Java Web Start security dialogs with Java 7 update 51

4
votes

I build a Java Web Start application signed with a valid certificate.

When I star the application the security dialog appear correctly as show in this figure

http://www.java.com/en/img/download/trusted_signed.jpg

My issue is about the "do not show again" checkbox.

If the attributes href are present in the jnlp tag of the jnlp file the checkbox appear.

If the attribute are not present, the checkbox doesn't appear and the run needs to be confirmed every time.

(Example: < jnlp spec="1.0+" codebase="http://docs.oracle.com/javase/tutorialJWS/samples/deployment/webstart_ComponentArch_DynamicTreeDemo" href="dynamictree_webstart.jnlp">

)

This is a problem because my jnlp file is under a password protected directory and if href is specified, the Java Web Start application try to retrieve it as the other resources. ( result in access denied because only the browser session is authenticated and the run fails)

The documentation at Deploying a Java Web Start Application said:

The codebase and href attributes are optional when deploying Java Web Start applications that will run on at least the Java SE 6 update 18 release or later. You must specify the codebase and href attributes when deploying Java Web Start applications that will run with previous releases of the Java Runtime Environment software.

What is the right code? With href or without?

Is this a BUG or a feature?

How can I show the "don't show again" checkbox without having to specify the href attribute?

1
javasecurityjava-web-start
I don't know how you'd do this without an href, but the question I'd have is why is it in a protected directory? Wouldn't it be simpler/more straightforward for it to be in a public directory? - Makoto
The href attribuite is optional since java 6u18 (as I Said before, please read carefully the question). I need to protect the jnlp! If I could use the Simple Solution I would not ask a questo here - Simone
Applet and web start security features do feel like they're being rushed into production. I would not be surprised if they managed to break non-generic use cases. Your best bet is to keep things uncomplicated and standard. - flup
I had the same issue, I solved it for now by adding the session id and a token to the href string and starting the session again to authenticate, the next issue doing this is that I always seem to get the java logo instead of our own - Egg Vans
Further to this if you launch the app from a shortcut the checkbox is there without the href being present in the original jnlp - Egg Vans

1 Answers

2
votes

After much searching and testing we've found only these two ways for a Java Web Start app, properly signed with a trusted 3rd party cert, to be deployed under JRE 1.7.0_51 & display the expected Security dialog (with "Do not show this again..." check-box):

1) Add href= with the launch file self-reference as you describe above, e.g:

jnlp spec="1.0+" codebase="http://some.dn.com/OurAppHome/"  href="launch.jnlp"

Which is not straight forward for sites that generate the JNLP through, say ASP, or under other condtions like you note above.

2) The proper thing: JAR manifest such that it shows no Missing Blah-Blah-Blah manifest attribute in console log. The minimal additional manifest attributes for 7u51 we've found must be present (*s as test values):

Permissions: all-permissions
Codebase: *
Application-Library-Allowable-Codebase: *

So our working full build script test manifest looks something like this (version is generated):

         <manifest>
             <attribute name="Application-Name" value="Our App Name"/>
             <attribute name="Main-Class" value="com.whatever.main.AppLoader"/>
             <attribute name="Class-Path" value="./Corejar.jar ./Support.jar"/>
             <attribute name="Built-By" value="${user.name}"/>
             <attribute name="Permissions" value="all-permissions"/>
             <attribute name="Codebase" value="*"/>
             <attribute name="Application-Library-Allowable-Codebase" value="*"/>
             <attribute name="Trusted-Only" value="true"/>
             <attribute name="Specification-Title" value="Our App Name"/>
             <attribute name="Specification-Version" value="${version}"/>
             <attribute name="Specification-Vendor" value="Our Company Name"/>
         </manifest>