SecurityManager can trust a signed jar?

Similar Messages

• How can i add update signed jar file

  I am developing an applet which requires signing to run in a browser.
  I am developing supporting classes. But these class files have to be added
  to the jar. Isnt it??
  But to test the applet i need to load it in the browser each time i modify the class files. So the jar file need to be updated every time. But an
  IOError
  is being displayed when i try to update the signed jar file.
  How can i update signed jar file?? Or is there any othe way to test the signed applet during development??

  How can i update signed jar file?You can't, the signature is there to make sure the content of the jare hasn't been messed
  with.
  Either recreate the jar and re sign it or set up a policy during testing.

• JNLP: Signed jars but still not trusted

  I have an applet that has signed jars that were signed by the same key, the applet shows the correct warnings on startup and works fine (allows access to the local file system, etc), however there still exists the 'yellow triangle warning' on one of two popups frames that the applet produces (but not the other one).
  The applet does use native code (packaged in a signed jar and referenced in the JNLP). The jars are all signed by the same certificate from a CA. I originally didn't have the JNLP signed (by placing it in the main jar in JNLP-INF/APPLICATION.JNLP) but this didn't help. Also I didn't have the JNLP codebase set to a real URL (and really cant in production because its a solution we deploy to customers servers - its packaged software not hosted) but even after I tested with a codebase to a test server, it still didnt remove the famed yellow triangle. I have all-permissions set in the JNLP.
  So two related questions:
  1) Other than having not having signed jars (or not signed correctly), what other reasons cause the 'yellow triangle'?
  2) The warning only appears on one of the popup Frames. What could be the possible reasons for that? Are there some privileges that show the icon whether the applet is signed or not?
  Note: While changing the client policy setting (showWindowWithoutWarningBanner) works, this cant be a solution.
  From the Java Console:
  ...It goes through all the jars (I only included one for brevity - there are 23 of them). Note it says 'have 1 common certificates'.. which I think indicates everything is signed by the same cert.
  Is there any indication in the console logs I can use to determine why it is not trusted? It looks (to me) that everything is OK, until it says 'istrusted=false'.
  security: Validating cached jar url=http://10.192.252.26/QMDesktop/native.jar ffile=C:\Documents and Settings\bunkowm\Application Data\Sun\Java\Deployment\cache\6.0\34\1df0b62-2c3ce377 com.sun.deploy.cache.CachedJarFile@d964af
  cache: Reading Signers from 995 http://10.192.252.26/QMDesktop/native.jar | C:\Documents and Settings\bunkowm\Application Data\Sun\Java\Deployment\cache\6.0\34\1df0b62-2c3ce377.idx
  security: Have 1 common certificates after processing http://10.192.252.26/QMDesktop/native.jar
  security: Istrusted: null false
  security: Loading certificates from Deployment session certificate store
  security: Loaded certificates from Deployment session certificate store
  security: Validate the certificate chain using CertPath API
  security: Obtain certificate collection in Root CA certificate store
  security: Obtain certificate collection in Root CA certificate store
  security: Start to check whether root CA is replaced
  security: The root CA hasnt been replaced
  security: No timestamping info available
  security: Found jurisdiction list file
  security: No need to checking trusted extension for this certificate
  security: The CRL support is disabled
  security: The OCSP support is disabled
  security: This OCSP End Entity validation is disabled
  security: Checking if certificate is in Deployment denied certificate store
  security: Checking if certificate is in Deployment permanent certificate store
  security: Checking if certificate is in Deployment session certificate store
  security: Mark trusted: null

  Andrew - of course you were correct about the signed cert - I misspoke when the CA signed applet didn't show a warning. (You were also right that I must have checked 'always accept' the certificate on the server I had the CA signed cert on).
  I think you guys are on to something about the privileged actions. It would explain where one popup has the icon and the other doesn't. We have Javascript making calls into the applet and we do use JNI (although I don't think there are any calls back). We do wrap these calls in privileged actions but maybe we missed something. What I've seen before is a security exception is thrown if we don't wrap them - but maybe there are areas where we don't and it doesn't throw an exception or it does and we eat it somehow (and for whatever reason doesn't cause anything noticeable).
  Now that I know it could likely be the applet code and not necessarily a build issue with signing the jars, I have another place to look...
  I'll check it out and let you know what I find.

• Navigating between applets from the same signed jar (trusted CA) gives err

  See [http://www.chrisnewland.com/java-7-update-21-signedunsigned-error-switching-between-applets-in-the-same-signed-jar-trusted-ca-339] for my investigations so far.
  Clicking a link to navigate between applets contained in the same signed jar (signed by a trusted CA) pops up an error dialog complaining about a signed/unsigned code mix.
  Loading each applet in a fresh browser works fine.
  If you click from applet 1 to applet 2 via a non-applet page then both applets run without problem.
  [EDIT: This is behaviour is new to 7u21]
  Edited by: Chris Newland on Apr 17, 2013 3:19 AM

  I tried that (Adding Trusted-Library true) to the jars and even the 3rd party jars.  I still get the pop up and this error:
  Exception in thread "thread applet-com/travelers/prefillapplet/PrefillApp.class-1" java.lang.NoClassDefFoundError: org/apache/log4j/Logger
  Caused by: java.lang.ClassNotFoundException: org.apache.log4j.Logger
  at sun.plugin2.applet.Applet2ClassLoader.findClass(Unknown Source)
  at sun.plugin2.applet.Plugin2ClassLoader.loadClass0(Unknown Source)
  at sun.plugin2.applet.Plugin2ClassLoader.loadClass(Unknown Source)
  at sun.plugin2.applet.Plugin2ClassLoader.loadClass(Unknown Source)
  at java.lang.ClassLoader.loadClass(Unknown Source)

• Can I progamatically sign a jar file?  i.e. w/o jarsigner tool

  Hi,
  I am new to development and am using Ant to build my packages.
  I need to sign the jar files that I produce, and now the only way I know how is with jarsigner.
  I'd like to find a way to do the signing within Ant, but can't find one.
  Is that possible?
  George

  I'm having trouble with the opposite: I'm trying to verify a signed jar programmatically.
  I've already read this article, and thought that I could do similar things in order to verify.
  However, this code uses classes from sun.security.util, and I couldn't find any documentation of this package.
  Any suggestion will be greatly appreciated!

• Three questions about signed jar file and applet

  I use three signed jar file. Each of them signed by different certificate. First of JARs contain applet class. When I start applet from html page I see message “This applet was signed by…… but Java cannot verify it… Do you trust…?”. All times I press “Yes I trust” and after this questions applet stop to work end exit. If I use only one certificate for signing of three JARs then applet continue to work after question. 1) What should I do to fix this bug? 2) Is it any method to check from applet that user press Trust button? Is it any method to emulate work of SecurityManager to check that Certificate object is trusted (I want do call some method check(Certificate) and if certificate is not trusted I want to see message with question: “Do you want to trust this certificate” and so on)?

  Hello Jarman,
  1. If I have a signed jar file, then as long as the
  certificate is recognised as trusted that applet can
  run as a fully trusted application on the client
  machine. So I should not have to add lines such as
  permission java.lang.RuntimePermission
  "readFileDescriptor", "read" ;
  permission java.lang.RuntimePermission
  "writeFileDescriptor", "write" ;
  to my java.policy file. true/false ?true
  2. If I am running a signed jar file in the Java
  plugin then I do not need to have a verisign or thawte
  certificate (however to allow my certificate to be
  accepted I do have to import it into the cacerts file
  on the client machine). True/false?true
  3. Following on from question 2, if I want to be able
  to run an applet on a client machine, without messing
  around with ANY files on those machines, I need a
  verisign or thawte certificate. True/false?true
  4. (And finally) Apart from a security exception
  saying that I need to add one of the lines like those
  of question 1, is there any way I can get other debug
  information as to why the signed jar file is not being
  recognised as signed?No. This could be a problem of importing your certifcate into the wrong place.
  The information on the following link is a little bit dated but it helped me to successfully install a testcertificate and sign an applet with it.
  http://www.suitable.com/Doc_CodeSigning.shtml

• Add intermediate certificate to signed jar

  Is it possible to add an intermediate certificate to a signed jar file?
  The users of my applet are asked to trust the certificate showing the hint that the source is not trusted. The root certificate of my code signing certificate is included in the trusted sources.
  Thanks,
  Reinhard

  I have already a full trusted chain consisting of the root, an intermediate certificate and my code signing certificate. The root is included in Java�s trusted roots. But if I sign my jar with my code signing certificate, Java can not build the trust chain, as it does not have the intermediate certificate. If it would be possible to include the intermediate certificate certificate it would work, but appearantly this is not possible with jarsigner.

• Updating to signed JARs causes problems for older Java versions?

  Bear with me on this one -- not a Java developer, but an end user of Java products looking for a little clarification.
  We use a product which delivers a Java application via JAR file / web to end users (GlobalScape's EFT server).  With the recent release of Java 7 Update 51, users have been running into issues running these JAR files as they are not properly "signed".  We're working with the vendor to get updated signed JAR files in place, but they've warned us that these new JAR files will cause errors (or maybe not work at all) on folks who aren't running Java 7 Update 51.
  Trying to wrap my head around why that might be.  Best theory I can come up with from perusing threads here along with the Java team blogs is that the new security attributes used in the updated JAR files aren't "trusted" by older versions of Java (prior to Update 51?).
  We're pushing our vendor for clarification, but curious if someone here could help explain.
  Thanks!

  I suspect the problem with 'new JAR files will cause errors' is mainly because the vendor keeps enhancing their product, and may not any more support older JREs, or the new jars are no more compatible For example, we build our product on JDK 1.5 ... as some users out there must use that one because the 'newer and better' release does not work for them.
  But so far, we have not seen any problems running the 'JRE 7 Compliant' applications on older releases ... provided you can make your application run on latest JRE 7.
  In most cases, one can simply remove the previous signature, add (now required) attributes, and sign the same jar again.
  But I have yet to find a vendor that would simply add attributes to some older release and re-sign those. Perhaps they can't repeat the build / QA cycle, and would not 'trust' the re-signed jars.
  Our curse are signed Cryptographic Provider jars.
  Those must be signed by certificates rooted by Sun/Oracle, and adding attributes invalidates that signature - we can re-sign them, but then they won't work. In our case, we are stuck with 5+ year old Bouncy Castle jars, and it does not help us that their 'current' jars are signed with attributes - they are completely incompatible..
  IMHO, Oracle failed to think this all thru - or does not care.

• Need a signed JAR that lasts longer than a year

  We need to sign JARs but we can't use the standard Thawte or Verisign root CA. Both of them expire in a year. Since my company does not own the servers on which our application is installed, we can't revisit our customer's servers just because the signed JAR files have expired.
  When I look at the list of Root CAs that Web Start recognizes, I see some personal CAs and and server CAs.
  thawtepersonalfreemailca (Thawte Personal Freemail CA)
  thawtepersonalbasicca (Thawte Personal Basic)
  thawtepersonalpremiumca (Thawte Personal Premium CA)
  thawteserverca (Thawte Server CA)
  cybertrust (GTE CyberTrust Root)
  verisignserverca (Secure Server CA)
  thawtepremiumserverca (Thawte Premium Server CA)
  Has anyone had any success signing JAR files with these? I'm puzzled. I thought that a server certificate could only be used to run a secure (SSL) server. Can you sign JAR files with it?
  Likewise, can I use a 'personal' CA to sign a JAR? Are there any drawbacks in doing so?

  We need to sign JARs but we can't use the standard
  Thawte or Verisign root CA. Both of them expire in a
  year. Since my company does not own the servers on
  which our application is installed, we can't revisit
  our customer's servers just because the signed JAR
  files have expired.You have a misunderstanding here. The expiry date is related to the certificate only, not the jar file signed with it. I.e. you can only sign things with your certificate before the expiry date. After the expiry date, you will not be able to use that certificate anymore for signing. But everything you have signed, while the certificate was valid, will remain valid. Eventhough the certificate will expire, whatever is signed with it remains valid for eternity.
  When I look at the list of Root CAs that Web Start
  recognizes, I see some personal CAs and and server
  CAs.
  thawtepersonalfreemailca (Thawte Personal Freemail
  CA)
  thawtepersonalbasicca (Thawte Personal Basic)
  thawtepersonalpremiumca (Thawte Personal Premium CA)
  thawteserverca (Thawte Server CA)
  cybertrust (GTE CyberTrust Root)
  verisignserverca (Secure Server CA)
  thawtepremiumserverca (Thawte Premium Server CA)
  Has anyone had any success signing JAR files with
  these? I'm puzzled. I thought that a server
  certificate could only be used to run a secure (SSL)
  server. Can you sign JAR files with it?Yes, I have had success with the Thawte Personal Freemail Certificate. As the name suggests, it is free. What is not obvious from the name is that it can also be used to sign jar files. To obtain the certificate is free, however you will want to become a trusted member, which you can only become by being notarized. This will most likely cost you a bit (cost me ca. US$12). Then your certificate will be fully trusted. Here is a writeup on how to use your free Thawte certificate for jar signing: http://www.dallaway.com/acad/webstart/.
  Likewise, can I use a 'personal' CA to sign a JAR? Are
  there any drawbacks in doing so?See above.
  Good luck.
  - Daniel

• Error with Java WebStart Signed Jars on 1.6.0_19's new Mixed  Code

  All,
  First, we have a valid code signing certificate/keystore from Thawte that works for signing webstart jars as of update 18. For some reason, if you run our webstart application on update 19 JRE, the runtime believes that some of the jars are not signed and some are. Even though we create and sign the jars in the exact same way and after inspecting the jar the JRE believes are not signed they have the necessary signing entries/files in the manifest folder. Not sure why the signing process would work for some of our jars and not for others. There is nothing really all that different.
  So, because the JRE believes some of the jars are not signed the new security warning "...contains both signed and unsigned code." pops up ( [Error Description|http://java.com/en/download/help/error_mixedcode.xml] ). If I press yes, then I get the following exception.
  java.lang.SecurityException: trusted loader attempted to load sandboxed resource from https://path-to-our.jar
       at com.sun.deploy.security.CPCallbackHandler$ParentCallback.check(Unknown Source)
       at com.sun.deploy.security.CPCallbackHandler$ParentCallback.access$1400(Unknown Source)
       at com.sun.deploy.security.CPCallbackHandler$ChildElement.checkResource(Unknown Source)
       at com.sun.deploy.security.DeployURLClassPath$JarLoader.checkResource(Unknown Source)
       at com.sun.deploy.security.DeployURLClassPath$JarLoader.getResource(Unknown Source)
       at com.sun.deploy.security.DeployURLClassPath.getResource(Unknown Source)
       at java.net.URLClassLoader$1.run(Unknown Source)
       at java.security.AccessController.doPrivileged(Native Method)
       at java.net.URLClassLoader.findClass(Unknown Source)
       at com.sun.jnlp.JNLPClassLoader.findClass(Unknown Source)
       at java.lang.ClassLoader.loadClass(Unknown Source)
       at java.lang.ClassLoader.loadClass(Unknown Source)
       at main.JwsMain.main(JwsMain.java:32)
       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
       at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
       at java.lang.reflect.Method.invoke(Unknown Source)
       at com.sun.javaws.Launcher.executeApplication(Unknown Source)
       at com.sun.javaws.Launcher.executeMainClass(Unknown Source)
       at com.sun.javaws.Launcher.doLaunchApp(Unknown Source)
       at com.sun.javaws.Launcher.run(Unknown Source)
       at java.lang.Thread.run(Unknown Source)If I press "no" I get the following exception (I get this exception if I try to run our WebStart application with no signed jars as well, no warnings about missing certs, just straight to error)
  java.lang.NullPointerException
       at com.sun.deploy.cache.CachedJarFile.findMatchingSignerIndices(Unknown Source)
       at com.sun.deploy.cache.CachedJarFile.entryNames(Unknown Source)
       at com.sun.deploy.cache.DeployCacheJarAccessImpl.entryNames(Unknown Source)
       at com.sun.deploy.security.CPCallbackHandler.assertTrust(Unknown Source)
       at com.sun.deploy.security.CPCallbackHandler.access$700(Unknown Source)
       at com.sun.deploy.security.CPCallbackHandler$ParentCallback.check(Unknown Source)
       at com.sun.deploy.security.CPCallbackHandler$ParentCallback.access$1400(Unknown Source)
       at com.sun.deploy.security.CPCallbackHandler$ChildElement.checkResource(Unknown Source)
       at com.sun.deploy.security.DeployURLClassPath$JarLoader.checkResource(Unknown Source)
       at com.sun.deploy.security.DeployURLClassPath$JarLoader.getResource(Unknown Source)
       at com.sun.deploy.security.DeployURLClassPath.getResource(Unknown Source)
       at java.net.URLClassLoader$1.run(Unknown Source)
       at java.security.AccessController.doPrivileged(Native Method)
       at java.net.URLClassLoader.findClass(Unknown Source)
       at com.sun.jnlp.JNLPClassLoader.findClass(Unknown Source)
       at java.lang.ClassLoader.loadClass(Unknown Source)
       at java.lang.ClassLoader.loadClass(Unknown Source)
       at main.JwsMain.main(JwsMain.java:32)
       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
       at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
       at java.lang.reflect.Method.invoke(Unknown Source)
       at com.sun.javaws.Launcher.executeApplication(Unknown Source)
       at com.sun.javaws.Launcher.executeMainClass(Unknown Source)
       at com.sun.javaws.Launcher.doLaunchApp(Unknown Source)
       at com.sun.javaws.Launcher.run(Unknown Source)
       at java.lang.Thread.run(Unknown Source)Does anyone know why this would be happening? It only occurs with the new update. We use the same keystore and process for signing all of our jars so it really doesn't make since why some of them work and some of them don't. Also, our JNLP is correct or it wouldn't work in update 18.
  Edit: We've tried it on Windows XP SP3 and compiled the code using update 18 and used jarsigner both from 18 and 19 with same results.
  Edited by: chenthor on Apr 1, 2010 8:44 AM
  Edited by: chenthor on Apr 1, 2010 8:51 AM

  Hi All,
  So we've been battling this bug for a year or so now, and I've come up with a solution to the webstart bugs
  http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6967414
  http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6805618
  (see the bugs for more details)
  From what we can tell the bug stems from the way that the jar signers information is "cached" by webstart.
  When a jar is loaded by webstart, it is represented by a CachedJarFile instance. When loading and using classes the signature for the jar is verified. The signers used is the one that is stored in the CachedJarFile instances. These "signers" are stored as SoftReferences. SoftReferences are like WeakReferences, except that they only become eligible for garbage collection when there is a small amount of available heaps space remaining and that the object is only softly reachable. (That's a pretty crude description, but it will do for now)
  So what we found was happening is that when the JVM reached a certain heap size threshold and needed to allocate more heap, that these soft references (and hence the signers information) werebeing garbage collected. if you attempt to load a class after this you get the security error.
  So I came up with a hack to work around this. At application startup, iterate through all of the CachedJarFile objects on the classpath and create a hard reference to each of the signers info by putting them in a static list somewhere. From our tests this seems to work. (though with the intermittent nature of the problem, it has been hard to prove conclusively, though we've had some success repro-ing the issue, by reducing the intial heap size and using VisualVM to watch for heap expansions and forcing gc's)
  Below is the code for the hack, to run it just call JarSignersHardLinker.go() and it will do some sanity checks (running on webstart on java 1.6 update 19 or higher) before spawning a new thread to create hard refs for all signers info for all jars on the classpath.
  import java.io.IOException;
  import java.lang.ref.SoftReference;
  import java.lang.reflect.Field;
  import java.lang.reflect.InvocationTargetException;
  import java.lang.reflect.Method;
  import java.net.JarURLConnection;
  import java.net.URL;
  import java.net.URLConnection;
  import java.util.ArrayList;
  import java.util.Enumeration;
  import java.util.LinkedHashSet;
  import java.util.List;
  import java.util.Set;
  import java.util.jar.JarFile;
  * A utility class for working around the java webstart jar signing/security bug
  * see http://bugs.sun.com/view_bug.do?bug_id=6967414 and http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6805618
  * @author Scott Chan
  public class JarSignersHardLinker {
      private static final String JRE_1_6_0 = "1.6.0_";
       * the 1.6.0 update where this problem first occurred
      private static final int PROBLEM_JRE_UPDATE = 19;
      public static final List sm_hardRefs = new ArrayList();
      protected static void makeHardSignersRef(JarFile jar) throws java.io.IOException {
          System.out.println("Making hard refs for: " + jar );
          if(jar != null && jar.getClass().getName().equals("com.sun.deploy.cache.CachedJarFile")) {
               //lets attempt to get at the each of the soft links.
               //first neet to call the relevant no-arg method to ensure that the soft ref is populated
               //then we access the private member, resolve the softlink and throw it in a static list.
              callNoArgMethod("getSigners", jar);
              makeHardLink("signersRef", jar);
              callNoArgMethod("getSignerMap", jar);
              makeHardLink("signerMapRef", jar);
  //            callNoArgMethod("getCodeSources", jar);
  //            makeHardLink("codeSourcesRef", jar);
              callNoArgMethod("getCodeSourceCache", jar);
              makeHardLink("codeSourceCacheRef", jar);
       * if the specified field for the given instance is a Softreference
       * That soft reference is resolved and the returned ref is stored in a static list,
       * making it a hard link that should never be garbage collected
       * @param fieldName
       * @param instance
      private static void makeHardLink(String fieldName, Object instance) {
          System.out.println("attempting hard ref to " + instance.getClass().getName() + "." + fieldName);
          try {
              Field signersRef = instance.getClass().getDeclaredField(fieldName);
              signersRef.setAccessible(true);
              Object o = signersRef.get(instance);
              if(o instanceof SoftReference) {
                  SoftReference r = (SoftReference) o;
                  Object o2 = r.get();
                  sm_hardRefs.add(o2);
              } else {
                  System.out.println("noooo!");
          } catch (NoSuchFieldException e) {
              e.printStackTrace();
              return;
          } catch (IllegalAccessException e) {
              e.printStackTrace();
       * Call the given no-arg method on the given instance
       * @param methodName
       * @param instance
      private static void callNoArgMethod(String methodName, Object instance) {
          System.out.println("calling noarg method hard ref to " + instance.getClass().getName() + "." + methodName + "()");
          try {
              Method m = instance.getClass().getDeclaredMethod(methodName);
              m.setAccessible(true);
              m.invoke(instance);
          } catch (SecurityException e1) {
              e1.printStackTrace();
          } catch (NoSuchMethodException e1) {
              e1.printStackTrace();
          } catch (IllegalArgumentException e) {
              e.printStackTrace();
          } catch (IllegalAccessException e) {
              e.printStackTrace();
          } catch (InvocationTargetException e) {
              e.printStackTrace();
       * is the preloader enabled. ie: will the preloader run in the current environment
       * @return
      public static boolean isHardLinkerEnabled() {
           boolean isHardLinkerDisabled = false;  //change this to use whatever mechanism you use to enable or disable the preloader
          return !isHardLinkerDisabled && isRunningOnJre1_6_0_19OrHigher() && isRunningOnWebstart();
       * is the application currently running on webstart
       * detect the presence of a JNLPclassloader
       * @return
      public static boolean isRunningOnWebstart() {
          ClassLoader cl = Thread.currentThread().getContextClassLoader();
          while(cl != null) {
              if(cl.getClass().getName().equals("com.sun.jnlp.JNLPClassLoader")) {
                  return true;
              cl = cl.getParent();
          return false;
       * Is the JRE 1.6.0_19 or higher?
       * @return
      public static boolean isRunningOnJre1_6_0_19OrHigher() {
          String javaVersion = System.getProperty("java.version");
          if(javaVersion.startsWith(JRE_1_6_0)) {
              //then lets figure out what update we are on
              String updateStr = javaVersion.substring(JRE_1_6_0.length());
              try {
                  return Integer.parseInt(updateStr) >= PROBLEM_JRE_UPDATE;
              } catch (NumberFormatException e) {
                  //then unable to determine updatedate level
                  return false;
          //all other cases
          return false;
        * get all the JarFile objects for all of the jars in the classpath
        * @return
       public static Set<JarFile> getAllJarsFilesInClassPath() {
            Set<JarFile> jars = new LinkedHashSet<JarFile> ();
           for (URL url : getAllJarUrls()) {
               try {
                   jars.add(getJarFile(url));
               } catch(IOException e) {
                    System.out.println("unable to retrieve jar at URL: " + url);
           return jars;
       * Returns set of URLS for the jars in the classpath.
       * URLS will have the protocol of jar eg: jar:http://HOST/PATH/JARNAME.jar!/META-INF/MANIFEST.MF
      static Set<URL> getAllJarUrls() {
          try {
              Set<URL> urls = new LinkedHashSet<URL>();
              Enumeration<URL> mfUrls = Thread.currentThread().getContextClassLoader().getResources("META-INF/MANIFEST.MF");
              while(mfUrls.hasMoreElements()) {
                  URL jarUrl = mfUrls.nextElement();
  //                System.out.println(jarUrl);
                  if(!jarUrl.getProtocol().equals("jar")) continue;
                  urls.add(jarUrl);
              return urls;
          } catch(IOException e) {
              throw new RuntimeException(e);
       * get the jarFile object for the given url
       * @param jarUrl
       * @return
       * @throws IOException
      public static JarFile getJarFile(URL jarUrl) throws IOException {
          URLConnection urlConnnection = jarUrl.openConnection();
          if(urlConnnection instanceof JarURLConnection) {
              // Using a JarURLConnection will load the JAR from the cache when using Webstart 1.6
              // In Webstart 1.5, the URL will point to the cached JAR on the local filesystem
              JarURLConnection jcon = (JarURLConnection) urlConnnection;
              return jcon.getJarFile();
          } else {
              throw new AssertionError("Expected JarURLConnection");
       * Spawn a new thread to run through each jar in the classpath and create a hardlink
       * to the jars softly referenced signers infomation.
      public static void go() {
          if(!isHardLinkerEnabled()) {
              return;
          System.out.println("Starting Resource Preloader Hardlinker");
          Thread t = new Thread(new Runnable() {
              public void run() {
                  try {
                      Set<JarFile> jars = getAllJarsFilesInClassPath();
                      for (JarFile jar : jars) {
                          makeHardSignersRef(jar);
                  } catch (Exception e) {
                      System.out.println("Problem preloading resources");
                      e.printStackTrace();
                  } catch (Error e) {
                       System.out.println("Error preloading resources");
                       e.printStackTrace();
          t.start();
  }

• Signed Jars

  I have a web based project that includes numerous iamges. As a result of the images I must sign the jar files. However, to date I have been unsuccessful. I have reviewed the threads and deployment information and would appreciate a straightforward way to accomplish this with Net Beans (the signing function there has not worked for me as well). I would appreciate any assistance.

  If you can place the images inside your jar file and load them from there or place them on a server that hosts crossdomain.xml (*exactly* this file http://static.flickr.com/crossdomain.xml) in the root directory of it's domain, then you do not need to sign your jar file. If you cannot do either of these things and the images must be hosted on a different server than the one hosting your jars, then read on.
  Do not try to use the javafxpackager command line tool to sign jars as that does not currently work => this issue can be tracked here: http://javafx-jira.kenai.com/browse/RT-18246
  Signing documentation is here =>
  http://docs.oracle.com/javafx/2.0/deployment/packaging.htm#BABJGFBH
  http://docs.oracle.com/javafx/2.0/deployment/javafx_ant_task_reference001.htm#CIAFJGAB
  But you have already read all that.
  Signing requires the following steps.
  1. Generate a Certificate Signing Request (CSR).
  2. Submit the CSR to a Certificate Authority (CA).
  3. The CA will generate a code signing certificate for you.
  4. Package your application as a bunch of jar files.
  5. Sign the jar files using your code signing certificate.
  If you are just using a self signed certificate and you are already using NetBeans, then NetBeans can do all of this for you.
  Here are the steps I used to sign a JavaFX project consisting of multiple Jar files using NetBeans nightly build 201112120600
  1. Right click Project and choose Properties.
  2. Project Properties | Libraries | Compile |Add Library... and add your dependent jars.
  3. Project Properties | Packaging
  Check Compress JAR File
  Check Build JAR after Compiling
  Check Copy Dependent Libraries
  Do not check Binary Encode JavaFX CSS Files as that might be buggy.
  4. Project Properties | Deployment
  Check Request unrestricted access
  Signing Certificate: Edit...
  a) choose Self-signed by a generated key OR
  b) use your own keystore if you have a certificate from a trusted public CA.
  Download Mode for Libraries: Use the mix of eager and lazy appropriate for your app. Signing wise, it doesn't matter as all of the jars need to be signed anyway.
  5. Project Properties | Run
  Configuration | New... | Configuration Name => enter browser
  Application Class | Browse... choose your Application's main class.
  Check Use Preloader if you have one (the preloader jar will be signed). If you are having difficulties with basic signing, get that to work first before enabling the Preloader.
  Select Run | in Browser
  Set a Width and Height for the page.
  Leave Web Page empty until you get an empty web page with your app in it to work.
  Choose the Web Browser you want to launch the app in.
  Press OK.
  6. Select the browser config from the drop down combo and hit the run arrow.
  Netbeans will compile your app, package it, generate a self signed certificate, sign all of your application's jars and launch the application in a browser.
  A trick to getting all of the above to work more than one time, is to make sure that you close the browser tab after you have finished testing and before you try to run again, otherwise NetBeans seems to fail with weird errors because the distribution files get locked by the app running inside the browser under Windows.
  If you are still stuck, you can try opening this JavaFX project which uses self-signed jars in NetBeans 7.1 RC2 or later => http://willow-browser.googlecode.com/files/willow-src-prerelease-0.1-netbeans-project.zip

• How to deploy signed jars/classes in Java Stored Procedure

  I am using java encryption API in my java application that I want to deploy as java stored procedure. The API is kept in the signed jar files.
  The Application is running in the MS-DOS environment but not in Oracle8i.
  It gives me following error.
  java.lang.ExceptionInInitializerError: java.lang.SecurityException: Cannot set
  up certs for trusted CAs
  at javax.crypto.b.<clinit>([DashoPro-V1.2-120198])
  at javax.crypto.KeyGenerator.getInstance([DashoPro-V1.2-120198])
  at DesKey.GenerateKey(DesKey.java:63)
  declare
  ERROR at line 1:
  ORA-29532: Java call terminated by uncaught Java exception:
  java.lang.ExceptionInInitializerError
  ORA-06512: at line 4
  (Note: I have enabled the java output in SQL Plus editor otherwise it will give only the second part of error that starts from ERROR at line 1:)
  please guide me how to solve this problem.
  Salman Hameed
  null

  Salman,
  If you do not get a reply on this forum, I recommend you post this question on the Oracle JVM discussion forum as well.
  In addition, I would recommend checking the documentation for Oracle8i. The Oracle8i Java Developer's Guide, the Java Stored Procedures Guide, and the JDBC Developer's guide may have some information on this topic. You can get to this doc from the OTN Documentation page. Click on Oracle8i, then General Documentation, Release 2 (8.1.6), then scroll down to see the link for the Oracle8i Java Developer's documetation. All of the books mentioned above are available from that link.

• Sign jar Issue

  HI,
  i am not able to avoid the applet warning message.Though we created the sign-jar.
  Regards
  Muthukumar

  i am not able to avoid the applet warning message.Though we created the sign-jar.
  Correct. One cannot and should no be able to turn off the applet warning message. Applets are applications running on your computer and could be malicious. Signing the jar does not guarantee they are not malicious since anyone can obtain a certificate signed by one of the major CAs. All a CA certifies is that the owner of the certificate is who they say they are and not that they are trustworthy. If he had been alive today, Al Capone could have obtained a legitimate signed certificate  under his own name but would you trust an application created by Al Capone?

• I can't not sign in in the messenger from my blackberry

  I can't not sign in in the windows  messenger from my blackberry and also from any blackberry. This message apears." Server encontered unrecoverable error. Please contact your system administrator." Also I sing in with other contact and got thru without problem. Can you help me please?

  there are no specific restrictions for windows ID's.. try to change your password & then try to login once again.. and by the way, what's the ID.. is the @live or @hotmail ??
  .RoCkInG dUdE.
  Trust Your Technolust | Do not PM for any support
  If a solution received, please hit on to show your support.

• Different signed jars need to be passed to the client.

  Hi,
  My requirement is that I have a list of my jar files that are signed by me and a set of another jar files that are not signed by me, but a third party. I require that these be signed by the third party only. I need to pass this files on to the client.
  I cannot put the jars with different signatures under the same jnlp.
  I am trying to embed one jnlp (the one that has third party signed jars) inside the main jnlp (the jnlp that will be called from my html). But I am not able to do so,
  Please provide any help. Also is there any other approach that can be used.
  Thaks in advance.

  tcstcs,
  One thing you could do is manually go in and delete the 3rd party's signature from the second JAR file, and re-sign that jar with your own signature. I'm not 100% sure this is what you should be doing, but you could give it a shot. Open up the 3rd party JAR in WinZip and delete the meta-inf path. This contains the signature. Now you can re-sign that jar with your own signature, and they will all match up so you can use them in the same JNLP file. Hope this helps,
  Mark