Removing signature from JAR file with JCE providers leads to SecurityException #3
Comments
|
Leaving JAR files unmodified if they don't reference any EE class sounds like the best solution to me. This will probably require buffering the files in memory. |
|
I think users should probably use scripting to exclude problem JARs from the migration. Trying to do too much would lead to more problems, here a likely excessive memory use [there is the same problem with SB which wants some uncompressed JARs, also not doable without full load in memory]. This tool is IMO better if it stays simple. |
|
How about adding a command line option to exclude certain JAR files from getting migrated? It adds just a little bit of complexity in how to use the tool, but it has no impact on memory usage. And it is maybe useful in other scenarios as well. |
|
Yes, a resource filtering pattern or some kind could be a good add with plenty of uses. |
What is an excessive memory usage? A typical jar easily fits in the heap allocated by default to the JVM. This tool is mainly used at build time on beefy machines, I don't think the memory usage is really a concern.
Good idea, something like an |
|
Also |
ebourg
changed the title
and others
If this migration tool removes the cryptographic signature from a JAR file which contains JCE providers (e.g., Bouncy Castle), Java refuses to use these providers afterward:
I see two possible solutions:
I think that solution 1 is easier to implement, since it does not require special knowledge about JCE providers (or other features which require signed JAR files).
Bouncy Castle's main JAR file does not have dependencies on any Java EE classes. This means that both solutions would work for it.
The text was updated successfully, but these errors were encountered: