Class Signer Security Exception

Questions and answers on developing, deploying and using plugins and JavaBeans


Post by cybersack » Tue Mar 29, 2005 11:00 pm

Hi All.

I sign my own jars.
As part of the installation, the WebStart user is prompted to accept them just like in any other application.

However, it appears that this might create a runtime conflict when object serialization occurs.

A user-defined object (e.g. an instance of com.mycompany.MyClass) created at the server and passed back to the JWS client yields the following error:

java.lang.SecurityException: class "MyClass"'s signer information does not match signer information of other classes in the same package

This makes sense if the class signer at the server is "Servoy".

What's the solution or workaround to this issue?

cheers
Julian

Post by Jan Blok » Tue Mar 29, 2005 11:06 pm

Can it be that your class is serialized to the client? The instances from classes should be no problem...
Jan Blok
Servoy

Post by cybersack » Tue Mar 29, 2005 11:07 pm

Here's my JWS stack trace:

java.lang.SecurityException: class "commycompany.MyClass"'s signer information does not match signer information of other classes in the same package

at java.lang.ClassLoader.checkCerts(Unknown Source)
at java.lang.ClassLoader.defineClass(Unknown Source)
at java.security.SecureClassLoader.defineClass(Unknown Source)
at com.sun.jnlp.JNLPClassLoader.defineClass(Unknown Source)
at com.sun.jnlp.JNLPClassLoader.access$100(Unknown Source)
at com.sun.jnlp.JNLPClassLoader$1.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at com.sun.jnlp.JNLPClassLoader.findClass(Unknown Source)
at java.lang.ClassLoader.loadClass(Unknown Source)
at java.lang.ClassLoader.loadClass(Unknown Source)
at java.lang.ClassLoader.loadClassInternal(Unknown Source)
at java.lang.Class.getDeclaredFields0(Native Method)
at java.lang.Class.privateGetDeclaredFields(Unknown Source)
at java.lang.Class.getDeclaredFields(Unknown Source)
at java.io.ObjectStreamClass.getDefaultSerialFields(Unknown Source)
at java.io.ObjectStreamClass.getSerialFields(Unknown Source)
at java.io.ObjectStreamClass.access$600(Unknown Source)
at java.io.ObjectStreamClass$3.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at java.io.ObjectStreamClass.<init>(Unknown Source)
at java.io.ObjectStreamClass.lookup(Unknown Source)
at java.io.ObjectStreamClass.initNonProxy(Unknown Source)
at java.io.ObjectInputStream.readNonProxyDesc(Unknown Source)
at java.io.ObjectInputStream.readClassDesc(Unknown Source)
at java.io.ObjectInputStream.readOrdinaryObject(Unknown Source)
at java.io.ObjectInputStream.readObject0(Unknown Source)
at java.io.ObjectInputStream.readObject(Unknown Source)
at sun.rmi.registry.RegistryImpl_Stub.lookup(Unknown Source)
at java.rmi.Naming.lookup(Unknown Source)
at com.servoy.j2db.plugins.ClientPluginAccessProvider.getServerService(Unknown Source)
at au.com.practica.servoy.plugin.data.client.ServoyDataStreamConduit.createRecordStreamedInputSource(ServoyDataStreamConduit.java:144)
at au.com.practica.data.conduit.AbstractDataStreamConduit$1.run(AbstractDataStreamConduit.java:153)
at java.lang.Thread.run(Unknown Source)

Post by Jan Blok » Tue Mar 29, 2005 11:19 pm

Is it needed to sign your code? We remove the WebStart security manager anyway after we are approved by the end user to have all normal application rights.
The Servoy server admin defines what plugins/beans/laf are used, and are run on the client, so no insecure code is executed.
Jan Blok
Servoy
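
The SecurityException in the stack trace above comes from ClassLoader.checkCerts, which rejects a class whose signers differ from those of classes already defined in the same package. The following is an added example, not part of the original posts and not Servoy code: a diagnostic that lists every package whose classes are signed differently (or left unsigned) across a set of jars. The class name SignerMismatchCheck and the identity string it prints are assumptions made for illustration.

```java
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.cert.X509Certificate;
import java.util.*;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;
// Added example: lists packages whose classes carry different signers across the jars
// given on the command line (the condition ClassLoader.checkCerts rejects at load time).
public class SignerMismatchCheck {
    // Identity of an entry's signers: subject DN and serial of each signer's leaf certificate.
    // This is a simplification; the JVM compares the certificates themselves.
    static String signersOf(JarFile jar, JarEntry entry) throws Exception {
        try (InputStream in = jar.getInputStream(entry)) {
            byte[] buf = new byte[8192];
            while (in.read(buf) != -1) { } // signers are only populated after a full read
        }
        CodeSigner[] signers = entry.getCodeSigners();
        if (signers == null) return "<unsigned>";
        Set<String> ids = new TreeSet<>();
        for (CodeSigner s : signers) {
            X509Certificate leaf = (X509Certificate) s.getSignerCertPath().getCertificates().get(0);
            ids.add(leaf.getSubjectX500Principal().getName() + " #" + leaf.getSerialNumber().toString(16));
        }
        return String.join(" + ", ids);
    }
    public static void main(String[] args) throws Exception {
        // package -> signer identity -> jars contributing classes signed that way
        Map<String, Map<String, Set<String>>> byPackage = new TreeMap<>();
        for (String path : args) {
            try (JarFile jar = new JarFile(path)) { // signature verification is on by default
                for (JarEntry e : Collections.list(jar.entries())) {
                    String name = e.getName();
                    if (!name.endsWith(".class") || name.startsWith("META-INF/") || name.indexOf('/') < 0) continue;
                    String pkg = name.substring(0, name.lastIndexOf('/')).replace('/', '.');
                    byPackage.computeIfAbsent(pkg, k -> new TreeMap<>())
                             .computeIfAbsent(signersOf(jar, e), k -> new TreeSet<>()).add(path);
                }
            }
        }
        boolean conflict = false;
        for (Map.Entry<String, Map<String, Set<String>>> p : byPackage.entrySet()) {
            if (p.getValue().size() < 2) continue; // one signer identity: loads without conflict
            conflict = true;
            System.out.println("MISMATCH in package " + p.getKey());
            p.getValue().forEach((id, jars) -> System.out.println("  " + id + "  <-  " + jars));
        }
        System.exit(conflict ? 1 : 0);
    }
}
```

Pass every jar the client can load classes from as arguments; a package reported with more than one signer identity, including `<unsigned>`, is a candidate for the exception shown in the trace.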

