Missing code signer information for third party JAR [message #1737647]
Mon, 11 July 2016 14:41
Martin Aulich (Messages: 2, Registered: July 2016, Junior Member)

Hello everybody,
I have a question regarding signed third party JARs in OSGI Bundles. It is about a custom ODA datasource for BIRT, but since I suspect my problem to be about the classloading, I used this forum - if I'm mistaken please shoot and I'll move the post.
My Goal:
Developing a BIRT ODA data source (as an OSGI bundle) which connects to a third party software. This software comes with a Java API, which is distributed in a signed JAR file. Furthermore, this software enforces security checks to make sure that sensitive methods of the API are just called from their own (signed) classes. Hence they check the caller's signature (see: docs.oracle.com/javase/7/docs/api/java/lang/Class.html#getSigners()).
What I did so far:
I created an OSGI bundle via maven, which contained my custom classes as well as the third party JAR. To make sure the classloading works, I have added the JAR to my bundle's class path using the following line in my manifest (the whole manifest can be found attached):
Bundle-ClassPath: target/lib/fs-access-5.2.311.jar,.
The manifest of the third party JAR looks like this (I have stripped out the sensitive parts):
Manifest-Version: 1.0
Implementation-Title: ...
Implementation-Version: ...
Specification-Vendor: ...
Application-Name: ...
...-Revision: ...
Created-By: 1.7.0_80-b15 (Oracle Corporation)
...-BuildTime: 28.01.2016 12:13:18
...-Branch:
...-ReleaseTag: R3
Implementation-Vendor: ...
Ant-Version: Apache Ant 1.9.4
Trusted-Library: true
...-Version: 5.2.311
Permissions: all-permissions
Specification-Title: ...
Specification-Version: ...
Main-Class: de/.../.../client/SomeClass
Codebase: *
Name: de/.../or/query/Constraint.class
SHA1-Digest: nN9F/bXjncHe0sZsRJehnnvo5/4=
I'm using a fresh BIRT bundled eclipse to test my bundle, no additional configuration made. At least none that I'm aware of.
My Problem:
The bundle can be compiled, packaged and deployed to the BIRT eclipse instance without any problems. The classes of the third party JAR can be resolved and if I'm printing the classloader it says EquinoxClassLoader...
But as soon as I call sensitive API code (which invokes a security check) I'm getting an Exception like this:
Exception in thread "main" java.lang.SecurityException: Access denied to full.qualified.ClassName! Class full.qualified.ClassName has missing or invalid signature!
Also when I'm manually retrieving the signer information via docs.oracle.com/javase/7/docs/api/java/lang/Class.html#getSigners(), it won't work and I'm getting null.
I've worked with this API JAR for a very long time in standalone applications and web applications without any issue, but I'm quite new to OSGI.
Can you please help me and suggest potential workarounds/means for a more detailed error analysis?
Thanks a lot in advance,
Martin
-
Attachment: MANIFEST.MF
(Size: 0.56KB, Downloaded 170 times)
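
For the "more detailed error analysis" asked about above, one way to separate "the JAR file is not validly signed" from "the class loader did not attach the signers" is to compare both views. This is an added example, not part of the original post or of the third-party API; the class name SignerDiagnostics and its method names are hypothetical.

```java
import java.io.InputStream;
import java.security.CodeSource;
import java.security.ProtectionDomain;
import java.security.cert.Certificate;
import java.util.Enumeration;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

public class SignerDiagnostics { // hypothetical helper, not from the original post

    /** Prints what the defining class loader attached to an already loaded class. */
    static void describeLoadedClass(Class<?> c) {
        System.out.println("class       : " + c.getName());
        System.out.println("classloader : " + c.getClassLoader());
        Object[] signers = c.getSigners();
        System.out.println("getSigners  : " + (signers == null ? "null" : signers.length + " signer(s)"));
        ProtectionDomain pd = c.getProtectionDomain();
        CodeSource cs = pd == null ? null : pd.getCodeSource();
        System.out.println("code source : " + (cs == null ? "null" : String.valueOf(cs.getLocation())));
        Certificate[] certs = cs == null ? null : cs.getCertificates();
        System.out.println("certificates: " + (certs == null ? "null" : String.valueOf(certs.length)));
    }

    /** Verifies the JAR file itself; returns the number of .class entries that carry no signer. */
    static int countUnsignedClasses(String jarPath) throws Exception {
        int unsigned = 0;
        byte[] buf = new byte[8192];
        try (JarFile jar = new JarFile(jarPath, true)) { // true = verify signatures while reading
            Enumeration<JarEntry> entries = jar.entries();
            while (entries.hasMoreElements()) {
                JarEntry e = entries.nextElement();
                if (e.isDirectory() || !e.getName().endsWith(".class")) continue;
                try (InputStream in = jar.getInputStream(e)) {
                    // Signers are only available once the entry has been read to the end;
                    // a digest mismatch surfaces here as a SecurityException.
                    while (in.read(buf) != -1) { }
                }
                if (e.getCodeSigners() == null) unsigned++;
            }
        }
        return unsigned;
    }

    public static void main(String[] args) throws Exception {
        // args[0]: fully qualified name of an API class, args[1]: path to the signed JAR
        describeLoadedClass(Class.forName(args[0]));
        System.out.println("unsigned .class entries in " + args[1] + ": " + countUnsignedClasses(args[1]));
    }
}
```

Inside the bundle, call describeLoadedClass(...) from the bundle's own code with an API class literal so the class is resolved through the bundle class loader. If countUnsignedClasses reports 0 for the JAR while getSigners and the code source certificates are null for the loaded class, the JAR is intact and the signer information was lost at class-definition time.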