tags:

views:

50

answers:

1
+2  Q: 

How to avoid Java security exception due to mixed code

Hi,

I have an applet which is present in a signed jar. This applet uses another 3rd party jar file which is unsigned. On launching the applet I get the Mixed code warning which I want to avoid.

To solve this issue, I added "Trusted-Library: true" to the unsigned jar which is being used by my applet.

But, it still throws SecurityException. I tried this with JRE update 20 as well but problem persists.

Can someone please help me with this? How to avoid getting the warning message when I have to use an unsigned jar.

Thanks!

+2  A: 

Use your tool chain to sign the 3rd party JAR with your key.

Aaron Digulla  2010-08-23 09:14:06
Can we sign a 3rd party jar with our signature? meaning, will that be legal?
raghvendra  2010-08-23 09:19:04
@raghvendra: check with your legal department for that. But from what I see, it is not an uncommon practice.
Joachim Sauer  2010-08-23 09:26:00
ok, Thanks a lot!
raghvendra  2010-08-23 09:27:41
You can sign it, but make the signature say that you're signing on behalf of third-party providers. Like that, it's *you* that is making the assertion that the code is OK, but you're not claiming ownership.
Donal Fellows  2010-08-23 09:41:25
@Donal You are also putting your name against the code being secure. Being secure is a different kettle of fish from not being malicious.
Tom Hawtin - tackline  2010-08-23 19:00:16
@Tom: Yes, but that's why you should only grant exactly what is needed for the code to do its job. Don't give access to the whole filesystem when only only a tiny bit will do; don't give the ability to open any socket when connecting to your server (with known IP address) is enough.
Donal Fellows  2010-08-23 20:00:44
@Donal Whilst that can be useful, it's very rare to be done in practice. It's difficult to work out what the exact permission should be (they'll be hidden in libraries) and it doesn't tend to achieve much.
Tom Hawtin - tackline  2010-08-23 21:05:02

related questions

Java Time Zone is messed up
Eclipse on win64
Automate builds for Java RCP for deployment with JNLP
Why are professors or schools picking Java over C++ to teach to students?
Is there a real benefit of using J#?
Public/Popular Websites using JavaServer Faces
Why can't I use a try block around my super() call?
Accessing post variables using Java Servlets
Personal Linux web server
Is this really widening vs autoboxing?
How can I Java webstart multiple, dependent, native libraries?
Why can't I call toString() on a Java primitive?
How do I use Java to read from a file that is actively being written?
What code analysis tools do you use for your Java projects?
IllegalArgumentException or NullPointerException for a null parameter?
How do I configure and communicate with a serial port?
What is the best way to parse strings in Java
Getting started with a custom JXTA PeerGroup
Creating a custom button in Java
How to get started "writing" a code coverage tool?
Which Build-/Configuration Management Tool?
What is the difference between an int and an Integer in Java/C#?
What is the meaning of the type safety warning in certain Java generics casts?
How would you access Object properties from within an object method?
Converting CSV File to XML in Java