Announcement Announcement Module
Collapse
No announcement yet.
Unsigned Java Web Start Spring Application? Page Title Module
Move Remove Collapse
X
Conversation Detail Module
Collapse
  • Filter
  • Time
  • Show
Clear All
new posts

  • Unsigned Java Web Start Spring Application?

    I have a Spring application that I want to distribute via Java Web Start. The application will need to be unsigned and thus sandboxed by JWS. However, all attempts to do so don't work as Spring fails to resolve xsd schemalocations in a sandboxed environment.

    Here's a sample application that reproduces the problem:

    HelloWorldJws.java:
    Code:
    package org.foo;
    
    import org.springframework.context.ApplicationContext;
    import org.springframework.context.support.ClassPathXmlApplicationContext;
    
    public class HelloWorldJws {
        
        public static void main(String[] args) {
            new HelloWorldJws().doIt();
        }
    
        private void doIt() {
            System.out.println("HelloWorldJws!");
            
          ApplicationContext ctx = new ClassPathXmlApplicationContext("/applicationContext-http-schema.xml");
          // ApplicationContext ctx = new ClassPathXmlApplicationContext("/applicationContext-classpath-schema.xml");
    
          SimpleServiceBean serviceBean = ctx.getBean(SimpleServiceBean.class);
          System.out.println("ServiceBean: " + serviceBean.getStringProp());
          
          System.out.println("Exiting...");
        }
    }
    SimpleServiceBean.java
    Code:
    package org.foo;
    
    import org.springframework.stereotype.Service;
    
    @Service
    public class SimpleServiceBean {
    
        private String stringProp;
    
        public String getStringProp() {
            return stringProp;
        }
    
        public void setStringProp(String stringProp) {
            this.stringProp = stringProp;
        }
    }
    applicationContext-http-schema.xml:
    Code:
    <?xml version="1.0" encoding="UTF-8" standalone="no"?>
    <beans xmlns="http://www.springframework.org/schema/beans"
      xmlns:context="http://www.springframework.org/schema/context"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
      http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.1.xsd
      http://www.springframework.org/schema/tool http://www.springframework.org/schema/tool/spring-tool-3.1.xsd">
    
      <context:annotation-config />
      <context:component-scan base-package="org.foo" />
    </beans>
    hello.jnlp:
    Code:
    <?xml version="1.0" encoding="UTF-8"?>
    <jnlp spec="1.0+"
      href="hello.jnlp"
      version="1.5.0">
      <information>
        <title>Hello</title>
        <vendor>VENDOR</vendor>
        <homepage href="www.foo.org" />
        <offline-allowed>false</offline-allowed>
      </information>
      <update check="always" policy="always" />
      <application-desc
        name="Hello World Java Web Start"
        main-class="org.foo.HelloWorldJws">
      </application-desc>
      <security>
      <!-- 
        <all-permissions/>
      -->
      </security>
      <resources>
        <j2se version="1.7+" href="http://java.sun.com/products/autodl/j2se"/>
        <jar href="build/libs/HelloWorldJws-1.0.0.jar" download="eager" />
        <jar href="dist/slf4j-api-1.5.6.jar" download="eager" />
        <jar href="dist/slf4j-log4j12-1.5.6.jar" download="eager" />
        <jar href="dist/log4j-1.2.15.jar" download="eager" />
        <jar href="dist/spring-beans-3.1.2.RELEASE.jar" download="eager" />
        <jar href="dist/spring-asm-3.1.2.RELEASE.jar" download="eager" />
        <jar href="dist/spring-context-3.1.2.RELEASE.jar" download="eager" />
        <jar href="dist/spring-core-3.1.2.RELEASE.jar" download="eager" />
        <jar href="dist/spring-expression-3.1.2.RELEASE.jar" download="eager" />
        <jar href="dist/com.springsource.slf4j.org.apache.commons.logging-1.5.6.jar" download="eager" />
      </resources>"
    </jnlp>
    Output:
    I get the following Security Warning dialog box popup from JWS:
    Attachment

    The JWS Console shows:
    Code:
    security: JAVAWS AppPolicy Permission requested for: file:/D:/dev4/HelloWorldJws/dist/spring-asm-3.1.2.RELEASE.jar
    security: Add sandbox permissions
    network: Connecting http://www.springframework.org/schema/beans/spring-beans-3.1.xsd with proxy=HTTP @ localhost/127.0.0.1:8888
    network: Cache entry not found [url: http://www.springframework.org/crossdomain.xml, version: null]
    network: Connecting http://www.springframework.org/crossdomain.xml with proxy=HTTP @ localhost/127.0.0.1:8888
    network: Cache entry not found [url: http://www.springsource.org/crossdomain.xml, version: null]
    network: Connecting http://www.springsource.org/crossdomain.xml with proxy=HTTP @ localhost/127.0.0.1:8888
    network: Connecting http://www.springsource.org/crossdomain.xml with cookie "SESS3d5db4009c20f237ef34ad61b7610c98=mcpteb4sodh7cftidbstbjcpi1"
    Note, I don't get these errors if I sign the jars and specify <all-permissions/> in the jnlp.

    Moving on, I recall several posts that say you have to use classpath: xsd schemalocations. So I try:

    HelloWorldJws.java:
    Code:
    ...
          ApplicationContext ctx = new ClassPathXmlApplicationContext("/applicationContext-classpath-schema.xml");
    ...
    applicationContext-classpath-schema.xml
    Code:
    <?xml version="1.0" encoding="UTF-8" standalone="no"?>
    <beans xmlns="http://www.springframework.org/schema/beans"
      xmlns:context="http://www.springframework.org/schema/context"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xsi:schemaLocation="http://www.springframework.org/schema/beans classpath:org/springframework/beans/factory/xml/spring-beans-3.1.xsd
      http://www.springframework.org/schema/context classpath:org/springframework/context/config/spring-context-3.1.xsd
      http://www.springframework.org/schema/tool classpath:org/springframework/beans/factory/xml/spring-tool-3.1.xsd">
    
      <context:annotation-config />
      <context:component-scan base-package="org.foo" />
    </beans>
    Which fails with:
    Attachment

    Again, if I sign the jars and specify <all-permissions/> in the jnlp, then it works and I see in fiddler that I don't have any network connections to www.springframework.org.

    Question:
    Is it possible to use Spring in an application and Java Web Start it in an untrusted environment?

    I seem to only get this problem when using annotation-based Spring (e.g., @Service, <context:annotation-config />, <context:component-scan base-package="org.foo" />), and not with traditional xml-bean-declaration Spring.

    It seems as though JWS is restricting the classpath from Spring.

    Thanks in advance!
    Tom
    Attached Files
Working...
X