I have had a brief search in Sta开发者_JAVA百科ckOverflow, it seems that for a webstart application, if some of the JARs are signed and other are unsigned, it will end up treated as unsigned if unsigned code are accessed in call stack.
However, what if I only put resources (e.g. config files) in an unsigned JAR? (In fact I have some environment-dependent configs that I want to centralize in a separate JAR). If all other JARs containing "code" are signed, will it runs fine as signed application?
Unsigned Jars can be put in a sand-boxed extension and used by an app. that requests j2ee-application-client-permissions
or all-permissions
.
To avoid the mixed code warning that this produces, see Deploying Signed Applications and Applets Securely Without a Mixed Code Warning.
One thing to keep in mind in such a scenario: you can NOT have Java classes from signed and unsigned (or signed using different certificates) JARs in the same package - it will cause a SecurityException during class loading.
精彩评论