Java Web Start security dialogs with Java 7 update 51

StackOverflow https://stackoverflow.com/questions/21207037

  •  29-09-2022
  •  | 
  •  

Question

I build a Java Web Start application signed with a valid certificate.

When I star the application the security dialog appear correctly as show in this figure

http://www.java.com/en/img/download/trusted_signed.jpg

My issue is about the "do not show again" checkbox.

If the attributes href are present in the jnlp tag of the jnlp file the checkbox appear.

If the attribute are not present, the checkbox doesn't appear and the run needs to be confirmed every time.

(Example: < jnlp spec="1.0+" codebase="http://docs.oracle.com/javase/tutorialJWS/samples/deployment/webstart_ComponentArch_DynamicTreeDemo" href="dynamictree_webstart.jnlp">

)

This is a problem because my jnlp file is under a password protected directory and if href is specified, the Java Web Start application try to retrieve it as the other resources. ( result in access denied because only the browser session is authenticated and the run fails)

The documentation at Deploying a Java Web Start Application said:

The codebase and href attributes are optional when deploying Java Web Start applications that will run on at least the Java SE 6 update 18 release or later. You must specify the codebase and href attributes when deploying Java Web Start applications that will run with previous releases of the Java Runtime Environment software.

What is the right code? With href or without?

Is this a BUG or a feature?

How can I show the "don't show again" checkbox without having to specify the href attribute?

Was it helpful?

Solution

After much searching and testing we've found only these two ways for a Java Web Start app, properly signed with a trusted 3rd party cert, to be deployed under JRE 1.7.0_51 & display the expected Security dialog (with "Do not show this again..." check-box):

1) Add href= with the launch file self-reference as you describe above, e.g:

jnlp spec="1.0+" codebase="http://some.dn.com/OurAppHome/"  href="launch.jnlp"

Which is not straight forward for sites that generate the JNLP through, say ASP, or under other condtions like you note above.

2) The proper thing: JAR manifest such that it shows no Missing Blah-Blah-Blah manifest attribute in console log. The minimal additional manifest attributes for 7u51 we've found must be present (*s as test values):

Permissions: all-permissions
Codebase: *
Application-Library-Allowable-Codebase: *

So our working full build script test manifest looks something like this (version is generated):

         <manifest>
             <attribute name="Application-Name" value="Our App Name"/>
             <attribute name="Main-Class" value="com.whatever.main.AppLoader"/>
             <attribute name="Class-Path" value="./Corejar.jar ./Support.jar"/>
             <attribute name="Built-By" value="${user.name}"/>
             <attribute name="Permissions" value="all-permissions"/>
             <attribute name="Codebase" value="*"/>
             <attribute name="Application-Library-Allowable-Codebase" value="*"/>
             <attribute name="Trusted-Only" value="true"/>
             <attribute name="Specification-Title" value="Our App Name"/>
             <attribute name="Specification-Version" value="${version}"/>
             <attribute name="Specification-Vendor" value="Our Company Name"/>
         </manifest>
Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top