Java jar:sealed in Manifest

As mentioned in the previous article, you can specify whether certain packages are sealed by using the sealed property in the Manifest.mf file. So what exactly is sealed, and how do you understand it?

For sealed, the official documents are as follows:

    JAR files and packages can is optionally sealed so, a package can enforce consistency within a version.    A package sealed within a jar specifies this all classes defined in so package must originate from the same JAR. Otherwise, a SecurityException is thrown.    If a package specifies sealed through the jar file manifest, then all classes under this packet must be from the same jar file. Otherwise, a SecurityException is thrown out.

To solve this puzzle, do a few tests to understand sealed by testing:

Section 1 Step : Write two classes in a package: ClassA, ClassB:

Under the Com.fjn.java.util package are:

ClassA:

 PackageCom.fjn.java.util.jar;/** *  * @author[email protected] July 10, 2015 **/ Public classClassA {String ID= "100"; String name= "Hello";  Public voidShowinfo () {System.out.println ( This); } @Override PublicString toString () {return"ID:" + This. ID + ", Name:" + This. Name; }}

  

ClassB:

 Package Com.fjn.java.util.jar; /**  *   @author  */Publicclass  ClassB    {publicstatic void Main (string[] args) {        ClassA obj=new  ClassA ();        Obj.name= "Hello, Java sealed";        Obj.showinfo ();    }}

Section 2 Step : Package and set not sealed

Now packaged in two packages (not sealed when packaged):

1) only ClassA into the package, packaged as Java_sealed_v1.jar

2) package The Com.fjn.java.util as a whole, the name is: Java_sealed_v2.jar

List of Java_sealed_v1.jar:

Manifest-version:1.0name:com/fjn/java/util/jar/sealed:fasle

List of Java_sealed_v2.jar:

Manifest-version:1.0sealed:false

3rd Step : Write test Cases  

Create a new project and import the two jars. The test classes are as follows:

 Packagecom.java.sealtest;ImportCom.fjn.java.util.jar.ClassA;ImportCom.fjn.java.util.jar.ClassB; Public classSealedtest { Public Static voidMain (string[] args) {ClassA Obja=NewClassA ();        System.out.println (Obja); System.out.println (Package.getpackage ("Com.fjn.java.util.jar"). issealed ());        System.out.println (Obja.getclass (). Getprotectiondomain (). Getcodesource (). GetLocation ()); ClassB OBJB=NewClassB ();        System.out.println (OBJB); System.out.println (Package.getpackage ("Com.fjn.java.util.jar"). issealed ());        System.out.println (Objb.getclass (). Getprotectiondomain (). Getcodesource (). GetLocation ()); Classb.main (NewString[0]); }}

Step 4 : Test

Test 1) do not use sealed

Execute the above test case with the following results:

id:100, Name:hellofalsefile:/e:/workspace/test/lib/java_sealed_v1.jar[email protected]falsefile:/e:/workspace/ TEST/LIB/JAVA_SEALED_V2.JARID:100, Name:hello, Java sealed

the test executes successfully, as you can see from the results, that the ClassA class is loaded from Java_sealed_v1.jar and CLASSB is loaded from Java_sealed_v2.jar.

Test 2)sealed enabled in Java_sealed_v1.jar.

Set the sealed in Java_sealed_v1.jar MANIFEST.MF to True at this point:

JAVA_SEALED_V1.JAR#MANIFEST.MF:

Manifest-version:1.0name:com/fjn/java/util/jar/sealed:true

JAVA_SEALED_V2.JAR#MANIFEST.MF:  

Manifest-version:1.0sealed:false

perform the test with the following results:  

id:100, Name:hellotrueFile:/e:/workspace/test/lib/java_sealed_v1.jarException in thread "main" java.lang.SecurityException:sealing violation:package Com.fjn.java.util.jar is sealedatjava.net.URLClassLoader.getAndVerifyPackage (Unknown Source) at Java.net.URLClassLoader.defineClass (Unknown Source) at java.net.urlclassloader.access$     (Unknown source) at Java.net.urlclassloader$1.run (Unknown source) at Java.net.urlclassloader$1.run (Unknown so Urce) at java.security.AccessController.doPrivileged (Native Method) at Java.net.URLClassLoader.findClass (Unknown Sou RCE) at Java.lang.ClassLoader.loadClass (Unknown source) at Sun.misc.launcher$appclassloader.loadclass (Unknown source ) at Java.lang.ClassLoader.loadClass (Unknown Source) at Com.java.sealtest.SealedTest.main (sealedtest.java:14)

from this result, it should be program execution to CLASSB objb= New ClassB (); This sentence is wrong.

When executing this statement, to load CLASSB,JVM to find the CLASSB in Java_sealed_v2.jar, and to execute the Getandverifypackage method when found. An error occurred during this process.

Now take a look at the Urlclassloader#getandverifypackage () method:

PrivatePackage Getandverifypackage (String pkgname, Manifest Mans, url url) {//from the collection of packages currently loaded by the ClassLoader, whether the package has already been loaded//if it has already been loaded, the return value of PKG is not null.Package Pkg =getpackage (pkgname); if(Pkg! =NULL) {            //Package found, so check the package sealing.            if(pkg.issealed ()) {//Verify that code source URL is the same.                if(!pkg.issealed (URL)) {                    Throw NewSecurityException ("Sealing Violation:package" + Pkgname + "is sealed"); }            } Else {                //Make sure we aren't attempting to seal the package//At the This code source URL.                if(Man! =NULL) &&issealed (Pkgname, man)) {                    Throw NewSecurityException ("Sealing Violation:can ' t seal package" + Pkgname + ": Already Loaded"); }            }        }        returnPkg; }

from the ClassLoader already loaded package, found the Java_sealed_v1.jar under the Com.fjn.java.util.jar package, this package is sealed, so it throws an error.  

From the above code, you can see another problem: If an unsealed package is loaded, the same package name will be loaded again when the class is different in the jar file.

Test 3)sealed disabled in Java_sealed_v1.jar, sealed enabled in Java_sealed_v2.jar. This test is used to verify the other situation described above.

The manifest status is as follows:

JAVA_SEALED_V1.JAR#MANIFEST.MF:

manifest-version:1.0name:com/fjn/java/util/jar/false

JAVA_SEALED_V2.JAR#MANIFEST.MF:  

manifest-version:1.0true

The test results are as follows:  

id:100, Name:hellofalseFile:/e:/workspace/test/lib/java_sealed_v1.jarException in thread "main" java.lang.SecurityException:sealing Violation:can ' t seal package com.fjn.java.util.jar:already loaded at    Java.net.URLClassLoader.getAndVerifyPackage (Unknown source) at Java.net.URLClassLoader.defineClass (Unknown source) At java.net.urlclassloader.access$100 (Unknown source) at Java.net.urlclassloader$1.run (Unknown source) at Java.net.u Rlclassloader$1.run (Unknown Source) at java.security.AccessController.doPrivileged (Native Method) at Java.net.URLCla Ssloader.findclass (Unknown source) at Java.lang.ClassLoader.loadClass (Unknown source) at Sun.misc.launcher$appclassl Oader.loadclass (Unknown source) at Java.lang.ClassLoader.loadClass (Unknown source) at COM.JAVA.SEALTEST.SEALEDTEST.M Ain (sealedtest.java:14)

The test results verify the above statement.  

From these tests, you know:

When loading a class, if the package containing the class to be loaded is in more than one jar file, there may be a problem at run time as long as one of the sealed is specified.

If a package (which is identical to the same packages) exists in more than one jar file, it is best not to limit it to sealed.

In a project, when multiple versions of a jar coexist, be sure to note the settings for sealed.

Java jar:sealed in Manifest