We have a vendor-provided Jar that contains a class we wish to extend and/or modify via AOP. The default Sun JVM security model does not allow code that is unsigned or signed by someone else to extend classes in a signed jar. We can easily remove the signatures from the jar file, but I would prefer to configure the JVM to ignore jar signing security measures. Can this be done? Note that we are in a very controlled environment, so we are relatively unconcerned with rogue code being inserted into vendor-supplied jars.
+2
A:
I'm not sure if this will work in your case, but it might. Write your own ClassLoader, not based on URLClassLoader; just extend ClassLoader and resolve your classes in your own way.
Load your classes with this classloader and apply your AOP magic; I might say it should work.
What I did was to implement a framework based on plugins, and I didn't want to sign every piece of code (library/plugin), just the boot libraries (the ones that load the application). Of course, the code that you run in your classloader must be trustable since you bypass some of the default security constraints.
adrian.tarau
2009-06-05 16:38:08
A good idea that I hadn't considered. For us, the benefit of turning off security is political in nature -- if the jars have the same checksums as those provided by the vendor, then the excuse of "you changed something therefore it's your fault" can't be as easily given when a support issue arises. An alternate classloader might be equal fodder for an escape attempt.
ShabbyDoo
2009-06-05 17:13:33
Well, if you want to extend a class which was not designed to be extended you might run into some problems and they could reject your request for support :) but if you know what you're doing it is just like providing a different implementation of some private classes.
adrian.tarau
2009-06-05 17:27:25
"...not designed to be extended..." more like "private code which doesn't fit your needs". Anyway, the best approach will be to ask them to provide a clean way to provide your own implementation for a specific part (not sure what the library does, but usually it should be possible to have multiple implementations).
adrian.tarau
2009-06-05 17:30:15
I agree. Our stuff is borderline abandonware in some cases, so we're trying to make the best of a bad situation.
ShabbyDoo
2009-06-06 03:48:23