3 Replies Latest reply on Dec 27, 2004 2:27 PM by feldgen

    Signed Jars

    feldgen

      Hi,
      I did not find an appropriate forum for this question, but it's kind of security-related:

      I am using JBoss 3.0.6 and found out about two problems:

      1. If I put a signed jar into server/xxx/lib, JBoss will throw an exception if it is not the first jar being loaded (e.g. name it AAjarname.jar to get it to work)

      2. There is some problem with the verification of signed jars with specific directory-names jboss is located in...
      When I name the jboss-dir "jboss-3.0.6-bfa" I get the following message when accessing a class in this signed jar:
      class "XXXXX$MD5"'s signer information does not match signer information of other classes in the same package
      With renaming the jboss directory to something else everything works fine...
      This behaviour has not really been nice for me as it took me a day to find out about...
      Did anybody else have this specific error?

        • 1. Re: Signed Jars
          starksm64

          I don't have jboss-3.0.6 lying around so I tried using jboss-3.2.3 and signed the default/lib/{jbossha.jar,jboss.jar} and renamed them signed-jboss.jar signed-jbossha.jar so that they are not being loaded first and this starts up fine.

          I also tried renaming the jboss-3.2.3 dist as jboss-3.0.6-bfa and this did not show any different behavior so either it's an issue with 3.0.6 or I'm not reproducing the issue. Can you try jboss-3.2.3?

          This is on a winxp pro system running:
          [starksm@banshee bin]$ java -version
          java version "1.4.2_03"
          Java(TM) 2 Runtime Environment, Standard Edition (build 1.4.2_03-b02)
          Java HotSpot(TM) Client VM (build 1.4.2_03-b02, mixed mode)

          • 2. Re: Signed Jars
            feldgen

            Hi Scott,

            I will try jboss-3.2.3 but this will take some time...I'll post
            the results of this test.

            Btw, I am using Gentoo-Linux with sun-jdk-1.4.1_05

            Regards,

            Lutz Feldgen

            • 3. Re: Signed Jars
              feldgen

              Hi Scott,

              I completely forgot about this posting...

              I tested a while and it seems that the complete jboss-path is responsible for that issue. Maybe the classloaders do themselves to create this error, I will check the used Classloaders and their order of usage...

              regards,

              Lutz
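
Added example, not part of the thread and not JBoss code: the JVM raises the "signer information does not match" SecurityException when a class loader defines a class in a package whose earlier classes carried different signer certificates. This diagnostic lists packages whose classes carry more than one signer set across the jars given on the command line; the class name `PackageSignerCheck` is hypothetical, it assumes those jars are all served by the same class loader, and it needs Java 8 or later (newer than the JDKs mentioned above).

```java
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.cert.X509Certificate;
import java.util.*;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

// Added diagnostic (hypothetical class name). Usage: java PackageSignerCheck lib/*.jar
public class PackageSignerCheck {
    public static void main(String[] args) throws Exception {
        // package name -> signer description -> jars contributing classes with those signers
        Map<String, Map<String, Set<String>>> byPackage = new TreeMap<>();
        byte[] buf = new byte[8192];
        for (String path : args) {
            try (JarFile jar = new JarFile(path, true)) {          // true = verify signatures
                for (JarEntry entry : Collections.list(jar.entries())) {
                    String name = entry.getName();
                    if (!name.endsWith(".class")) continue;
                    // Signers are only populated once the entry has been read to the end;
                    // a tampered signed entry throws SecurityException here.
                    try (InputStream in = jar.getInputStream(entry)) {
                        while (in.read(buf) != -1) { /* drain */ }
                    }
                    int slash = name.lastIndexOf('/');
                    String pkg = slash < 0 ? "(default)" : name.substring(0, slash).replace('/', '.');
                    byPackage.computeIfAbsent(pkg, k -> new TreeMap<>())
                             .computeIfAbsent(describe(entry.getCodeSigners()), k -> new TreeSet<>())
                             .add(path);
                }
            }
        }
        // A package is at risk when its classes carry more than one distinct signer set.
        byPackage.forEach((pkg, signers) -> {
            if (signers.size() > 1) {
                System.out.println("MIXED SIGNERS in package " + pkg);
                signers.forEach((who, jars) -> System.out.println("    " + who + " <- " + jars));
            }
        });
    }

    // Stable text form of a signer set; null means the class is unsigned.
    static String describe(CodeSigner[] signers) {
        if (signers == null) return "unsigned";
        Set<String> names = new TreeSet<>();
        for (CodeSigner s : signers) {
            X509Certificate c = (X509Certificate) s.getSignerCertPath().getCertificates().get(0);
            names.add(c.getSubjectX500Principal().getName() + " serial=" + c.getSerialNumber().toString(16));
        }
        return names.toString();
    }
}
```

A package reported here only fails at run time if its classes are actually defined by one loader, so the output is a list of candidates to compare against the loader order.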