问题
I recently stumbled across a problem when starting my application via JNLP. I now narrowed it down to a java.security.AccessControlException, which denies me to shut down my ExecuterService.
So, I did some reading and found out that I'll need the permission (modifyThread) to successfully shut down the service. I also found out that I should use the <security>-tag (in the JNLP-file) to request it, but I'm a little confused about how.
The documentation of the tag says:
[...] If the
all-permissionselement is specified, the application will have full access to the client machine and local network. If an application requests full access, then all JAR files must be signed. The user will be prompted [...]
From reading this it seems to me, that I can choose to either get all or no permissions... which seems like a confusing Implementation. Because I only need the one to shutdown my service.
I also read this article, telling me that I should not request all permissions, because I would then open up the users computer for malicious code.
So, is there a way to specify that I only need the specific permission (modifyThread) and I therefor don't need to sign my jar? Or will I have to go with the "sign my jar and request everything"-approach?
回答1:
..will I have to go with the "sign my jar and request everything"-approach?
Yes. JWS permissions come in 3 levels1, the only one where modifying threads is permitted, is all-permissions.
1) JWS security levels
- Sand-boxed. Provides a very limited environment. Access to things like printers and the local file-system is only permitted using the JNLP API services, which provide more limited forms of
Fileafter prompting the user. Come with window banners. Can only communicate with own server. j2ee-application-client-permissions- provide those JNLP API services unprompted (after the user accepts the digitally signed code) removes the window banners.all-permissions- pretty much anything, including replacing the existing security manager (yes, even 'all permissions' code gets a security manager in JWS - it is just very lenient).
Also chase the links from the JNLP & JWS pages. I can personally recommend those summaries & links.
来源:https://stackoverflow.com/questions/10918777/jnlp-get-a-permission