JNLP + Applet + Bouncy Castle_问答_开发者_运维开发者技术经验分享

I have a JWS (Java Web Start) deployed applet, that uses the following libraries/jars:

red5.jar spring-beans.jar spring-context.jar spring-core.jar apache-mina.jar

bcprov-ext-jdk16-145 (Bouncy castle)

The reason I put all of those libraries in the applet is that the red5.jar requires you also have the others. However, BouncyCastle somehow doesn't get loaded by the ClassLoader, nor gets signed by Netbeans during compilation of the WebStart project. Any pointers how can I resolve that ?

Here is what I get if I include Bouncy Castle in my archive:

basic: exception: JAR resources in JNLP file are not signed by same certificate.
exception: JAR resources in JNLP file are not signed by same certificate.
JNLPException[category: Launch File Error : Exception: null : LaunchDesc

And here is what I get when I even DO NOT INCLUDE IT IN THE PROJECT:

com.sun.deploy.net.FailedDownloadException: Unable to load resource: file:/C:/JNA/dist/lib/bcprov-ext-jdk16-145.jar

I do not know which of the jars requires the Bouncy Castle jar, as it fails to indicate so in my IDE. In addition, even if I include the Bouncy Castle.jar in my project, Netbeans SHOULD sign it by default, but it doesn't, although it signs ALL other jars in my Web Start project. A quick check with jarsigner, however, indicates all jars, including Bouncy Castle, are signed, so I safely assume they are all signed, with the exception that Bouncy Castle is signed with another certificate.

And here is my question: should I try to sign all the files manually (so they all have the same certificate) or is the problem somewhere else (like BouncyCastle can't be signed in an applet, or something)?

Any pointers would be highly appreciated

EDIT:

I basically have TWO approaches, both failed up to now:

Approach 1. Extract each jar's directory tree and dump them together in a shared directory, then make a jar of this directory, so all the files in it are signed by the same certificate ( one jar, one certificate, right..) However, spring STILL expects the files to be organized like this: dist\libs\bcProv.jar, instead of dist\libs\allLibs.jar, where all libraries are dumped into the allLibs.jar. The approach fails miserably because spring can't find any of the libraries when deployed through JWS.

Approach 2. Sign all jars manually WITH the SAME certificate. After spending 10 minutes manually signing the ja开发者_高级运维rs, this approach also fails AND has the audacity to throw an error that bcProv.jar is NOT signed with the same certificate as the others.

I am puzzled, baffled and confused. Any ideas? Is it possible at all to have together in an JWS applet those jars:

red5.jar

spring-beans.jar

spring-context.jar

spring-core.jar

apache-mina.jar

bcprov-ext-jdk16-145

Ok, so here is the answer:

First of all, as Bloodboiler suggested, you are in trouble if your applet uses jars signed by different certificates. So your solution should be to sign them all with the same certificate.

You do have some possibilities here:

one is to extract all your project's jars and then combine them into a single jar and sign it. This doesn't work with Spring-context and BouncyCastle for some reason. I am sure if I had the nerve to fiddle with it, it would have worked.

another way is, like M.Joanis suggested, to use FatJar, but it also did not work for some reason. As for the method described above, I did not have the desire or inclination to spend too much time on it.

the third way, the one that WORKED, is to just verify the jars' in your dist directory's certificates. If they differ, you, as Bloodboiler suggested, are in trouble. The solution is to unsign the jars (extract, delete META-INF ) and then sign them ALL with the SAME certificate ( make jar your preferred way, then sign it your preferred way and make sure all the jars you use are signed by you (using jarsigner -verify -cert, etc...)). Then this whole mess should work.

I've had exactly the same problem, just with different jars. If I remember correctly, webstart has a bug in it that causes it to fail unless all jars have been signed with the same sertificate/ with only one certificate.

One solution is to extract library jars and include their content in your application jar, then sign just that jar.

Also had the same problem...

If you ever are using Eclipse as IDE, have a thought for FatJar... Really eases the packaging process. I publish JWS JARs with over 40 JAR dependencies included in them. I FatJar them, then sign the resulting JAR. Works like a charm.