2 Replies Latest reply on Sep 5, 2011 9:18 AM by walter_luetgenau

    Trusted-Library: true not working

      I don't get the Trusted-Library: true manifest working.

      To simplify things, I reduced the problem to a very simple example:

      In the example applet, I have an signed jar (signed-1.0-SNAPSHOT.jar) and an unsigned jar (unsigned-1.0-SNAPSHOT.jar). The signed jar contains the applet class (mixed/signed/SignedApplet.class), which in turn tries to instantiate a class from the unsigned jar (UnsignedLibrary) and call a method of it. When not using the Trusted-Library manifest attribute in the signed jar, I get the mixed code warning. If I select "No", it works, as expected. The same is true, when I sign both jars or unset the warning in the control panel.

      However, if I use the Trusted-Library manifest attribute in the signed jar, the applet will give me NoClassDefFoundError in the java console.

      I don't see any problems lately with this setting, so it is likely, I am missing something in my configuration, but I cannot find it.

      width="1000" height="500">

      <param name="cache_option" value="Plugin">
      <param name="cache_archive" value="unsigned-1.0-SNAPSHOT.jar,signed-1.0-SNAPSHOT.jar">
      <param name="cache_version" value=",">

      The same happens with

      width="1000" height="500">


      MANIFEST.MF of signed-1.0-SNAPSHOT.jar

      Manifest-Version: 1.0
      Trusted-Library: true
      Build-Jdk: 1.6.0_24
      Built-By: Walter Lütgenau
      Created-By: Apache Maven
      Archiver-Version: Plexus Archiver

      The SignedApplet.java

      package mixed.signed;

      import javax.swing.JApplet;
      import mixed.unsigned.UnsignedLibrary;

      public class SignedApplet extends JApplet
      public void start()
      UnsignedLibrary library = new UnsignedLibrary();
      System.out.println( library.getMessage() );


      package mixed.unsigned;

      public class UnsignedLibrary
      public String getMessage() {
      return "unsigned";


      Java Plug-in 1.6.0_26
      Using JRE version 1.6.0_26-b03 Java HotSpot(TM) Client VM
      User home directory = C:\Dokumente und Einstellungen\Walter Lütgenau
      c: clear console window
      f: finalize objects on finalization queue
      g: garbage collect
      h: display this help message
      l: dump classloader list
      m: print memory usage
      o: trigger logging
      q: hide console
      r: reload policy configuration
      s: dump system and deployment properties
      t: dump thread list
      v: dump thread stack
      x: clear classloader cache
      0-5: set trace level to <n>

      Exception in thread "thread applet-mixed/signed/SignedApplet.class-1" java.lang.NoClassDefFoundError: mixed/unsigned/UnsignedLibrary
           at mixed.signed.SignedApplet.start(SignedApplet.java:14)
           at sun.plugin2.applet.Plugin2Manager$AppletExecutionRunnable.run(Unknown Source)
           at java.lang.Thread.run(Unknown Source)
      Caused by: java.lang.ClassNotFoundException: mixed.unsigned.UnsignedLibrary
           at sun.plugin2.applet.Applet2ClassLoader.findClass(Unknown Source)
           at sun.plugin2.applet.Plugin2ClassLoader.loadClass0(Unknown Source)
           at sun.plugin2.applet.Plugin2ClassLoader.loadClass(Unknown Source)
           at sun.plugin2.applet.Plugin2ClassLoader.loadClass(Unknown Source)
           at java.lang.ClassLoader.loadClass(Unknown Source)
           ... 3 more

      This is the most simple usage of mixed code I can think of and still it does not work. What am I doing wrong, has anyone an idea? Did anyone get the Manifest attribute working, if true, can he give me a complete example, please?

      Edited by: 883189 on Sep 4, 2011 7:14 AM
        • 1. Re: Trusted-Library: true not working
          Trusted libraries are loaded by a class loader which is the parent of the class loader used for loading applet and WebStart application code. So the application can link to the trusted library, but the trusted library has its integrity maintained and can't be force to link to the untrusted code.

          However, the trusted library can still explicitly call application code via reflection. The normal class loader is available through the thread context class loader:
          Class.forName("mypackage.MyClass", false, Thread.currentThread().getClassLoader())
          • 2. Re: Trusted-Library: true not working
            Thank you for the quick reply.

            However, I don't get the point. Do you say, a trusted library cannot call an untrusted (= unsigned) library other than by reflection?

            Then how do I use the unsigned library from my applet? The problem is mixed code (= signed and unsigned jars), there should be a way to use the unsigned jars of 3rd party contributions. For example, I would have an applet and would like to create a PDF using itext. The itext jar is unsigned, how can I use it? The same is true for the apache libraries like commons etc.

            From http://download.oracle.com/javase/6/docs/technotes/guides/jweb/mixed_code.html, I understood, that the applet jar (= the jar, that contains the class inheriting from Applet and referred to in the "code" attribute of the applet tag), should be signed and have a manifest with attribute "Trusted-Library: true" set. Then it could use classes from unsigned jars. There may be some difficulties when using reflection (Class.forName, Resource.getBundle etc.), but in general it could use the untrusted libraries without change. The explanation of the new classloader hierarchy in that document did not match (the unsigned jars have been described there as being loaded by the applet classloader, which would be the child of the new trusted library class loader. So the classes of the trusted library would not see the untrusted classes as to my understanding) but the rest of the description pointed to that.

            Did I understand this incorrectly? Then how can I use the unsigned libraries? What I need is a simple, but complete example that is working, including the applet tag, two jars, one unsigned and one signed and the code of the source and the manifests of these jars. Can you scetch such an example or do you know of some?

            Anyway, thank you again for the response.

            Edited by: 883189 on Sep 5, 2011 2:17 AM