问题
I have a serious problem with Java Web Start that I can't get my head around. The situation is the following: I have a JavaFX app, written Java8, that I want to deploy using Java WebStart. Until recently I used HTTP for communications with a server, and everthing worked fine. I could deploy the app using Web Start embedded in the browser or as a standalone app.
However I have now changed the communication to use WebSockets. For this I am currently using the tyrus implementation. And now comes the problem: Since I have added the tyrus lib, I always get an AccessControlException when tyrus tries to access a system property:
Caused by: java.security.AccessControlException: access denied ("java.util.PropertyPermission" "weblogic.websocket.client.max-aio-threads" "read")
at java.security.AccessControlContext.checkPermission(Unknown Source) ~[na:1.8.0_25]
at java.security.AccessController.checkPermission(Unknown Source) ~[na:1.8.0_25]
at java.lang.SecurityManager.checkPermission(Unknown Source) ~[na:1.8.0_25]
at sun.plugin2.applet.FXAppletSecurityManager.checkPermission(Unknown Source) ~[na:na]
at java.lang.SecurityManager.checkPropertyAccess(Unknown Source) ~[na:1.8.0_25]
at java.lang.System.getProperty(Unknown Source) ~[na:1.8.0_25]
at org.glassfish.tyrus.container.jdk.client.JdkClientContainer.openClientSocket(JdkClientContainer.java:106) ~[na:na]
However I can easily access exactly this property from any of my own classes, e.g. if I do this
logger.info(System.setProperty(ClientManager.WLS_MAX_THREADS, "1"));
logger.info(System.getProperty(ClientManager.WLS_MAX_THREADS));
I get the expected result with no security problems.
Of course I have made sure that all jars are fully signed, all jars have the Permissions: all-permissions flag in their Manifest.MF files, and the jnlp does have the required <security><all-permissions /></security> tag.
Apart from this I also tried using the jetty websocket implementation, however this gave me exactly the same problems.
So does anybody have an idea why the tyrus code is not able to access the same system property as the main code?
回答1:
Ok, thanks for the help, I finally found the answer. The hint by @Tom Hawtin gave me the right clue, I still need to wrap the call to webSocket.connectToClient() in AccessController.doPrivileged() to get full rights in the dependent code.
However I still don't fully understand why signed code with Permissions: all-permissions is not trusted, maybe I should read up on the WebStart security model.
Edit:
Ok, after playing around much more and finding more weird bugs I found the real problem: When I integrated the WebSockets into the application I made heavy use of the CompleableFuture.xxxAsync() methods. And by default those are running on the common ForkJoinPool, which in turn run on special threads (InnocuousForkJoinWorkerThread) if a security manager is present (as is obvious the case using jnpl). And those don't have any permissions whatsoever, which correctly triggered all those errors.
So the solution is to use a custom Executor for the xxxAsync(xxx, executor) calls.
来源:https://stackoverflow.com/questions/27231276/how-to-grant-dependent-lib-in-jnlp-file-all-permissions