Hello,
We have some legacy JAR files from a vendor that were previously distributed as an applet, but we'd now like to simplify as a web service.
While the code works when I run it natively within my Eclipse IDE, it fails when I attempt to call it from a web service client after exporting it as a WAR and deploying it on JBoss (5.0.1). The errors I'm getting are security related ("The jar file is not signed" and "WEB-INF/lib/****.jar is not signed by the specified signer.", depending on what modifications I make). Is there any way for me to tell my application server to ignore JAR signing for this project?
-
Why not sign the jars instead?
Neil McF : When I sign the jars, it doesn't seem to make any difference. If I don't sign the WAR I get "ERROR [STDERR] Login failed: Self-Integrity Check FAILED: java.lang.SecurityException: The jar file is not signed" (regardless if the JARs are signed or not) and if I do sign the WAR I get "ERROR [STDERR] Login failed: Self-Integrity Check FAILED: java.lang.SecurityException: WEB-INF/lib/enthttp.jar is not signed by the specified signer." (regardless if the JARs are signed or not)
-
My guess is that your jar has been signed (when it was distributed as an applet) and contains some garbage in META-INF. Remove *.SF, *.RSA, *.DSA from META-INF to "unsign" the jar if not needed.
Neil McF : I've tried removing the files from the META-INF, but when I do so I get a "Self-Integrity Check FAILED: java.lang.SecurityException: The jar file is not signed" error.
Pascal Thivent : What happens if you also delete the signing checksums from the manifest file (i.e. each "Name" and "SHA1-Digest" fields from META-INF/MANIFEST.MF)?
Pascal Thivent : Actually, I don't understand why you would have to sign this jar. What is this jar doing exactly? Does it contain code doing some kind of voodoo classloader magic?
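An added example, not part of the original thread: a structural check of which signing metadata a JAR carries, covering the META-INF signature files and the manifest digest fields mentioned in the answer and comments above. The JARs are constructed in memory, the entry names and digest value are made up, and the state labels are this example's own; nothing here verifies a signature.

```python
import io
import re
import zipfile

# Signature files that jarsigner writes into META-INF.
SIG_FILE = re.compile(r"^META-INF/[^/]+\.(?:SF|RSA|DSA|EC)$", re.IGNORECASE)
# Per-entry digest attributes in MANIFEST.MF, such as "SHA1-Digest: ...".
DIGEST_ATTR = re.compile(r"^[A-Za-z0-9-]+-Digest(?:-[A-Za-z0-9]+)?:", re.MULTILINE)


def signing_metadata(jar_bytes):
    """Report which signing metadata a JAR carries (structure only)."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = jar.namelist()
        sig_files = sorted(n for n in names if SIG_FILE.match(n))
        manifest = ""
        if "META-INF/MANIFEST.MF" in names:
            manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    digests = len(DIGEST_ATTR.findall(manifest))
    has_sf = any(n.upper().endswith(".SF") for n in sig_files)
    has_block = any(not n.upper().endswith(".SF") for n in sig_files)
    if has_sf and has_block:
        state = "signature-files-present"
    elif sig_files:
        state = "incomplete-signature-files"
    elif digests:
        state = "manifest-digests-only"
    else:
        state = "no-signing-metadata"
    return {"state": state, "signature_files": sig_files, "manifest_digests": digests}


def build_jar(entries):
    """Build a constructed sample JAR in memory from {entry name: content}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name, data in entries.items():
            jar.writestr(name, data)
    return buf.getvalue()


# Constructed samples: entry names and digest value are made up.
DIGESTS = ("Manifest-Version: 1.0\r\n\r\nName: com/example/Login.class\r\n"
           "SHA1-Digest: AAAAAAAAAAAAAAAAAAAAAAAAAAA=\r\n\r\n")
SIGNED = build_jar({"META-INF/MANIFEST.MF": DIGESTS, "META-INF/VENDOR.SF": "x",
                    "META-INF/VENDOR.RSA": b"x", "com/example/Login.class": b"\xca\xfe"})
STRIPPED = build_jar({"META-INF/MANIFEST.MF": DIGESTS,
                      "com/example/Login.class": b"\xca\xfe"})
CLEAN = build_jar({"META-INF/MANIFEST.MF": "Manifest-Version: 1.0\r\n\r\n",
                   "com/example/Login.class": b"\xca\xfe"})
```

To check the signatures of a real file cryptographically, use `jarsigner -verify` from the JDK.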