1 Reply Latest reply on Sep 11, 2013 3:31 PM by Alan.M

    7u40 or 7u21 mixed code  java.lang.ClassNotFoundException


      I have a simple applet which shows a graph; this applet has two jar file, the main jar file is signed by a trusted CA and the other jar file is unsigned

      in the manifest for the signed jar file, I have added

      Trusted-Library value="true"


      Whe applet starts from the java console when it tries to invoke a create object on the class from the unsigned jar file, I get java.lang.ClassNotFoundException for the given class from the unsigned jar.


      I have tried this on  window 7 Chrome and Internet explorer based on variety of Java 7 release (40, 21 on internet explorer and release 6 on Chrome)

      It does not work.


      If I signed the second jar file, it works fine.

      Please notice, I do not want to bypass the check for mix code from java configuration.


      Any idea or hint will be highly apprecieated. 

        • 1. Re: 7u40 or 7u21 mixed code  java.lang.ClassNotFoundException

          This is confirmed by the  post  https://forums.oracle.com/thread/2280127

          and it is confirmed by Oracle http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/mixed_code.html#trusted_library

          "Code in a jar file that is to be marked with the Trusted-Library manifest attribute may need to be modified slightly if it uses calls that are class loader dependent [...]
          Code in a Trusted-Library can look up the normal loader by invoking Thread.currentThread().getContextClassLoader().[...]
          Generally, care must be taken to ensure that the code in the trusted library is written in a careful and secure manner and is otherwise compatible with being loaded in a separate class loader instance from any remaining jars which are part of the application and are loaded by the normal loader."



          I just did a simple test to call a method from a trusted jar into sandbox jar, I used reflection to do that and it worked.

          It seems for every usage of any sandbox jar file classes in the trusted jar file, we have to use reflection ( load the class, invoke the required method ). Is this the way forward. Can somebody confirm this.


          private void useReflection()

                     // using normal class loader
                   Class<?> clazz = Class.forName("com.abc.bla.bla.SandBox", true, Thread.currentThread().getContextClassLoader());
                   Constructor<?> constructor = clazz.getConstructor();
                   Object obj = constructor.newInstance(new Object[] {});

                   Method method = clazz.getMethod("sayHello", new Class[] {});
                   method.invoke(obj, new Object[] {});
                catch (Exception ex)