Search   Recent Topics     Member Listing   Register /  Login 
Trusted-Library attribute in manifest file
Forum Index -> General Issues
Author Message
adeteran
Visitor

Joined: Nov 29, 2007
Messages: 4
Location: CORPME
Offline

Hi,

We have been successfully using JCAPI in an applet, to sign files in user's local disk. Our applet has no GUI, so interaction with user is via JavaScript.

Since Java 6 update 19, if an application uses signed and unsigned code, signed jars that are allowed to be used from unsigned code, should have a Trusted-Library attribute set to true in their manifest. Else, the JVM will pop a warning that recommends the user to not execute the app.

Trusted library classes are loaded through a separate classloader. The rest of the app can "see" that trusted code, but trusted code cannot "see" code not marked as "trusted library".

http://docs.oracle.com/javase/6/docs/technotes/guides/jweb/mixed_code.html

Since Java 7 update 21/Java 6 update 45, if signed code is invoked from JavaScript, it is considered as mixed code. So our application is now considered mixed code.

If we add the Trusted-Library to our jars and sign them, there are no warnings, but as JCAPI is not a "trusted library", our code cannot "see" any of JCAPI classes (a ClassNotFoundException is thrown).

There is a workaround, but it involves messing with classloaders. It would be much more easy that JCAPI manifest includes Trusted-Library attribute set to true. I think it is coherent with JCAPI purpouse, and lot of users will benefit from it.

Do you have plans to include a Trusted-Library attribute in the manifest, in both 1.x and 2.x versions?

Thanks in advance.
tommy
Pheox Support

Joined: May 30, 2005
Messages: 148
Offline

Hi,

We've now released a new re-signed version of JCAPI whose manifest file contain the new Trusted-Library property.

For more information, please see our release post.

Regards,
Tommy
 
  Forum Index -> General Issues
Go to: