Java applet with LWJGL breaks after updating to 7u45

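We have a Java applet that has been running for several years without problems. It uses LWJGL, and all JARs are signed with a proper certificate (not self-signed).
After the last Java update to u45, the applet crashes.

What we have done so far:

- Added Permissions: all-permissions to all JAR manifests
- Added Application-Library-Allowable-Codebase: * to all JAR manifests
- Added Caller-Allowable-Codebase: * to all JAR manifests
- Added Codebase: * to all JAR manifests
- Different permutations of the above

I know there have been some changes in how the security warnings are configured, but (for now!) we don't care about pop-ups asking for permission. First, we want to get it working.

Here is an example of what happens in the Java console. The rest of the output seems fine: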

java.lang.reflect.InvocationTargetException
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
    at java.lang.reflect.Method.invoke(Unknown Source)
    at org.lwjgl.util.applet.AppletLoader$4.getPermissions(AppletLoader.java:1206)
    at java.security.SecureClassLoader.getProtectionDomain(Unknown Source)
    at java.security.SecureClassLoader.defineClass(Unknown Source)
    at java.net.URLClassLoader.defineClass(Unknown Source)
    at java.net.URLClassLoader.access$100(Unknown Source)
    at java.net.URLClassLoader$1.run(Unknown Source)
    at java.net.URLClassLoader$1.run(Unknown Source)
    at java.security.AccessController.doPrivileged(Native Method)
    at java.net.URLClassLoader.findClass(Unknown Source)
    at java.lang.ClassLoader.loadClass(Unknown Source)
    at java.lang.ClassLoader.loadClass(Unknown Source)
    at org.lwjgl.util.applet.AppletLoader.switchApplet(AppletLoader.java:1319)
    at org.lwjgl.util.applet.AppletLoader$2.run(AppletLoader.java:909)
    at java.awt.event.InvocationEvent.dispatch(Unknown Source)
    at java.awt.EventQueue.dispatchEventImpl(Unknown Source)
    at java.awt.EventQueue.access$200(Unknown Source)
    at java.awt.EventQueue$3.run(Unknown Source)
    at java.awt.EventQueue$3.run(Unknown Source)
    at java.security.AccessController.doPrivileged(Native Method)
    at java.security.ProtectionDomain$1.doIntersectionPrivilege(Unknown Source)
    at java.awt.EventQueue.dispatchEvent(Unknown Source)
    at java.awt.EventDispatchThread.pumpOneEventForFilters(Unknown Source)
    at java.awt.EventDispatchThread.pumpEventsForFilter(Unknown Source)
    at java.awt.EventDispatchThread.pumpEventsForHierarchy(Unknown Source)
    at java.awt.EventDispatchThread.pumpEvents(Unknown Source)
    at java.awt.EventDispatchThread.pumpEvents(Unknown Source)
    at java.awt.EventDispatchThread.run(Unknown Source)
Caused by: java.lang.NullPointerException
    at sun.plugin2.applet.Plugin2ClassLoader.loadAllowedCodebases(Unknown Source)
    at sun.plugin2.applet.Plugin2ClassLoader.getPermissions(Unknown Source)
    at sun.plugin2.applet.Applet2ClassLoader.getPermissions(Unknown Source)
    ... 31 more

and:

java.lang.reflect.InvocationTargetException
    at java.awt.EventQueue.invokeAndWait(Unknown Source)
    at java.awt.EventQueue.invokeAndWait(Unknown Source)
    at org.lwjgl.util.applet.AppletLoader.run(AppletLoader.java:906)
    at java.lang.Thread.run(Unknown Source)
Caused by: java.lang.ExceptionInInitializerError
    at org.lwjgl.Sys.createImplementation(Sys.java:124)
    at org.lwjgl.Sys.<clinit>(Sys.java:111)
    at org.lwjgl.opengl.AWTGLCanvas.<clinit>(AWTGLCanvas.java:87)
    at j2cad.d.c.k(Unknown Source)
    at j2cad.applet.J2CadApplet.init(Unknown Source)
    at org.lwjgl.util.applet.AppletLoader.switchApplet(AppletLoader.java:1330)
    at org.lwjgl.util.applet.AppletLoader$2.run(AppletLoader.java:909)
    at java.awt.event.InvocationEvent.dispatch(Unknown Source)
    at java.awt.EventQueue.dispatchEventImpl(Unknown Source)
    at java.awt.EventQueue.access$200(Unknown Source)
    at java.awt.EventQueue$3.run(Unknown Source)
    at java.awt.EventQueue$3.run(Unknown Source)
    at java.security.AccessController.doPrivileged(Native Method)
    at java.security.ProtectionDomain$1.doIntersectionPrivilege(Unknown Source)
    at java.awt.EventQueue.dispatchEvent(Unknown Source)
    at java.awt.EventDispatchThread.pumpOneEventForFilters(Unknown Source)
    at java.awt.EventDispatchThread.pumpEventsForFilter(Unknown Source)
    at java.awt.EventDispatchThread.pumpEventsForHierarchy(Unknown Source)
    at java.awt.EventDispatchThread.pumpEvents(Unknown Source)
    at java.awt.EventDispatchThread.pumpEvents(Unknown Source)
    at java.awt.EventDispatchThread.run(Unknown Source)
Caused by: java.security.AccessControlException: access denied ("java.util.PropertyPermission" "org.lwjgl.util.Debug" "read")
    at java.security.AccessControlContext.checkPermission(Unknown Source)
    at java.security.AccessController.checkPermission(Unknown Source)
    at java.lang.SecurityManager.checkPermission(Unknown Source)
    at sun.plugin2.applet.AWTAppletSecurityManager.checkPermission(Unknown Source)
    at java.lang.SecurityManager.checkPropertyAccess(Unknown Source)
    at java.lang.System.getProperty(Unknown Source)
    at java.lang.Boolean.getBoolean(Unknown Source)
    at org.lwjgl.LWJGLUtil$4.run(LWJGLUtil.java:454)
    at org.lwjgl.LWJGLUtil$4.run(LWJGLUtil.java:452)
    at java.security.AccessController.doPrivileged(Native Method)
    at org.lwjgl.LWJGLUtil.getPrivilegedBoolean(LWJGLUtil.java:452)
    at org.lwjgl.LWJGLUtil.<clinit>(LWJGLUtil.java:265)
    ... 21 more

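The first one occurs multiple times; the second occurs only once, at the end of the log.

Thanks for any suggestions; everyone who has done the update can access the site!

Thank you all!

Solution:

I found a creepy workaround that avoids this problem, because the AppletLoader in lwjgl_util_applet.jar overrides the security context by replacing the default classLoader. So we need to patch it:

1- Download the class HERE

2- Replace this: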

classLoader = new URLClassLoader(urls) {

with this:

classLoader = new URLClassLoader(urls, Thread.currentThread().getContextClassLoader()) {

this:

Thread.currentThread().setContextClassLoader(classLoader);
Class appletClass = classLoader.loadClass(getParameter("al_main"));

with this:

Class appletClass = Thread.currentThread().getContextClassLoader().loadClass(getParameter("al_main"));

and this:

urlconnection.setDefaultUseCaches(false);

with this:

urlconnection.setDefaultUseCaches(true);

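3- Compile it and overwrite the .class in lwjgl_util_applet.jar with the new one.

4- Remove the signatures from all JARs (if present), then re-sign them with all of these attributes in MANIFEST.MF.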

Manifest-Version: 1.0
Trusted-Library: true
Application-Library-Allowable-Codebase: *
Trusted-Only: false
Application-Name: My app
Permissions: all-permissions
Created-By: 1.6.0_16 (Sun Microsystems Inc.)
Caller-Allowable-Codebase: *
Codebase: *

5- In the applet tag, put:

<param name="permissions" value="all-permissions">
<param name="codebase_lookup" value="true">
<param name="classloader_cache" value="false">
<param name="al_version" value="0.1">

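6- (The creepy part) Put all the JARs from the param "al_jars" into the "archive" parameter (just leave a blank in al_jars).

7- Clean your caches (Java and browser) and set the Java cache to active (like the future users of your application).

8- Run the applet, and keep your fingers crossed.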
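
An added example, not part of the original question or answer: a Python check that reads META-INF/MANIFEST.MF from a JAR, unfolds lines continued at the 72-byte limit, and reports the attributes from step 4 that are set to the bare wildcard `*`, which places no restriction on the site that deploys or calls the signed JAR. The function names, the sample manifest and the example.com hosts are constructed for illustration.

```python
import io
import zipfile

# Step 4 attributes whose value limits which sites may deploy or call the JAR.
CODEBASE_ATTRS = ("Codebase", "Caller-Allowable-Codebase",
                  "Application-Library-Allowable-Codebase")

# Constructed sample manifest; the third attribute is folded at 72 bytes.
SAMPLE = (
    "Manifest-Version: 1.0\r\n"
    "Permissions: all-permissions\r\n"
    "Application-Library-Allowable-Codebase: https://apps.example.com https:/\r\n"
    " /cdn.example.com\r\n"
    "Caller-Allowable-Codebase: *\r\n"
    "Codebase: *\r\n"
    "\r\n"
)

def parse_main_section(text):
    """Return the manifest main section as {lowercased name: value}."""
    attrs, last = {}, None
    for line in text.replace("\r\n", "\n").replace("\r", "\n").split("\n"):
        if not line:
            if attrs:
                break                      # blank line ends the main section
        elif line.startswith(" ") and last:
            attrs[last] += line[1:]        # continuation of a folded line
        elif ": " in line:
            name, value = line.split(": ", 1)
            last = name.lower()            # attribute names are case-insensitive
            attrs[last] = value
    return attrs

def audit_manifest(attrs):
    """List attributes set to the bare wildcard, as in the workaround."""
    findings = [f"{name}: wildcard '*' matches any site"
                for name in CODEBASE_ATTRS
                if "*" in attrs.get(name.lower(), "").split()]
    if findings and attrs.get("permissions", "").strip() == "all-permissions":
        findings.append("Permissions: all-permissions with a wildcard codebase")
    return findings

def audit_jar(jar):
    """jar is a path or a binary file object."""
    with zipfile.ZipFile(jar) as zf:
        text = zf.read("META-INF/MANIFEST.MF").decode("utf-8")
    return audit_manifest(parse_main_section(text))

def build_sample_jar():
    """In-memory JAR holding only the constructed manifest."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", SAMPLE)
    buf.seek(0)
    return buf
```

Calling `audit_jar` with the path of each re-signed JAR gives the same report for a real deployment; a host-specific value such as the folded one in the sample is not flagged.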
