application could calculate the score using it's api.
For marketing purposes, the company needed to publish a 7-day trial version of this library.
So, as you can see I'm eager to hear what you want to suggest. -
How to protect my jar file from being downloaded
How can i protect my jar file from being downloaded by users by accessing it through the web site.
Now everybody can just type the url www.mysite.com/applets/myApplet.jar
And download it to his computer.
I realize that anybody who really wants to download it he will get it anyway, but I want to make it harder.
thanks in advanceYour browser has to download the jar file if it's going to run the applet. That's applets work. The browser downloads the classes and then runs them locally.
I suppose if you wanted to make something to make it difficult for users to explicitly download the jar, you could set some kind of permission flag when the HTML is page is rendered, and then unset it some amount of time (10 seconds?) later, and then only let the user download the jar when the flag is set. But this would be fragile and irritating and unhelpful. It would probably break more than you'd like and not prevent download very much (it wouldn't take long to figure out what was happening), and besides nobody is ever going to try to steal your code. -
Protecting the jar files from being web access
I have a jnlp file which is put under tomcat webapps folder, say (\webapps\TEST\launch.jnlp), with the jar and lib files put in the subfolder (\webapps\TEST\folder1\*.jar AND \webapps\TEST\folder1\lib\*.jar).
My question is how can i prevent user from direct access to the jar files via typing http://www.someip.com/TEST/folder1/main.jar ? I tried the following methods but it seemed not working:
1. Change the folder permisson in \webapps\TEST\*.*, but when user type the above hyperlink they can still get the jar file
2. put the jar and related files under \WEB-INF\, but now this time running the launch.jnlp, it returns an error saying that it can't access/find the WEB-INF.
Is there any method? Or should I say, when you published jnlp to web, the related jar files are forced to be accessed by everyone.Sounds easy to me: encrypt your xml, then instead of just storing your key as plain bytes do some reversable operations on it (xor masks, reversions, whatever you like), just do them in many different points (and classes) of your code, have some parts done by methods that actually check application is running under JWS with proper codebase, scramble it all, and suddently the whole stealing operation won't be worth the effort. Obviously you should have many private (and package protected) methods, seal packages and so on. Maybe, somehow, you can even use reflection to identify calling classes (not sure, never looked for anything similar).
What else? write down some c++ code into your own dll/JNI library and make it do something too, so they'll even need to decompile the dll. If you know first execution is always online you can send another xor key and store it with persistence service or write it down to windows registry. You can keep making it harder as much as you like, even just with silly code like
Math.ceil((new GregorianCalendar.getField(Calendar.YEAR)%2000)/1000)*((int)('c'-'a'))just to retrieve the number 2. If you distribute such code through many lines and methods, once you scramble it, most people will give up.
Bye. -
Protecting Java jar files from decompiling.
Hello,
I need to distrubute ny Java application, I know there are tools to reengineer the java class file. How to Protect my class files from exploitation.
Any suggestions.
Thanks
Shreenivasa1. Write a no-decompile clause into the licence.
2. Make your product so expensive that no licensee will want anybody else to get one for nothing.
3. Make your product so inexpensive that it would be simpler to buy it than reverse-engineer it.
4. Bring out new versions of your product so rapidly or with such amazing new features in each release that the reverse-engineers can't keep up with you.
5. Make a proper evaluation of the forgone revenue against the cost of all this engineering, that doesn't assume you would have sold a copy to every potential pirate, or that you can actually deter every potential pirate.
In short it is a business problem. Not a technical problem. -
How to protect the class files inside jar file.
Hi Group,
pls help me.
my need is i created a executable jar file with certain classes.
and i'm supposed to send it to my client.
but if the client needs he can extract the class files from the jar and with the
help of some decompilers he can convert class file to .java source code and read the whole
stuff.
how can i protect my jar file from these.
is there any security mechanism for that
pls help me.
Regards,
Ranjith.MIn order to protect my jar file I tried the jar signer technology but it only protects the jar from modification so I need to know how to protect jar file from decoding of the contents inside.
-
Can anyone explain how they made this Jar file
Hi all,
I have searched the forum without luck. Lots of people asked questions about protecting their jar files but almost everyone said to either use exe file or use obfuscators.
But how can I make my jar so it is not possible to open it or when you try to open it you get nothing.
For eg. jar -tvf myjar.jar returns nothing and no error message.
I am also going to go one step ahead and give you an example of such a jar file you can download from the net to check it out yourself what I mean.
Go to the following site and download the exe file by clicking on the download cluster link
http://support.novell.com/servlet/filedownload/pub/drsapuserir1.exe
Open command prompt run the exe....accept the license and it should extract couple of files one of which is a jar file called sapusershim.jar
Try to open it with winrar, winzip or jar utility. You won't be able to. But I know for sure the jar is not corrupted because I use it in my application at work. This is not the only example of such jar file I have experienced.
So now we all know it's possible. But I would really like to know how.
Regards,
Hiten.By definition, if the jar utility program won't operate correctly on the jar, it is corrupted in some manner and no longer standard.
-
To what extend is it possible to get information about algorithms and data structures out of an jar-file, i.e. out of the *.class - files of an application?
Is there some method to protect a jar-file against this?To what extend is it possible to get information about
algorithms and data structures out of an jar-file,
i.e. out of the *.class - files of an application?You would be amazed how similar to the original source the decompiled class files are, download one and check it out! http://directory.google.com/Top/Computers/Programming/Languages/Java/Development_Tools/Translators/Decompilers_and_Disassemblers/?tc=1
Is there some method to protect a jar-file against
this?Yes! it is called obfuscation, there are some pretty good freeware ones out there: http://directory.google.com/Top/Computers/Programming/Languages/Java/Development_Tools/Obfuscators/?tc=1 -
Hi
I would like to know how to protect the jnlp and jar files against anyone who just types the URL in the browser Address bar.
Thanks
StevenHaven't tried, but if your jnlp app must check for updates on every startup and your files (both jnlp file and jars) are in a password protected folder (using digest or plain authentication over a SSL connection, for example) then you may be in trouble. Will JWS recognize this situation on an update check and prompt for login/password? (related to web server's folders).
Regards -
Protect jar file from unzip utility
Hi
I have an application in .jar file and I don't want that the client
can extract or unzip and see the contents of my .jar file.But still the .jar file
could run by mouse double click or java -jar command.
Anyone can give me an idea how to do it.
Thanks...If java can read it on your client's machine, the client can read it. There is no way to prevent this. Here's the general cycle:
int protectionMode = chooseProtectionMode();
boolean haveCustomers = true;
while (haveCustomers)
switch (protectionMode)
case OBFUSCATE:
//You can obfuscate your code to make it (marginally) harder to
//reverse-engineer. If your client is really interested in your
//code, this won't keep them from figuring out what it does.
break;
case ENCRYPT:
// You can encrypt most of your class files, and build a
// decrypting classloader, and build a framework that calls
// the decrypting classloader to get at the rest of the jar.
// Of course, your client can just arrange to call your
// classloader from their own, and write the (decrypted)
// classfiles to disk, and then reverse engineer them.
protectionMode = OBFUSCATE;
break;
case STATECHECK:
// You can put some kind of check in your decrypting classloader
// that calls System.exit() if it discovers it's being called in
// such an unfriendly way. Your client will take about 10 minutes
// to find and remove the check.
protectionMode = ENCRYPT;
break;
case REMOTE:
// You can keep your code on your server and let the client run
// something that talks to it. The client will complain
// vociferously, and refuse to use your app.
haveCustomers = false;
break;
default:
// You can decide to stop stressing over something you can't
// help, and write code that people will buy
}(Sorry - in an odd mood, seen this question or one like it too often recently, not enough sleep...) -
Problem deploying connector: META-INF/ejb-jar.xml not found in jar file
Has anyone seen this problem:
I built Sun's Blackbox implementation and packaged
it identical to the BlackBoxNoTx.rar included with
Weblogic's 'jconnector' sample (even using the same
ra.xml and weblogic-ra.xml). When I try to deploy
it, the server reports:
java.io.FileNotFoundException:
META-INF/ejb-jar.xml not found in jar file
I have no idea why the server thinks my connector
is an EJB. If I deploy the BlackBoxNoTx.rar included
with the sample, everything works without a hitch.
The only variable that I'm changing in my BlackBoxNoTx.rar
is that I build the Blackbox classes myself--otherwise,
the RAR packagings are identical. Any assistance is
greatly appreciated since I'm banging my head against
a wall...
Thanks,
-jason
I was finally able to resolve this one. On the odd chance that someone else encounters
the same problem, here's what went wrong:
My RAR file had two directories: 'META-INF' and 'meta-inf'. The first was created
by the jar tool and contained the manifest.mf file. The second I created manually
and it contained my ra.xml and weblogic-ra.xml. When I examined the RAR using
any tools or I extracted the contents, it looked like it only contained one directory:
META-INF (because NT is case-insensitive).
"Jason L" <[email protected]> wrote:
>
>Has anyone seen this problem:
>
>I built Sun's Blackbox implementation and packaged
>it identical to the BlackBoxNoTx.rar included with
>Weblogic's 'jconnector' sample (even using the same
>ra.xml and weblogic-ra.xml). When I try to deploy
>it, the server reports:
>
>java.io.FileNotFoundException:
>META-INF/ejb-jar.xml not found in jar file
>
>I have no idea why the server thinks my connector
>is an EJB. If I deploy the BlackBoxNoTx.rar included
>with the sample, everything works without a hitch.
>The only variable that I'm changing in my BlackBoxNoTx.rar
>is that I build the Blackbox classes myself--otherwise,
>the RAR packagings are identical. Any assistance is
>greatly appreciated since I'm banging my head against
>a wall...
>
>Thanks,
>
>-jason
-
Loading an image into an Applet from a JAR file
Hello everyone, hopefully a simple question for someone to help me with!
Im trying to load some images into an applet, currently it uses the JApplet.getImage(url) method just before registering with a media tracker, which works but for the sake of efficiency I would prefer the images all to be contained in the jar file as oppossed to being loaded individually from the server.
Say I have a class in a package eg, 'com.mydomain.myapplet.class.bin' and an images contained in the file structure 'com.mydomain.myapplet.images.img.gif' how do I load it (and waiting for it to be loaded before preceeding?
I've seen lots of info of the web for this but much of it is very old (pre 2000) and im sure things have changed a little since then.
Thanks for any help!I don't touch applets, so I can't help you there, but here's some Friday Fun: tracking image loading.
import java.awt.*;
import java.awt.image.*;
import java.beans.*;
import java.io.*;
import java.net.*;
import javax.imageio.*;
import javax.imageio.event.*;
import javax.imageio.stream.*;
import javax.swing.*;
public class ImageLoader extends SwingWorker<BufferedImage, Void> {
private URL url;
private JLabel target;
private IIOReadProgressAdapter listener = new IIOReadProgressAdapter() {
@Override public void imageProgress(ImageReader source, float percentageDone) {
setProgress((int)percentageDone);
@Override public void imageComplete(ImageReader source) {
setProgress(100);
public ImageLoader(URL url, JLabel target) {
this.url = url;
this.target = target;
@Override protected BufferedImage doInBackground() throws IOException {
ImageInputStream input = ImageIO.createImageInputStream(url.openStream());
try {
ImageReader reader = ImageIO.getImageReaders(input).next();
reader.addIIOReadProgressListener(listener);
reader.setInput(input);
return reader.read(0);
} finally {
input.close();
@Override protected void done() {
try {
target.setIcon(new ImageIcon(get()));
} catch(Exception e) {
JOptionPane.showMessageDialog(null, e, "Error", JOptionPane.ERROR_MESSAGE);
//demo
public static void main(String[] args) throws IOException {
final URL url = new URL("http://blogs.sun.com/jag/resource/JagHeadshot.jpg");
EventQueue.invokeLater(new Runnable(){
public void run() {
launch(url);
static void launch(URL url) {
JLabel imageLabel = new JLabel();
final JProgressBar progress = new JProgressBar();
progress.setBorderPainted(true);
progress.setStringPainted(true);
JScrollPane scroller = new JScrollPane(imageLabel);
scroller.setPreferredSize(new Dimension(800,600));
JPanel content = new JPanel(new BorderLayout());
content.add(scroller, BorderLayout.CENTER);
content.add(progress, BorderLayout.SOUTH);
JFrame f = new JFrame("ImageLoader");
f.setDefaultCloseOperation(JFrame.EXIT_ON_CLOSE);
f.setContentPane(content);
f.pack();
f.setLocationRelativeTo(null);
f.setVisible(true);
ImageLoader loader = new ImageLoader(url, imageLabel);
loader.addPropertyChangeListener( new PropertyChangeListener() {
public void propertyChange(PropertyChangeEvent evt) {
if ("progress".equals(evt.getPropertyName())) {
progress.setValue((Integer)evt.getNewValue());
System.out.println(evt.getNewValue());
} else if ("state".equals(evt.getPropertyName())) {
if (SwingWorker.StateValue.DONE == evt.getNewValue()) {
progress.setIndeterminate(true);
loader.execute();
abstract class IIOReadProgressAdapter implements IIOReadProgressListener {
@Override public void imageComplete(ImageReader source) {}
@Override public void imageProgress(ImageReader source, float percentageDone) {}
@Override public void imageStarted(ImageReader source, int imageIndex) {}
@Override public void readAborted(ImageReader source) {}
@Override public void sequenceComplete(ImageReader source) {}
@Override public void sequenceStarted(ImageReader source, int minIndex) {}
@Override public void thumbnailComplete(ImageReader source) {}
@Override public void thumbnailProgress(ImageReader source, float percentageDone) {}
@Override public void thumbnailStarted(ImageReader source, int imageIndex, int thumbnailIndex) {}
} -
How to access additional supporting jar files from EJB JAR?
Hi,
How can we access additional supporting jar files as part of my EJB JAR .
I don't want to keep them in the top level because other EJB JAR files also has
the same jar files(code in the classes in the jar is slightly different)
can I keep the additional jar files in my EJB JAR?
Thanks
NLBInclude the supporting jar files in the Ejb jar file.
Specifiy the jar files in the Ejb jar manifest file.
Manifest-Version: 1.0 [CRLF]
Class-Path: utility.jar [CRLF]
thanks,
Deepak
"NLB" <[email protected]> wrote:
>
Hi,
How can we access additional supporting jar files as part of my EJB JAR
I don't want to keep them in the top level because other EJB JAR files
also has
the same jar files(code in the classes in the jar is slightly different)
can I keep the additional jar files in my EJB JAR?
Thanks
NLB -
Problems with signed JAR files in JWS/JRE6 environment.
Hello All,
I'm encountering a problem running our desktop application as a Java Web Start deployment in a JRE 6 environment. There were never any problems when running the same application as a JWS deployment in JRE 1.4, or 5, environments. There are also currently no problems in a JRE 6 environment when running the application as a standard desktop application.
The problem which I am having has nothing to do with launching the application. But for good measure, I verified the JNLP file with JaNeLA. A couple things we out of order, which I addressed to make JaNeLA happy, but my problem still persists. Here is my JNLP file (anonymized to protect the innocent):
TS: 2010-10-18 17:04:46
<?xml version="1.0" encoding="UTF-8"?>
<jnlp codebase="$$codebase" href="$$name">
<information>
<title>Acme Desktop</title>
<vendor>Acme Corporation</vendor>
<homepage href="http://www.acme.com/"/>
<description>Acme Client for Acme Server</description>
<description kind="tooltip">Acme Client for Acme Server</description>
<icon href="desktop.gif"/>
<offline-allowed/>
</information>
<security>
<all-permissions/>
</security>
<resources>
<j2se version="1.5+"/>
<jar href="acmedesktop.jar" download="eager" version="8.00.01.00+"/>
<jar href="lib/antlr-2.7.2.jar" download="eager" version="8.00.01.00+"/>
<jar href="lib/backport-util-concurrent.jar" download="eager" version="8.00.01.00+"/>
<jar href="lib/commons-codec-1.3.jar" download="eager" version="8.00.01.00+"/>
<jar href="lib/commons-httpclient.jar" download="eager" version="8.00.01.00+"/>
<jar href="lib/commons-logging.jar" download="eager" version="8.00.01.00+"/>
<jar href="lib/acmeapi.jar" download="eager" version="8.00.01.00+"/>
<jar href="lib/HelpJavaDT.jar" download="eager" version="8.00.01.00+"/>
<jar href="lib/HelpJavaDT_es.jar" download="eager" version="8.00.01.00+"/>
<jar href="lib/jacorb.jar" download="eager" version="8.00.01.00+"/>
<jar href="lib/Multivalent.jar" download="eager" version="8.00.01.00+"/>
<jar href="lib/slf4j-api-1.5.6.jar" download="eager" version="8.00.01.00+"/>
<jar href="lib/slf4j-jdk14-1.5.6.jar" download="eager" version="8.00.01.00+"/>
<jar href="lib/snow.jar" download="lazy" version="8.00.01.00+"/>
<jar href="lib/AcmeTMClient.jar" download="eager" version="8.00.01.00+"/>
<jar href="lib/xercesImpl.jar" download="eager" version="8.00.01.00+"/>
<jar href="lib/xml-apis.jar" download="eager" version="8.00.01.00+"/>
<extension name="installer" href="desktopInstaller.jnlp" />
<extension name="Java Help" href="help.jnlp"/>
<property name="java.library.path" value="./lib"/>
<property name="admin" value="false"/>
<property name="webstart" value="true"/>
<!-- The following two lines are for SSO implementation only
<property name="urladdress" value="http://localhost:8080/AcmeDesktop/servlet/AcmeServlet"/>
<property name="cookiespec" value="RFC2109"/>
-->
</resources>
<resources os="Windows">
<nativelib href="lib/jniWin32.jar" version="8.00.01.00+"/>
</resources>
<application-desc main-class="desktop"/>
</jnlp>-----
When running as a JWS deployment, on JRE 6, the application will be functioning normally for a little while, and then suddenly the following exception is thrown, and the current operation fails because the class in question cannot be accessed:
java.lang.SecurityException: class "acmeapi.communication.CDocImpl"'s signer information does not match signer information of other classes in the same package
at java.lang.ClassLoader.checkCerts(ClassLoader.java:807)
at java.lang.ClassLoader.preDefineClass(ClassLoader.java:488)
at java.lang.ClassLoader.defineClassCond(ClassLoader.java:626)
at java.lang.ClassLoader.defineClass(ClassLoader.java:616)
at java.security.SecureClassLoader.defineClass(SecureClassLoader.java:141)
at java.net.URLClassLoader.defineClass(URLClassLoader.java:283)
at java.net.URLClassLoader.access$000(URLClassLoader.java:58)
at java.net.URLClassLoader$1.run(URLClassLoader.java:197)
at java.security.AccessController.doPrivileged(Native Method)
at java.net.URLClassLoader.findClass(URLClassLoader.java:190)
at com.sun.jnlp.JNLPClassLoader.findClass(JNLPClassLoader.java:288)
at java.lang.ClassLoader.loadClass(ClassLoader.java:307)
at java.lang.ClassLoader.loadClass(ClassLoader.java:248)
at acmeapi.common.CDoc.getAnnotationsInfo(CDoc.java:493)
at acmedesktop.communication.CCommunicationManager.privateGetAnnotations(CCommunicationManager.java:1976)
at acmedesktop.communication.CCommunicationManager.getAnnotations(CCommunicationManager.java:1828)
at acmedesktop.annotations.CViewAnnotations.getAnnotations(CViewAnnotations.java:826)
at acmedesktop.annotations.CViewAnnotations.createView(CViewAnnotations.java:583)
at acmedesktop.annotations.CViewAnnotations.setData(CViewAnnotations.java:736)
at acmedesktop.annotations.CViewAnnotations.init(CViewAnnotations.java:205)
at acmedesktop.hitspanel.CHitsPanel.viewAnnotations(CHitsPanel.java:281)
at acmedesktop.hitspanel.CHitsTab$3.mousePressed(CHitsTab.java:316)
at java.awt.AWTEventMulticaster.mousePressed(AWTEventMulticaster.java:263)
at java.awt.Component.processMouseEvent(Component.java:6260)
at javax.swing.JComponent.processMouseEvent(JComponent.java:3267)
at java.awt.Component.processEvent(Component.java:6028)
at java.awt.Container.processEvent(Container.java:2041)
at java.awt.Component.dispatchEventImpl(Component.java:4630)
at java.awt.Container.dispatchEventImpl(Container.java:2099)
at java.awt.Component.dispatchEvent(Component.java:4460)
at java.awt.LightweightDispatcher.retargetMouseEvent(Container.java:4574)
at java.awt.LightweightDispatcher.processMouseEvent(Container.java:4235)
at java.awt.LightweightDispatcher.dispatchEvent(Container.java:4168)
at java.awt.Container.dispatchEventImpl(Container.java:2085)
at java.awt.Window.dispatchEventImpl(Window.java:2478)
at java.awt.Component.dispatchEvent(Component.java:4460)
at java.awt.EventQueue.dispatchEvent(EventQueue.java:599)
at java.awt.EventDispatchThread.pumpOneEventForFilters(EventDispatchThread.java:269)
at java.awt.EventDispatchThread.pumpEventsForFilter(EventDispatchThread.java:184)
at java.awt.EventDispatchThread.pumpEventsForHierarchy(EventDispatchThread.java:174)
at java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:169)
at java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:161)
at java.awt.EventDispatchThread.run(EventDispatchThread.java:122)-----
The classes of our desktop product are contained within the 'acmedesktop' and 'acmeapi' packages. It requires access to the hard drive of the workstation, and therefore, all jar files included with the application are signed using the following ANT task when compiled:
<signjar keystore="resources/codesigning/keystore.pfx" storetype="pkcs12" storepass="myPassword" alias="myAlias">
<fileset dir="${jws_dist}/app" includes="*.jar"/>
<fileset dir="${jws_dist}/app/lib" includes="*.jar" excludes="jhall__V${dt_version}.jar"/>
</signjar>-----
Therefore, all classes, within all jar files, are signed with the same certificate (with the exception of the JavaHelp libraries, which are already signed by Sun - but the class in question attempting to be loaded here is not contained within the JavaHelp jar file anyway). So, the point being, that the exception message stating that the "signer information of the acmeapi.communication.CDocImpl class doesn't match the signer information of other classes in the same package", is simply not correct. All classes within that jar file were signed using the same certificate.
I downloaded the JRE 6 source from dev.java.net and picked through this issue with a debugger. The ClassLoader.checkCerts() method compares the certificate used to sign the current class which is attempting to be loaded, with the certificates which signed all other previously loaded classes within the same package. If they don't match, the exception above is thrown. What is causing the issue is when the checkCerts() method attempts to get the certificates which signed the currently loading class, null is returned. And obviously, comparing null, with an array of the certificates which signed the previously loaded classes, isn't going to match; therefore this exception is thrown.
The checkCerts() method gets the certificates of the currently loading class by calling the java.security.CodeSource.getCertificates() method. Tracing deeper in the debugger, the CodeSource object ultimately gets the certificates from the 'signersRef' member variable of the com.sun.deploy.cache.CachedJarFile class. signerRef is a SoftReference object and can therefore be garbage collected at some point. If it has already been garbage collected, the CachedJarFile class will attempt to retrieve it again from the loaded cache entry by calling com.sun.deploy.cache.MemoryCache.getLoadedResource().
The MemoryCache class maintains the cache entries to the jar files as MemoryCache.CachedResourceReference objects, which subclass WeakReference, and therefore these objects can be garbage collected as well. If the cache entries have also been garbage collected, this leaves the CachedJarFile class with no ability to repopulate the CachedJarFile.signerRef object. Therefore it is completely out of luck getting the certificates which signed the currently loading class, which ultimately causes the above exception.
When the com.sun.deploy.cache.Cache class attempts to retrieve a cache entry using its getCacheEntry() method, it will attempt to get the entry from the MemoryCache class, if null is returned, it will recreate the cache entry and add it back to the MemoryCache. In contrast, when the CachedJarFile class attempts to get a cache entry from the MemoryCache class, if null is returned, it just gives up.
(from com.sun.deploy.cache.CachedJarFile:244)
private CacheEntry getCacheEntry() {
/* if it was not created by Cache do not search for entry */
if (resourceURL == null)
return null;
CacheEntry ce = (CacheEntry) MemoryCache.getLoadedResource(resourceURL);
if (ce == null) {
//This should not happen because CacheEntry should not get collected
// before CachedJarFile is collected.
Trace.println("Missing CacheEntry for " + resourceURL + "\n" + ce,
TraceLevel.CACHE);
return ce;
When debugging, code execution falls within the code block with the comment stating "This should not happen...", but it is happening in my case.
On an interesting side note, using the jvisualvm.exe tool included with JDK 6, I was able to tell that it seems as though these objects are collected the first time that the JVM allocates more heap space, and then the issue will occur. If I set the initial heap size very large (using -Xms) this issue won't occur at all. But that is kind of a bad solution which I would rather not do, but it is interesting to note for the sake of troubleshooting this issue. The max heap size (-Xmx) is plenty big enough, so the issue is not that we are running out of memory here.
Does anyone have any insight as to what could be causing this? I've searched, and found a couple threads with similar problems but with no clear solutions. It is not just one workstation either, it happens everywhere I deploy the app as a Java Web Start application in a JRE 6 environment. I have been using version 1.6.0_18 on XP, but it seems to happen on any update version of 1.6. Is the fact that the CachedJarFile class doesn't attempt to reload the resource when it can't retrieve it from MemoryCache a bug? I've dug as deep as I can on this and I'm at wits end, does anybody have any ideas?
Thank you
Jake
Edited by: jkc532 on Nov 12, 2010 10:35 AMjkc532 wrote:
.. Is the fact that the CachedJarFile class doesn't attempt to reload the resource when it can't retrieve it from MemoryCache a bug? From your comprehensive investigation and report, it seems so to me.
..I've dug as deep as I can on this and I'm at wits end, does anybody have any ideas?Just after read the summary I was tired, so I have some understanding of the effort you have already invested in this (the 'wits' you have already spent). I think you should raise a bug report and seek Oracle's response. -
URLClassLoader + dynamically loading signed jar files
I have an applet that does not know all of the jar files it will need to load at startup.
I would like to dynamically load these signed jar files using the URLClassLoader, however it does not recognize these jar files as being signed and I get java.security.AccessControlException: access denied errors.
Any suggestions?
Thanks!Try this classloader for loading the jars, it should to the trick:
import java.net.URL;
import java.net.URLClassLoader;
import java.net.URLStreamHandlerFactory;
import java.security.AllPermission;
import java.security.CodeSource;
import java.security.PermissionCollection;
import java.security.Permissions;
public class AllPermissionsClassLoader extends URLClassLoader {
public AllPermissionsClassLoader (URL[] urls) {
super(urls);
public AllPermissionsClassLoader (URL[] urls, ClassLoader parent) {
super(urls, parent);
System.out.println(parent);
public AllPermissionsClassLoader (URL[] urls, ClassLoader parent, URLStreamHandlerFactory factory) {
super(urls, parent, factory);
protected PermissionCollection getPermissions (CodeSource codesource) {
Permissions permissions = new Permissions();
permissions.add(new AllPermission());
return permissions;
}
Maybe you are looking for
-
I dropped my iPhone 4S in my friends pool. It was fully submerged for about 30 seconds. We took it out, dried it and put it in rice. After 24 hours I checked the phone. It turns on and runs smoothly. It connects to the computer and syncs perfectly. B
-
EPM installation - hundreds of connections to ORACLE product schemas
We installed EPM 11.1.1.1 in a 3 machines configuration (1 main ESSBASE and FOUNDATION, 1 for Reporting -FINANCIAL + INTERACTIVE,1 for Web - Workspace and WEB ANALYSIS) Each EPM product has its own schema on a 9.2.0.8 database, which is a production
-
Is duplicate from active database supported in Standard Edition?
Hi, I'm trying to clone a database whithout a staging area. After having the clone instance and the sql*net configuration set up, I'm running this command in the rman-commandline: Recovery Manager: Release 11.1.0.7.0 - Production on Tue Nov 2 15:52:3
-
Problems printing photographs via Aperture, using Canon MP640
When printing photographs via Aperture, using my CanonMP640, I am instructed to turn off my color management, but I don't know how to do this & Canon can't help me. The color quality is very poor (whites have a blue tinge and reds come out orange) Ca
-
I have just got my mac and Love it !!! I would like to go Digital as far as paperwork is concerned, I have Client Information sheets of clients I see all day, and the paperwork keeps piling up.... here is the layout i need: http://public.me.com/delul