Fixing the security exception : "class /"" + packageName + "/" does not match trust level of other classes in the same package"

最近遇到了这样的一个问题，一个JWS程序，在JRE1.6.0_13上运行没有问题，但是在JRE1.6.0_22上运行就会报出如下异常，

 

java.lang.SecurityException: class “org.apache.log4j.Logger” does not match trust level of other classes in the same package

 

1. 在oracle网站发现一个说明，

http://download.oracle.com/javase/6/docs/technotes/guides/jweb/mixed_code.html

 

在update19以后会有这个问题。

 

2. 在stackoverflow问了下，http://stackoverflow.com/questions/4680823/java-lang-securityexception-class-org-apache-log4j-logger-does-not-match-trust

 

原因是extension的JNLP没有指定security，加上后解决。

 

3. 开java console的debug，

 

We can see more detail information by enabling the debug info of java console by adding following statement in the deployment.properties under “D:/Documents and Settings/login/Application Data/Sun/Java/Deployment”, the directory varies with your PC. For more detail, refer to http://download.oracle.com/javase/1.5.0/docs/guide/deployment/deployment-guide/properties.html

 

deployment.trace.level=all

 

After enabling this option, we can see much much more info in the java console, which will benefit our debugging a lot. Here is a fragment of the debugging info (before JNLP files change).

 

security: JAVAWS AppPolicy Permission requested for: https://localhost/jars/log4j-1.2.12.jar

security: Add sandbox permissions

security: JAVAWS AppPolicy Permission requested for: https://localhost/jars/jfreechart-1.0.0.jar

security: Add sandbox permissions

…

security: JAVAWS AppPolicy Permission requested for: https://localhost/jars/sessierstub.jar

security: Istrusted: https://localhost/a.jnlp true

security: JAVAWS AppPolicy Permission requested for: https://localhost/jars/libsmmon.jar

security: Istrusted: https://localhost/b.jnlp true

security: JAVAWS AppPolicy Permission requested for: https://localhost/jars/libamv.jar

security: Istrusted: https://localhost/b.jnlp true

security: resource name "org/apache/log4j/Logger.class" in https://localhost/jars/log4j-1.2.12.jar : java.lang.SecurityException: class "org.apache.log4j.Logger" does not match trust level of other classes in the same package

4. The relationship between the security configuration and the jar signature status is shown in following table.

 

<security>

       <all-permissions/>

</security-->

<!--security>

       <all-permissions/>

</security-->

Signed jar file

basic: Main-class: Jar1

cache:  Read manifest for http://localhost:8080/T/jar1_mix.jar: read=347 full=347

security: JAVAWS AppPolicy Permission requested for: http://localhost:8080/T/jar1_mix.jar

security: Istrusted: http://localhost:8080/T/test.jnlp true

security: JAVAWS AppPolicy Permission requested for: http://localhost:8080/T/jar1_mix.jar

security: Istrusted: http://localhost:8080/T/test.jnlp true

network: Connecting socket://127.0.0.1:1964 with proxy=DIRECT

I am in org.apache.log 1

 

hello

basic: Main-class: Jar1

security: JAVAWS AppPolicy Permission requested for: http://localhost:8080/T/jar1_mix.jar

security: Add sandbox permissions

security: resource name "Jar1.class" in http://localhost:8080/T/jar1_mix.jar : java.lang.SecurityException: attempted to open sandboxed jar http://localhost:8080/T/jar1_mix.jar as a Trusted-Library

#### Java Web Start Error:

#### attempted to open sandboxed jar http://localhost:8080/T/jar1_mix.jar as a Trusted-Library

Unsigned jar file

#### Java Web Start Error:

#### Found unsigned entry in resource: http://localhost:8080/T/jar1.jar

basic: Main-class: Jar1

cache: Reading Signers from 0 http://localhost:8080/T/jar1.jar | D:/Documents and Settings/hosun/Application Data/Sun/Java/Deployment/cache/6.0/51/26f984b3-48893e42.idx

network: No certificate info for unsigned JAR file: http://localhost:8080/T/jar1.jar

network: No certificate info for unsigned JAR file: http://localhost:8080/T/jar1.jar

cache:  Read manifest for http://localhost:8080/T/jar1.jar: read=63 full=63

security: JAVAWS AppPolicy Permission requested for: http://localhost:8080/T/jar1.jar

security: Add sandbox permissions

security: JAVAWS AppPolicy Permission requested for: http://localhost:8080/T/jar1.jar

security: Add sandbox permissions

network: Connecting socket://127.0.0.1:1931 with proxy=DIRECT

I am in org.apache.log 1

 

hello

 

5. Java console log contents can be saved, make sure the options are enabled(控制面板=>Java=>advanced=>debug). The logs are located in D:/Documents and Settings/login/Application Data/Sun/Java/Deployment/log

6. For more information about JNLP and Java Web Start,

http://mindprod.com/jgloss/javawebstart.html

http://lopica.sourceforge.net/faq.html

http://download.oracle.com/javase/1.5.0/docs/guide/javaws/developersguide/faq.html

http://download.oracle.com/javase/1.5.0/docs/guide/javaws/developersguide/troubleshooting.03.06.html

http://download.oracle.com/javase/1.5.0/docs/guide/javaws/developersguide/contents.html contains the JNLP spec.