1 Reply Latest reply: Sep 11, 2013 10:31 AM by Alan.M RSS

    7u40 or 7u21 mixed code  java.lang.ClassNotFoundException

    Alan.M


      I have a simple applet which shows a graph; this applet has two jar file, the main jar file is signed by a trusted CA and the other jar file is unsigned

      in the manifest for the signed jar file, I have added

      Trusted-Library value="true"

       

      Whe applet starts from the java console when it tries to invoke a create object on the class from the unsigned jar file, I get java.lang.ClassNotFoundException for the given class from the unsigned jar.

       

      I have tried this on  window 7 Chrome and Internet explorer based on variety of Java 7 release (40, 21 on internet explorer and release 6 on Chrome)

      It does not work.

       

      If I signed the second jar file, it works fine.

      Please notice, I do not want to bypass the check for mix code from java configuration.

       

      Any idea or hint will be highly apprecieated. 

        • 1. Re: 7u40 or 7u21 mixed code  java.lang.ClassNotFoundException
          Alan.M

          This is confirmed by the  post  https://forums.oracle.com/thread/2280127

          and it is confirmed by Oracle http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/mixed_code.html#trusted_library

          "Code in a jar file that is to be marked with the Trusted-Library manifest attribute may need to be modified slightly if it uses calls that are class loader dependent [...]
          Code in a Trusted-Library can look up the normal loader by invoking Thread.currentThread().getContextClassLoader().[...]
          Generally, care must be taken to ensure that the code in the trusted library is written in a careful and secure manner and is otherwise compatible with being loaded in a separate class loader instance from any remaining jars which are part of the application and are loaded by the normal loader."

           

          "Thread.currentThread().getContextClassLoader().[...]" 

          I just did a simple test to call a method from a trusted jar into sandbox jar, I used reflection to do that and it worked.

          It seems for every usage of any sandbox jar file classes in the trusted jar file, we have to use reflection ( load the class, invoke the required method ). Is this the way forward. Can somebody confirm this.

           

          private void useReflection()
             {
                try
                {

                     // using normal class loader
                   Class<?> clazz = Class.forName("com.abc.bla.bla.SandBox", true, Thread.currentThread().getContextClassLoader());
                   Constructor<?> constructor = clazz.getConstructor();
                   Object obj = constructor.newInstance(new Object[] {});

                   Method method = clazz.getMethod("sayHello", new Class[] {});
                   method.invoke(obj, new Object[] {});
                }
                catch (Exception ex)
                {
                   ex.printStackTrace();
                }

             }