Java guru question

L. Adrian Griffis adrian at nerds.org
Sat Jun 21 22:21:48 CDT 2003


On Sat, 21 Jun 2003, Jason Clinton wrote:
> L. Adrian Griffis wrote:
> Yes, more accurately, though, the JRE prompted about the certificate -- 
> not the browser. It was a metal Java window that popped up asking me to 
> approve a certificate from VeriSign.

Okay.  That suggests that it's not rejecting the first cert that
it finds.  Also, I've been digging into the ClassLoader methods
a bit, and it looks like they are careful to differentiate different
situations, so I am guessing the wording of the message was NOT
misleading.  It probably is complaining about a mismatch of certs.

> >In any case, I think this is not a simple matter of the security
> >manager not being configured to permit the same operations by an
> >applet.  This has something to do with a check for signatures so
> >that the applet could potentially be granted additional privileges.
> >The exception is originating in this check of signatures.
> >
> So, can I disable that checking via the aforementioned java.security 
> preferences file?

It looks like the call to "checkCerts" is being made within
"java.lang.ClassLoader".  I don't see anything in the API
for ClassLoader that suggests you can turn off cert checking.
I'm guessing "checkCerts" is a private method, and that this
is why I can't find API documentation for it.  The next two
classes that are involved are "ProtectionDomain" and "CodeSource".
The API docs for these two classes do not seem to suggest any
hooks through which we might configure their behavior.  The only
thing at all interesting I found was in the description of
"defineClass" in "ClassLoader".  Looks like it will skip the
cert checking if you don't pass a name, but I don't think we can
configure the calling classes not to pass a name.

It would be interesting to grab the ".jar" file that contains
the package in question, and see if it really contains problems
that would explain this exception, but I am not familiar with
the process of building a ".jar" file with all the right certs,
so I wouldn't know how to check it.

I'm stumped, for the moment, at least.

Adrian
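
One way to run the ".jar" check described in the message above, as an added example that is not part of the original post or of any JDK code: it groups the class entries of each package by which META-INF/*.SF signature files list them and reports packages whose classes do not share one signer set. The sample jar, its VENDOR signer name and its digest values are constructed, and the script reads signature-file coverage only; it does not verify the signatures.

```python
import io
import zipfile
from collections import defaultdict

def sf_entry_names(sf_text):
    """Entry names listed in one META-INF/*.SF signature file."""
    logical = []
    for line in sf_text.splitlines():
        if line.startswith(" ") and logical:  # leading space = continuation line
            logical[-1] += line[1:]
        else:
            logical.append(line)
    return {ln[len("Name: "):] for ln in logical if ln.startswith("Name: ")}

def signers_by_package(jar):
    """Map package -> {signer set: [class entries]} for a jar path or file object."""
    covered = defaultdict(set)  # entry name -> signature files that list it
    packages = defaultdict(lambda: defaultdict(list))
    with zipfile.ZipFile(jar) as zf:
        names = zf.namelist()
        for name in names:
            if name.upper().startswith("META-INF/") and name.upper().endswith(".SF"):
                signer = name.rsplit("/", 1)[-1][:-3]  # "META-INF/X.SF" -> "X"
                for entry in sf_entry_names(zf.read(name).decode("utf-8")):
                    covered[entry].add(signer)
    for name in names:
        if name.endswith(".class"):
            pkg = name.rpartition("/")[0]  # "" for the default package
            packages[pkg][frozenset(covered[name])].append(name)
    return packages

def mixed_packages(jar):
    """Packages whose classes do not all share one signer set."""
    return sorted(p for p, g in signers_by_package(jar).items() if len(g) > 1)

def build_sample_jar():
    """Constructed sample: com/example is only partly signed, org/ok fully."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for cls in ("com/example/A.class", "com/example/B.class", "org/ok/C.class"):
            zf.writestr(cls, b"\xca\xfe\xba\xbe")
        zf.writestr("META-INF/VENDOR.SF", "Signature-Version: 1.0\r\n\r\n"
                    "Name: com/example/A.class\r\nSHA1-Digest: AAAA\r\n\r\n"
                    "Name: org/ok/C.cl\r\n ass\r\nSHA1-Digest: BBBB\r\n\r\n")
    return io.BytesIO(buf.getvalue())

if __name__ == "__main__":
    print(mixed_packages(build_sample_jar()))
```

Running `jarsigner -verify -verbose -certs` on the same file shows the certificates behind each signer name.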



