I have a Spring application that I want to distribute via Java Web Start. The application will need to be unsigned and thus sandboxed by JWS. However, all attempts to do so don't work as Spring fails to resolve xsd schemalocations in a sandboxed environment.
Here's a sample application that reproduces the problem:
HelloWorldJws.java:
```java
package org.foo;

import org.springframework.context.ApplicationContext;
import org.springframework.context.support.ClassPathXmlApplicationContext;

public class HelloWorldJws {

    public static void main(String[] args) {
        new HelloWorldJws().doIt();
    }

    private void doIt() {
        System.out.println("HelloWorldJws!");
        ApplicationContext ctx = new ClassPathXmlApplicationContext("/applicationContext-http-schema.xml");
        // ApplicationContext ctx = new ClassPathXmlApplicationContext("/applicationContext-classpath-schema.xml");
        SimpleServiceBean serviceBean = ctx.getBean(SimpleServiceBean.class);
        System.out.println("ServiceBean: " + serviceBean.getStringProp());
        System.out.println("Exiting...");
    }
}
```
SimpleServiceBean.java:
```java
package org.foo;

import org.springframework.stereotype.Service;

@Service
public class SimpleServiceBean {

    private String stringProp;

    public String getStringProp() {
        return stringProp;
    }

    public void setStringProp(String stringProp) {
        this.stringProp = stringProp;
    }
}
```
applicationContext-http-schema.xml:
```xml
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:context="http://www.springframework.org/schema/context"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
                           http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.1.xsd
                           http://www.springframework.org/schema/tool http://www.springframework.org/schema/tool/spring-tool-3.1.xsd">

    <context:annotation-config />
    <context:component-scan base-package="org.foo" />

</beans>
```
hello.jnlp:
```xml
<?xml version="1.0" encoding="UTF-8"?>
<jnlp spec="1.0+" href="hello.jnlp" version="1.5.0">
    <information>
        <title>Hello</title>
        <vendor>VENDOR</vendor>
        <homepage href="www.foo.org" />
        <offline-allowed>false</offline-allowed>
    </information>
    <update check="always" policy="always" />
    <application-desc name="Hello World Java Web Start" main-class="org.foo.HelloWorldJws">
    </application-desc>
    <security>
        <!-- <all-permissions/> -->
    </security>
    <resources>
        <j2se version="1.7+" href="http://java.sun.com/products/autodl/j2se"/>
        <jar href="build/libs/HelloWorldJws-1.0.0.jar" download="eager" />
        <jar href="dist/slf4j-api-1.5.6.jar" download="eager" />
        <jar href="dist/slf4j-log4j12-1.5.6.jar" download="eager" />
        <jar href="dist/log4j-1.2.15.jar" download="eager" />
        <jar href="dist/spring-beans-3.1.2.RELEASE.jar" download="eager" />
        <jar href="dist/spring-asm-3.1.2.RELEASE.jar" download="eager" />
        <jar href="dist/spring-context-3.1.2.RELEASE.jar" download="eager" />
        <jar href="dist/spring-core-3.1.2.RELEASE.jar" download="eager" />
        <jar href="dist/spring-expression-3.1.2.RELEASE.jar" download="eager" />
        <jar href="dist/com.springsource.slf4j.org.apache.commons.logging-1.5.6.jar" download="eager" />
    </resources>
</jnlp>
```
Output:
I get the following Security Warning dialog box popup from JWS:
tcawley-jws-spring.jpg
The JWS Console shows:
```
security: JAVAWS AppPolicy Permission requested for: file:/D:/dev4/HelloWorldJws/dist/spring-asm-3.1.2.RELEASE.jar
security: Add sandbox permissions
network: Connecting http://www.springframework.org/schema/beans/spring-beans-3.1.xsd with proxy=HTTP @ localhost/127.0.0.1:8888
network: Cache entry not found [url: http://www.springframework.org/crossdomain.xml, version: null]
network: Connecting http://www.springframework.org/crossdomain.xml with proxy=HTTP @ localhost/127.0.0.1:8888
network: Cache entry not found [url: http://www.springsource.org/crossdomain.xml, version: null]
network: Connecting http://www.springsource.org/crossdomain.xml with proxy=HTTP @ localhost/127.0.0.1:8888
network: Connecting http://www.springsource.org/crossdomain.xml with cookie "SESS3d5db4009c20f237ef34ad61b7610c98=mcpteb4sodh7cftidbstbjcpi1"
```
Note, I don't get these errors if I sign the jars and specify <all-permissions/> in the jnlp.
Moving on, I recall several posts that say you have to use classpath: xsd schemalocations. So I try:
HelloWorldJws.java:
```java
...
ApplicationContext ctx = new ClassPathXmlApplicationContext("/applicationContext-classpath-schema.xml");
...
```
applicationContext-classpath-schema.xml:
```xml
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:context="http://www.springframework.org/schema/context"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans classpath:org/springframework/beans/factory/xml/spring-beans-3.1.xsd
                           http://www.springframework.org/schema/context classpath:org/springframework/context/config/spring-context-3.1.xsd
                           http://www.springframework.org/schema/tool classpath:org/springframework/beans/factory/xml/spring-tool-3.1.xsd">

    <context:annotation-config />
    <context:component-scan base-package="org.foo" />

</beans>
```
Which fails with:
tcawley-jws-spring2.jpg
Again, if I sign the jars and specify <all-permissions/> in the jnlp, then it works and I see in Fiddler that I don't have any network connections to www.springframework.org.
Question:
Is it possible to use Spring in an application and Java Web Start it in an untrusted environment?
I seem to only get this problem when using annotation-based Spring (e.g., @Service, <context:annotation-config />, <context:component-scan base-package="org.foo" />), and not with traditional xml-bean-declaration Spring.
It seems as though JWS is restricting the classpath from Spring.
Thanks in advance!
Tom


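Added example, not part of the original post: Spring's PluggableSchemaResolver maps each schemaLocation URL to an XSD on the classpath through the META-INF/spring.schemas files in its jars, and the XML parser only fetches the URL over the network when no mapping is found. This diagnostic, run as the JNLP main-class in the same sandbox, reports which of the three schema URLs from applicationContext-http-schema.xml resolve locally; the class name SchemaMappingCheck is hypothetical.

```java
import java.io.InputStream;
import java.net.URL;
import java.util.Collections;
import java.util.Properties;

// Added diagnostic (hypothetical class name), not code from the original post.
public class SchemaMappingCheck {

    // Location Spring's PluggableSchemaResolver reads its URL -> classpath mappings from.
    static final String MAPPINGS = "META-INF/spring.schemas";

    // Merge every META-INF/spring.schemas file visible to the given class loader.
    static Properties loadMappings(ClassLoader cl) throws Exception {
        Properties merged = new Properties();
        for (URL url : Collections.list(cl.getResources(MAPPINGS))) {
            System.out.println("found " + url);
            try (InputStream in = url.openStream()) {
                merged.load(in); // Properties.load unescapes the "http\://" keys
            }
        }
        return merged;
    }

    // Says whether a schema URL maps to an XSD the class loader can open,
    // or why the XML parser would fall back to fetching the URL instead.
    static String resolve(Properties mappings, ClassLoader cl, String schemaUrl) {
        String path = mappings.getProperty(schemaUrl);
        if (path == null) {
            return "NO MAPPING (parser will fetch over the network)";
        }
        return cl.getResource(path) != null ? "local: " + path
                                            : "MAPPED BUT MISSING: " + path;
    }

    public static void main(String[] args) throws Exception {
        // Thread context class loader: what Spring uses by default for this lookup.
        ClassLoader cl = Thread.currentThread().getContextClassLoader();
        Properties mappings = loadMappings(cl);
        // The schemaLocation URLs from applicationContext-http-schema.xml above.
        String[] schemaUrls = {
            "http://www.springframework.org/schema/beans/spring-beans-3.1.xsd",
            "http://www.springframework.org/schema/context/spring-context-3.1.xsd",
            "http://www.springframework.org/schema/tool/spring-tool-3.1.xsd"
        };
        for (String u : schemaUrls) {
            System.out.println(u + " -> " + resolve(mappings, cl, u));
        }
    }
}
```

If no "found" line is printed in the Java Web Start console, the sandboxed class loader is not exposing the mapping files and every schema lookup will attempt an outbound connection.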
