Class Signer Security Exception

Hi All.

I sign my own jars.
As part of the installation, the WebStart user is prompted to accept them just like in any other application.

However, it appears that this might create a runtime conflict when object serialization occurs.

A user-defined object (e.g. an instance of com.mycompany.MyClass) created at the server and passed back to the JWS client yields the following error:

java.lang.SecurityException: class “MyClass”'s signer information does not match signer information of other classes in the same package

This makes sense if the class signer at the server is “Servoy”.

What’s the solution or workaround to this issue?

cheers
Julian

Can it be that your class is serialized to the client? The instances from classes should be no problem…

Here’s my JWS stack trace:

java.lang.SecurityException: class “commycompany.MyClass”'s signer information does not match signer information of other classes in the same package

at java.lang.ClassLoader.checkCerts(Unknown Source)
at java.lang.ClassLoader.defineClass(Unknown Source)
at java.security.SecureClassLoader.defineClass(Unknown Source)
at com.sun.jnlp.JNLPClassLoader.defineClass(Unknown Source)
at com.sun.jnlp.JNLPClassLoader.access$100(Unknown Source)
at com.sun.jnlp.JNLPClassLoader$1.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at com.sun.jnlp.JNLPClassLoader.findClass(Unknown Source)
at java.lang.ClassLoader.loadClass(Unknown Source)
at java.lang.ClassLoader.loadClass(Unknown Source)
at java.lang.ClassLoader.loadClassInternal(Unknown Source)
at java.lang.Class.getDeclaredFields0(Native Method)
at java.lang.Class.privateGetDeclaredFields(Unknown Source)
at java.lang.Class.getDeclaredFields(Unknown Source)
at java.io.ObjectStreamClass.getDefaultSerialFields(Unknown Source)
at java.io.ObjectStreamClass.getSerialFields(Unknown Source)
at java.io.ObjectStreamClass.access$600(Unknown Source)
at java.io.ObjectStreamClass$3.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at java.io.ObjectStreamClass.<init>(Unknown Source)
at java.io.ObjectStreamClass.lookup(Unknown Source)
at java.io.ObjectStreamClass.initNonProxy(Unknown Source)
at java.io.ObjectInputStream.readNonProxyDesc(Unknown Source)
at java.io.ObjectInputStream.readClassDesc(Unknown Source)
at java.io.ObjectInputStream.readOrdinaryObject(Unknown Source)
at java.io.ObjectInputStream.readObject0(Unknown Source)
at java.io.ObjectInputStream.readObject(Unknown Source)
at sun.rmi.registry.RegistryImpl_Stub.lookup(Unknown Source)
at java.rmi.Naming.lookup(Unknown Source)
at com.servoy.j2db.plugins.ClientPluginAccessProvider.getServerService(Unknown Source)
at au.com.practica.servoy.plugin.data.client.ServoyDataStreamConduit.createRecordStreamedInputSource(ServoyDataStreamConduit.java:144)
at au.com.practica.data.conduit.AbstractDataStreamConduit$1.run(AbstractDataStreamConduit.java:153)
at java.lang.Thread.run(Unknown Source)

Is it needed to sign your code? We remove the webstart security manager anyway after we are approved by the end user to have all normal application rights.
The Servoy server admin defines what plugins/beans/laf are used, and are run on the client, so no unsecure code is executed.
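
Added example, not part of the thread and not Servoy's or the posters' code: the exception above is raised when classes of one package are loaded with different signer certificates, so a quick way to locate the conflict is to scan every jar the client loads and group each package's classes by signer. The class name `PackageSignerCheck` is hypothetical; the jar paths are whatever you pass on the command line.

```java
import java.io.*;
import java.security.CodeSigner;
import java.security.cert.X509Certificate;
import java.util.*;
import java.util.jar.*;

// Added diagnostic (assumption: run against the jars the Web Start client downloads).
public class PackageSignerCheck {

    // Returns a stable label for the signer(s) of one jar entry.
    static String signersOf(JarFile jar, JarEntry e) throws IOException {
        // Signer data is only populated after the entry has been read to the end;
        // a tampered entry makes the read throw SecurityException.
        try (InputStream in = jar.getInputStream(e)) {
            byte[] buf = new byte[8192];
            while (in.read(buf) != -1) { /* drain */ }
        }
        CodeSigner[] signers = e.getCodeSigners();
        if (signers == null) return "<unsigned>";
        TreeSet<String> ids = new TreeSet<>();
        for (CodeSigner s : signers) {
            X509Certificate c = (X509Certificate) s.getSignerCertPath().getCertificates().get(0);
            ids.add(c.getSubjectX500Principal().getName() + " #" + c.getSerialNumber().toString(16));
        }
        return String.join(" + ", ids);
    }

    public static void main(String[] args) throws IOException {
        // package -> signer label -> jars holding classes of that package with that signer
        Map<String, Map<String, Set<String>>> seen = new TreeMap<>();
        for (String path : args) {
            try (JarFile jar = new JarFile(new File(path), true)) { // true = verify signatures
                for (JarEntry e : Collections.list(jar.entries())) {
                    String n = e.getName();
                    if (!n.endsWith(".class")) continue;
                    int slash = n.lastIndexOf('/');
                    String pkg = slash < 0 ? "(default)" : n.substring(0, slash).replace('/', '.');
                    seen.computeIfAbsent(pkg, k -> new TreeMap<>())
                        .computeIfAbsent(signersOf(jar, e), k -> new TreeSet<>()).add(path);
                }
            }
        }
        boolean conflict = false;
        for (Map.Entry<String, Map<String, Set<String>>> p : seen.entrySet()) {
            if (p.getValue().size() < 2) continue; // one signer label per package is fine
            conflict = true;
            System.out.println("MISMATCH in package " + p.getKey());
            p.getValue().forEach((signer, jars) -> System.out.println("  " + signer + " <- " + jars));
        }
        System.exit(conflict ? 1 : 0);
    }
}
```

Any package printed as a mismatch has classes that are unsigned in one jar and signed in another, or signed with different certificates; moving those classes into a package of their own or signing all jars that share the package with the same certificate removes the conflict.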