AbcLinuxu:/ Poradna / Linuxová poradna / openjdk 1.8 Cannot grant permissions to unsigned jars.

Štítky: Dell, deployment, For, Java, net, problém, programování, signed, Windows

Dotaz: openjdk 1.8 Cannot grant permissions to unsigned jars.

24.5.2019 11:53 majales | skóre: 30 | blog: Majales
openjdk 1.8 Cannot grant permissions to unsigned jars.

Přečteno: 1464×

Odpovědět | Admin

Ahoj,

Snažím se připojit k dell drac konzoli, pomocí jnlp souboru, ale narážím security problém javy který neumím obejít. Nastavil jsem java.security podle doporučení.

Nastavil jsem povolení nepodepsaných appletů: do ~/.config/icedtea-web/deployment.properties

deployment.security.level=ALLOW_UNSIGNED

výsledkem ovšem je pouze tato java chyba:

net.sourceforge.jnlp.LaunchException: Fatal: Initialization Error: Could not initialize application. The application has not been initialized, for more information execute javaws from the command line.     
  at net.sourceforge.jnlp.Launcher.createApplication(Launcher.java:822)
  at net.sourceforge.jnlp.Launcher.launchApplication(Launcher.java:531) 
  at net.sourceforge.jnlp.Launcher$TgThread.run(Launcher.java:945) 
Caused by: net.sourceforge.jnlp.LaunchException: Fatal: Application Error: Cannot grant permissions to unsigned jars. Application requested security permissions, but jars are not signed.
  at net.sourceforge.jnlp.runtime.JNLPClassLoader$SecurityDelegateImpl.getClassLoaderSecurity(JNLPClassLoader.java:2481)     
  at net.sourceforge.jnlp.runtime.JNLPClassLoader.setSecurity(JNLPClassLoader.java:385)     
  at net.sourceforge.jnlp.runtime.JNLPClassLoader.initializeResources(JNLPClassLoader.java:806)     
  at net.sourceforge.jnlp.runtime.JNLPClassLoader.<>(JNLPClassLoader.java:338)     
  at net.sourceforge.jnlp.runtime.JNLPClassLoader.createInstance(JNLPClassLoader.java:421)     
  at net.sourceforge.jnlp.runtime.JNLPClassLoader.getInstance(JNLPClassLoader.java:495)     
  at net.sourceforge.jnlp.runtime.JNLPClassLoader.getInstance(JNLPClassLoader.java:468)     
  at net.sourceforge.jnlp.Launcher.createApplication(Launcher.java:814)     ... 2 more 
net.sourceforge.jnlp.LaunchException: Fatal: Initialization Error: Could not initialize application. The application has not been initialized, for more information execute javaws from the command line.     
  at net.sourceforge.jnlp.Launcher.createApplication(Launcher.java:822)     
  at net.sourceforge.jnlp.Launcher.launchApplication(Launcher.java:531)     
  at net.sourceforge.jnlp.Launcher$TgThread.run(Launcher.java:945) 
Caused by: net.sourceforge.jnlp.LaunchException: Fatal: Application Error: Cannot grant permissions to unsigned jars. Application requested security permissions, but jars are not signed.     
  at net.sourceforge.jnlp.runtime.JNLPClassLoader$SecurityDelegateImpl.getClassLoaderSecurity(JNLPClassLoader.java:2481)    
  at net.sourceforge.jnlp.runtime.JNLPClassLoader.setSecurity(JNLPClassLoader.java:385)   
  at net.sourceforge.jnlp.runtime.JNLPClassLoader.initializeResources(JNLPClassLoader.java:806)   
  at net.sourceforge.jnlp.runtime.JNLPClassLoader.<>(JNLPClassLoader.java:338)    
  at net.sourceforge.jnlp.runtime.JNLPClassLoader.createInstance(JNLPClassLoader.java:421)    
  at net.sourceforge.jnlp.runtime.JNLPClassLoader.getInstance(JNLPClassLoader.java:495)   
  at net.sourceforge.jnlp.runtime.JNLPClassLoader.getInstance(JNLPClassLoader.java:468)   
  at net.sourceforge.jnlp.Launcher.createApplication(Launcher.java:814) 
... 2 more

Nevěděli byste někdo co s tím? Zkoušel jsem ještě nastavit /etc/java-8-openjdk/security/java.policy

permission java.net.SocketPermission "localhost:443", "connect,resolve";
permission java.net.SocketPermission "localhost:5900", "connect,resolve";
permission java.net.SocketPermission "localhost:5901", "connect,resolve";

Ale zřejmě to není to samé co java exceptions na windows.

Nástroje: Začni sledovat (0) ?

Odpovědi

24.5.2019 22:05 Max | skóre: 72 | blog: Max_Devaine
Rozbalit Rozbalit vše Re: openjdk 1.8 Cannot grant permissions to unsigned jars.

Jseš si jist, že to má být do "~/.config/icedtea-web/deployment.properties"?
Nemá to být do : ".java/deployment/deployment.properties" ?
Nebo to máš jako symlink do "~/.config/icedtea-web/deployment.properties"?
Zdar Max

Měl jsem sen ... :(

25.5.2019 11:25 R
Rozbalit Rozbalit vše Re: openjdk 1.8 Cannot grant permissions to unsigned jars.

/etc/java-8-openjdk/security/java.security - upravit alebo rovno zakomentovat tieto riadky:

jdk.certpath.disabledAlgorithms

jdk.jar.disabledAlgorithms

jdk.tls.disabledAlgorithms

27.5.2019 09:46 majales | skóre: 30 | blog: Majales
Rozbalit Rozbalit vše Re: openjdk 1.8 Cannot grant permissions to unsigned jars.

Kdepak.. ani jedno nepomohlo.. Asi to dělám blbě.. Na webu jsem se dočetl o sandboxování, ale tohle mi dialog nenabízí.. Tohle je můj .jlnp soubor, který se snažím spustit:

<\?xml version="1.0" encoding="UTF-8"?>
<\jnlp codebase="https://localhost:443" spec="1.0+">
<\information>
<\title>DRAC5 Console Redirection Client<\/title>
<\vendor>Dell Inc.<\/vendor>
<\icon href="https://localhost:443/oma/images/logo.gif" kind="splash"/>
<\shortcut online="false"/>
<\/information>
<\application-desc main-class="com.avocent.drac5.kvm.Main">
<\argument>title=DRAC5 vKVM<\/argument>
<\argument>ip=localhost<\/argument>
<\argument>user=eeea9ddb4d763dc2ef560bfcd82630b3<\/argument>
<\argument>passwd=<\/argument>
<\argument>kmport=5900<\/argument>
<\argument>vport=5901<\/argument>
<\argument>apcp=0<\/argument>
<\argument>version=1<\/argument>
<\argument>sslv3=1<\/argument>
<\/application-desc>
<\security>
<\all-permissions/>
<\/security>
<\resources>
<\j2se version="1.6 1.5 1.4+"/>
<\jar href="plugins/vkvm/avctDRAC5Viewer.jar"/>
<\/resources>
<\resources os="Windows">
<\nativelib href="plugins/vkvm/avctKVMIOWin32.jar"/>
<\/resources>
<\resources os="Linux">
<\nativelib href="plugins/vkvm/avctKVMIOLinux.jar"/>
<\/resources>
<\/jnlp>

27.5.2019 19:34 k3dAR | skóre: 63
Rozbalit Rozbalit vše Re: openjdk 1.8 Cannot grant permissions to unsigned jars.

starsi/jinej prohlizec(pripadne do jnlp (vzdy po prihlaseni) ulozit na disk a pustit rucne a/nebo javu a/nebo od oracle ;-)

mel sem podobnej problem se starym Dell KVM, s openjdk se nedarilo, ale s oracle java6 jo (s oracle java8 ne)...

porad nemam telo, ale uz mam hlavu... nobody

28.5.2019 08:59 majales | skóre: 30 | blog: Majales
Rozbalit Rozbalit vše Re: openjdk 1.8 Cannot grant permissions to unsigned jars.

Ovšem jak spustit ručně? a který z nich? když to zkusím z cache, kde jsem ho podepsal tak řve že nemám jnlp soubor..

28.5.2019 09:06 R
Rozbalit Rozbalit vše Re: openjdk 1.8 Cannot grant permissions to unsigned jars.

Kokotina. DRAC5 (aj DRAC4) normalne funguje s OpenJDK 8. Len treba povolit tie "nebezpecne" algoritmy, aby java videla podpisy. Z browsera sa to spusta cez Java Web Start (javaws), ktory je asociovany so subormi jnlp, takze vysledok je uplne rovnaky ako pri rucnom spusteni.

28.5.2019 09:32 majales | skóre: 30 | blog: Majales
Rozbalit Rozbalit vše Re: openjdk 1.8 Cannot grant permissions to unsigned jars.

Ale to jsem zkoušel a nefunguje..

cat /etc/java-8-openjdk/security/java.security |grep "jdk.certpath.disabledAlgorithms=\|jdk.jar.disabledAlgorithms=\|jdk.tls.disabledAlgorithms="
#   jdk.certpath.disabledAlgorithms=MD2, DSA, RSA keySize < 2048
#jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, \
#jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, DSA keySize < 1024
#   jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
#jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, \
#jdk.jar.disabledAlgorithms=MD2, RSA keySize < 1024
#jdk.tls.disabledAlgorithms=DH keySize < 768
#jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize < 768, \ EC keySize < 224

a výsledek je:

javaws  /home/username/Downloads/vkvm.jnlp
selected jre: /usr/lib/jvm/default-java
WARNING: package javax.jnlp not in java.desktop
Unable to use Firefox's proxy settings. Using "DIRECT" as proxy type.
netx: Initialization Error: Could not initialize application. (Fatal: Application Error: Cannot grant permissions to unsigned jars. Application requested security permissions, but jars are not signed.)
net.sourceforge.jnlp.LaunchException: Fatal: Initialization Error: Could not initialize application. The application has not been initialized, for more information execute javaws from the command line.
	at net.sourceforge.jnlp.Launcher.createApplication(Launcher.java:822)
	at net.sourceforge.jnlp.Launcher.launchApplication(Launcher.java:531)
	at net.sourceforge.jnlp.Launcher$TgThread.run(Launcher.java:945)
Caused by: net.sourceforge.jnlp.LaunchException: Fatal: Application Error: Cannot grant permissions to unsigned jars. Application requested security permissions, but jars are not signed.
	at net.sourceforge.jnlp.runtime.JNLPClassLoader$SecurityDelegateImpl.getClassLoaderSecurity(JNLPClassLoader.java:2481)
	at net.sourceforge.jnlp.runtime.JNLPClassLoader.setSecurity(JNLPClassLoader.java:385)
	at net.sourceforge.jnlp.runtime.JNLPClassLoader.initializeResources(JNLPClassLoader.java:806)
	at net.sourceforge.jnlp.runtime.JNLPClassLoader.<\init>(JNLPClassLoader.java:338)
	at net.sourceforge.jnlp.runtime.JNLPClassLoader.createInstance(JNLPClassLoader.java:421)
	at net.sourceforge.jnlp.runtime.JNLPClassLoader.getInstance(JNLPClassLoader.java:495)
	at net.sourceforge.jnlp.runtime.JNLPClassLoader.getInstance(JNLPClassLoader.java:468)
	at net.sourceforge.jnlp.Launcher.createApplication(Launcher.java:814)
	... 2 more

Oni jsou podepsané, ale platnost podpisu končí cca 2013..

java -version
openjdk version "1.8.0_212"
OpenJDK Runtime Environment (build 1.8.0_212-8u212-b03-0ubuntu1.18.04.1-b03)
OpenJDK 64-Bit Server VM (build 25.212-b03, mixed mode)

28.5.2019 10:44 R
Rozbalit Rozbalit vše Re: openjdk 1.8 Cannot grant permissions to unsigned jars.

Aku verziu firmware ma DRAC?

$ javaws /tmp/mozilla_blabla0/vkvm.jnlp
java.security.AccessControlException: access denied ("java.io.FilePermission" "/usr/bin/xprop" "execute")
        at java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
        at java.security.AccessController.checkPermission(AccessController.java:884)
        at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
        at java.lang.SecurityManager.checkExec(SecurityManager.java:796)
        at java.lang.ProcessBuilder.start(ProcessBuilder.java:1018)
        at java.lang.Runtime.exec(Runtime.java:620)
        at java.lang.Runtime.exec(Runtime.java:450)
        at java.lang.Runtime.exec(Runtime.java:347)
        at org.GNOME.Accessibility.AtkWrapper.<clinit>(AtkWrapper.java:34)
        at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
        at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
        at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
        at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
        at java.lang.Class.newInstance(Class.java:442)
        at java.awt.Toolkit.loadAssistiveTechnologies(Toolkit.java:805)
        at java.awt.Toolkit.getDefaultToolkit(Toolkit.java:886)
        at javax.swing.UIManager.getSystemLookAndFeelClassName(UIManager.java:611)
        at net.sourceforge.jnlp.runtime.JNLPRuntime.initialize(JNLPRuntime.java:218)
        at net.sourceforge.jnlp.runtime.Boot.init(Boot.java:326)
        at net.sourceforge.jnlp.runtime.JnlpBoot.run(JnlpBoot.java:58)
        at net.sourceforge.jnlp.runtime.Boot.run(Boot.java:245)
        at net.sourceforge.jnlp.runtime.Boot.run(Boot.java:63)
        at java.security.AccessController.doPrivileged(Native Method)
        at net.sourceforge.jnlp.runtime.Boot.main(Boot.java:195)
This application does not specify a Codebase in its manifest. Please verify with the applet's vendor. Continuing. See: http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/security/no_redeploy.html for details.
This application does not specify a Codebase in its manifest. Please verify with the applet's vendor. Continuing. See: http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/security/no_redeploy.html for details.
Application title was not found in manifest. Check with application vendor
Application title was not found in manifest. Check with application vendor
Application title was not found in manifest. Check with application vendor
Application title was not found in manifest. Check with application vendor
Application title was not found in manifest. Check with application vendor
Application title was not found in manifest. Check with application vendor
Application title was not found in manifest. Check with application vendor
Application title was not found in manifest. Check with application vendor
Application title was not found in manifest. Check with application vendor
Application title was not found in manifest. Check with application vendor
Application title was not found in manifest. Check with application vendor
Application title was not found in manifest. Check with application vendor
Application title was not found in manifest. Check with application vendor
Application title was not found in manifest. Check with application vendor
Application title was not found in manifest. Check with application vendor
Application title was not found in manifest. Check with application vendor
Application title was not found in manifest. Check with application vendor
Application title was not found in manifest. Check with application vendor
 Packet log written to: /home/blabla/c:\javaViewer.log
==== propertyChange: (SESSION_STATE):CONNECTING====
05/28/2019 10:33:45:595:  SSL: context protocol = SSLv3
05/28/2019 10:33:45:726:    SSLv2Hello
05/28/2019 10:33:45:752:    SSLv3
05/28/2019 10:33:45:770:    TLSv1
05/28/2019 10:33:45:791:    TLSv1.1
05/28/2019 10:33:45:800:    TLSv1.2
05/28/2019 10:33:45:834:  ======connectToPort======
05/28/2019 10:33:46:003: User Login Request: 0x100
05/28/2019 10:33:46:082:  ======connectToPort - sendRequest======
05/28/2019 10:33:46:108: packet type( 0x100)
05/28/2019 10:33:46:091:  SSL: checkServerTrusted() called.
05/28/2019 10:33:46:190:  SSL: getAcceptedIssuers() called. Sending packet: com.avocent.kvm.e.a.bf@96a35c (8, 208).
...

$ java -version
openjdk version "1.8.0_212"
OpenJDK Runtime Environment (build 1.8.0_212-8u212-b01-1~deb9u1-b01)
OpenJDK Server VM (build 25.212-b01, mixed mode)

$ jarsigner -verify -verbose avctDRAC5Viewer.jar | tail -n 1
The signer certificate expired on 2013-08-31. However, the JAR will be valid until the timestamp expires on 2024-03-03.

28.5.2019 10:55 majales | skóre: 30 | blog: Majales
Rozbalit Rozbalit vše Re: openjdk 1.8 Cannot grant permissions to unsigned jars.

RAC Information
	Name	DRAC 5
	Product Information	Dell Remote Access Controller 5
	Hardware Version	A00
	Firmware Version	1.60 (11.03.03)
	Firmware Updated	Wed Nov 13 15:09:04 2013
	RAC Time	Tue May 28 10:02:09 2019

28.5.2019 11:15 majales | skóre: 30 | blog: Majales
Rozbalit Rozbalit vše Re: openjdk 1.8 Cannot grant permissions to unsigned jars.

Když to zkuším přímo z Firefoxu.. tak nevím proč mi píše:

java.vm.version: 11.0.3+7-Ubuntu-1ubuntu218.04.1

přitom je nastavená java 8 pomocí sudo update-alternatives --config java

28.5.2019 12:24 R
Rozbalit Rozbalit vše Re: openjdk 1.8 Cannot grant permissions to unsigned jars.

Skus upgradovat na poslednu 1.65:

https://www.dell.com/support/home/us/en/04/drivers/driversdetails?driverid=7mdxw

28.5.2019 12:55 majales | skóre: 30 | blog: Majales
Rozbalit Rozbalit vše Re: openjdk 1.8 Cannot grant permissions to unsigned jars.

Bohužel na tom serveru jede produkce, a záložní momentálně není.. takže upgradovat jentak nemůžu... :-(

28.5.2019 13:08 j
Rozbalit Rozbalit vše Re: openjdk 1.8 Cannot grant permissions to unsigned jars.

Draca muzes vpohode za chodu, system jako takovej to nijak neovlivnuje, restartne se to ale jen ten drac. V nejhorsim ti pojde prave a jen drac, ostatne proto to tam je.

Kazdopadne starsi java (6/7) by fungovala IMO lip. Kvuli temhle vyfikundacim (uzasne bezpecny browsery bez podpory rc4, web start ...) mam uz nekolik virtualnich stroju, se starejma verzema javy a browseru (ruzny verze javy se totiz nesnesou i vzajemne ...). A bude to jen horsi a horsi.

28.5.2019 14:32 majales | skóre: 30 | blog: Majales
Rozbalit Rozbalit vše Re: openjdk 1.8 Cannot grant permissions to unsigned jars.

To si právě nemůžu dovolit.. server mám ve správě už asi 4 roky, ale ještě jsem ho neviděl, do serverovny nemám přístup. Nejblíže jsem byl od serverovny asi 2km když jsem jel po dálnici. Konzole moc často není potřeba, ale někdy se hodí, třeba pro změnu IP stroje.. Na starém nb s windows mi to chodí, ale instalovat kvůli tomu win do virtuálu mi přijde jako overkill.. zkusím ubuntu virtuál s javou 6 nebo 7.

28.5.2019 16:48 kolega
Rozbalit Rozbalit vše Re: openjdk 1.8 Cannot grant permissions to unsigned jars.

takhle to taky resim, ubuntu 12 lxde s openjdk

28.5.2019 20:26 R
Rozbalit Rozbalit vše Re: openjdk 1.8 Cannot grant permissions to unsigned jars.

Presne tak, DRACy aj iLO upgradujem pocas beznej prevadzky a nikdy sa nic nestalo.

Kvoli DRAC4 mam v home rozbaleny Firefox 45.9 (a k nemu samostatny profil). Z Javy som rozchodil vsetko aj v OpenJDK 8 (DRAC, EMC NaviSphere/UniSphere, Brocade). Akurat teraz z Debianu 9 odstranili icedtea-plugin, tak som si z poslednej verzie balika skopiroval IcedTeaPlugin.so do profilu toho stareho Firefoxu (adresar plugins/) a funguje mi to nadalej.

Založit nové vlákno • Nahoru

Tiskni Sdílej: