英文:
Trustmanager not used when application is packaged
问题
这让我很头疼:我有一个小型的模块化JavaFX(TornadoFX)应用程序,运行在Java 14上。经过一番苦恼的模块系统设置(感谢Badass JLink插件(https://badass-jlink-plugin.beryx.org/releases/latest/)),我现在试图创建一个自包含的可执行文件。该插件使用jpackager生成可执行文件,它可以运行,但它不会使用(自定义的)信任管理器来进行SSL连接。
我有一个小型的自定义信任库文件,其中包含一些证书。这个文件在启动时加载到密钥库中,然后用于创建一个自定义TrustManager实例。然后,自定义TrustManager和默认TrustManager都合并为一个单独的TrustManager,它首先尝试使用自定义TrustManager验证证书,如果失败,则再次尝试使用默认的TrustManager。
当从IDE中运行应用程序(gradle run)时,这个功能正常运行。该应用程序使用WebView来显示远程登录页面,我可以在日志中看到TrustManager用于验证证书。之后,会发起一个Rest调用到某个终端点,再次调用信任管理器来检查证书。
然而,当我使用jpackager打包应用程序时,这个功能不起作用。现在,由于某种不明原因,TrustManager只用于WebView发起的连接,而不用于Rest调用。
我已经比较了打包运行时和IDE中使用的安全权限/策略,没有区别。
我真的对Java感到非常沮丧。首先是模块系统的痛苦,现在又是这个问题。我完全不知道可能是什么问题。
以下是一些日志。首先是打包版本:
08:27:11.202 [INFO ] [JavaFX Application Thread] com.bmw.swhrl.dm.ui.view.LoginView - Location: https://somewebsite.org
08:27:11.400 [INFO ] [URL-Loader-1] com.bmw.swhrl.dm.util.TrustManager - Chain
08:27:11.401 [INFO ] [URL-Loader-1] com.bmw.swhrl.dm.util.TrustManager - CN=<cert>
08:27:11.401 [INFO ] [URL-Loader-1] com.bmw.swhrl.dm.util.TrustManager - CN=<cert>
08:27:11.402 [INFO ] [URL-Loader-1] com.bmw.swhrl.dm.util.TrustManager - Stored
08:27:11.402 [INFO ] [URL-Loader-1] com.bmw.swhrl.dm.util.TrustManager - CN=<stored cert>
08:27:11.403 [INFO ] [URL-Loader-1] com.bmw.swhrl.dm.util.TrustManager - CN=<stored cert>
08:27:11.403 [INFO ] [URL-Loader-1] com.bmw.swhrl.dm.util.TrustManager - CN=<stored cert>
08:27:11.450 [INFO ] [URL-Loader-1] com.bmw.swhrl.dm.util.TrustManager - Accepted issuers
08:27:11.680 [INFO ] [JavaFX Application Thread] com.bmw.swhrl.dm.ui.view.LoginView - Location: http://localhost:8080/...
08:27:12.296 [INFO ] [tornadofx-thread-1] c.b.s.dm.ui.viewmodel.MainViewModel - Request: https://somewebsite/webapi/config
08:27:13.940 [INFO ] [tornadofx-thread-1] c.b.s.dm.ui.viewmodel.MainViewModel - Request: https://somewebsite/webapi/config
08:27:14.817 [INFO ] [tornadofx-thread-1] c.b.s.dm.ui.viewmodel.MainViewModel - Request: https://somewebsite/webapi/config
在Rest调用期间没有调用TrustManager。
现在是从IDE启动的版本:
08:30:24.413 [INFO ] [JavaFX Application Thread] com.bmw.swhrl.dm.ui.view.LoginView - Location: https://somewebsite.org
08:30:24.582 [INFO ] [URL-Loader-1] com.bmw.swhrl.dm.util.TrustManager - Chain
08:30:24.583 [INFO ] [URL-Loader-1] com.bmw.swhrl.dm.util.TrustManager - CN=<cert>
08:30:24.583 [INFO ] [URL-Loader-1] com.bmw.swhrl.dm.util.TrustManager - CN=<cert>
08:30:24.584 [INFO ] [URL-Loader-1] com.bmw.swhrl.dm.util.TrustManager - Stored
08:30:24.585 [INFO ] [URL-Loader-1] com.bmw.swhrl.dm.util.TrustManager - CN=<stored cert>
08:30:24.586 [INFO ] [URL-Loader-1] com.bmw.swhrl.dm.util.TrustManager - CN=<stored cert>
08:30:24.643 [INFO ] [URL-Loader-1] com.bmw.swhrl.dm.util.TrustManager - Accepted issuers
08:30:24.936 [INFO ] [JavaFX Application Thread] com.bmw.swhrl.dm.ui.view.LoginView - Location: http://localhost:8080/...
08:30:25.610 [INFO ] [tornadofx-thread-1] c.b.s.dm.ui.viewmodel.MainViewModel - Request: https://somewebsite/webapi/config
08:30:25.731 [INFO ] [tornadofx-thread-1] com.bmw.swhrl.dm.util.TrustManager - Chain
08:30:25.731 [INFO ] [tornadofx-thread-1] com.bmw.swhrl.dm.util.TrustManager - CN=<cert>
08:30:25.731 [INFO ] [tornadofx-thread-1] com.bmw.swhrl.dm.util.TrustManager - CN=<cert>
08:30:25.731 [INFO ] [tornadofx-thread-1] com.bmw.swhrl.dm.util.TrustManager - Stored
08:30:25.731 [INFO ] [tornadofx-thread-1] com.bmw.swhrl
<details>
<summary>英文:</summary>
This is driving me nuts: I have a small modular JavaFX (TornadoFX) application running with Java 14. After a lot of headaches getting the module system to work (thanks to the Badass JLink Plugin (https://badass-jlink-plugin.beryx.org/releases/latest/)) I'm now trying to get a self-contained executable for it. The Plugin uses jpackager to generate the executable and it runs, but it won't use the (custom) trust manager for SSL connections.
I have small custom truststore file with some certificates. This gets loaded into a keystore on startup, which in turn is used to create a custom TrustManager instance. Both the custom TrustManager and the default one are then combined into a single TrustManager, who first tries to validate a certificate using the custom TrustManager and, if this fails, tries again with the default one.
This works fine when running the app from the IDE (gradle run). The application uses a WebView to show a remote login page and I can see in the logs that the TrustManager is used to validate the certificates. After this, a Rest call is made to some endpoint and again the trustmanager is invoked to check the certificates.
However, this does not work when I package the application using jpackager. Now, for some obscure reason, the trustmanager is only used for the connection made by the WebView and not for the Rest call.
I've compared the security permissions / policies for the packaged runtime and the one used in the IDE, no differences.
I'm really getting frustrated with Java. First the pain with the module system, now this. I have absolutely no clue what could be the problem.
Here are some logs. First the packaged version:
08:27:11.202 [INFO ] [JavaFX Application Thread] com.bmw.swhrl.dm.ui.view.LoginView - Location: https://somewebsite.org
08:27:11.400 [INFO ] [URL-Loader-1] com.bmw.swhrl.dm.util.TrustManager - Chain
08:27:11.401 [INFO ] [URL-Loader-1] com.bmw.swhrl.dm.util.TrustManager - CN=<cert>
08:27:11.401 [INFO ] [URL-Loader-1] com.bmw.swhrl.dm.util.TrustManager - CN=<cert>
08:27:11.402 [INFO ] [URL-Loader-1] com.bmw.swhrl.dm.util.TrustManager - Stored
08:27:11.402 [INFO ] [URL-Loader-1] com.bmw.swhrl.dm.util.TrustManager - CN=<stored cert>
08:27:11.403 [INFO ] [URL-Loader-1] com.bmw.swhrl.dm.util.TrustManager - CN=<stored cert>
08:27:11.403 [INFO ] [URL-Loader-1] com.bmw.swhrl.dm.util.TrustManager - CN=<stored cert>
08:27:11.450 [INFO ] [URL-Loader-1] com.bmw.swhrl.dm.util.TrustManager - Accepted issuers
08:27:11.680 [INFO ] [JavaFX Application Thread] com.bmw.swhrl.dm.ui.view.LoginView - Location: http://localhost:8080/...
08:27:12.296 [INFO ] [tornadofx-thread-1] c.b.s.dm.ui.viewmodel.MainViewModel - Request: https://somewebsite/webapi/config
08:27:13.940 [INFO ] [tornadofx-thread-1] c.b.s.dm.ui.viewmodel.MainViewModel - Request: https://somewebsite/webapi/config
08:27:14.817 [INFO ] [tornadofx-thread-1] c.b.s.dm.ui.viewmodel.MainViewModel - Request: https://somewebsite/webapi/config
No calls to the trustmanager during the Rest call.
Now the version started from the IDE:
08:30:24.413 [INFO ] [JavaFX Application Thread] com.bmw.swhrl.dm.ui.view.LoginView - Location: https://somewebsite.org
08:30:24.582 [INFO ] [URL-Loader-1] com.bmw.swhrl.dm.util.TrustManager - Chain
08:30:24.583 [INFO ] [URL-Loader-1] com.bmw.swhrl.dm.util.TrustManager - CN=<cert>
08:30:24.583 [INFO ] [URL-Loader-1] com.bmw.swhrl.dm.util.TrustManager - CN=<cert>
08:30:24.584 [INFO ] [URL-Loader-1] com.bmw.swhrl.dm.util.TrustManager - Stored
08:30:24.585 [INFO ] [URL-Loader-1] com.bmw.swhrl.dm.util.TrustManager - CN=<stored cert>
08:30:24.586 [INFO ] [URL-Loader-1] com.bmw.swhrl.dm.util.TrustManager - CN=<stored cert>
08:30:24.643 [INFO ] [URL-Loader-1] com.bmw.swhrl.dm.util.TrustManager - Accepted issuers
08:30:24.936 [INFO ] [JavaFX Application Thread] com.bmw.swhrl.dm.ui.view.LoginView - Location: http://localhost:8080/...
08:30:25.610 [INFO ] [tornadofx-thread-1] c.b.s.dm.ui.viewmodel.MainViewModel - Request: https://somewebsite/webapi/config
08:30:25.731 [INFO ] [tornadofx-thread-1] com.bmw.swhrl.dm.util.TrustManager - Chain
08:30:25.731 [INFO ] [tornadofx-thread-1] com.bmw.swhrl.dm.util.TrustManager - CN=<cert>
08:30:25.731 [INFO ] [tornadofx-thread-1] com.bmw.swhrl.dm.util.TrustManager - CN=<cert>
08:30:25.731 [INFO ] [tornadofx-thread-1] com.bmw.swhrl.dm.util.TrustManager - Stored
08:30:25.731 [INFO ] [tornadofx-thread-1] com.bmw.swhrl.dm.util.TrustManager - CN=<stored cert>
08:30:25.731 [INFO ] [tornadofx-thread-1] com.bmw.swhrl.dm.util.TrustManager - CN=<stored cert>
08:30:25.731 [INFO ] [tornadofx-thread-1] com.bmw.swhrl.dm.util.TrustManager - CN=<stored cert>
08:30:25.732 [INFO ] [tornadofx-thread-1] com.bmw.swhrl.dm.util.TrustManager - Accepted issuers
Here the trustmanager is also called for the Rest call and the connection is made.
EDIT:
I've now tried to compare the packaged runtime with the one installed on my system and I've found out that if I copy the file C:\Program Files\Java\jdk-14\lib\modules to the packaged runtimes lib\ folder it's working. Still this does not help much as I do not know where this modules file comes from and why the one shipped with the packaged runtime is larger than the one found in my system wide installation, but maybe someone has an idea.
</details>
# 答案1
**得分**: 3
这个问题帮助我解决了这个问题:https://bugs.openjdk.java.net/browse/JDK-8221674
基本上,结果表明一些模块缺失,例如 jdk.crypto.ec 或一些处理 JSON 序列化/反序列化的模块。我现在已经在 jlink 选项中添加了 "--bind-services",看起来它正在工作。
<details>
<summary>英文:</summary>
This issue has helped me with this problem: https://bugs.openjdk.java.net/browse/JDK-8221674
Basically, it turned out that some modules were missing, e.g. jdk.crypto.ec or some module dealing with JSON serialization / deserialization. I've now added "--bind-services" the the jlink options and it looks like it's working.
</details>
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论