Skip to main content

JOGL and JMF Unsigned Applets

3 replies [Last post]
marvinpwarble
Offline
Joined: 2008-07-26

I realize that you can launch applets that use JOGL (and JMF?) using the JNLP applet launcher, but are there any plans for the future to be able to use these libraries in an applet without using the JNLP launcher and without having to sign the applet?

The less hoops the better. Philosophically speaking, if you can launch an applet indirectly using these libraries without signing the applet, why not allow developers to do this directly?

I believe this was discussed in the wishlist thread, but wasn't really answered.

Thanks,
M. Warble
www.galileo-riaf.com
www.javariadev.org

"Making the simple complicated is commonplace; making the complicated simple, awesomely simple, that's creativity." - Charles Mingus

Reply viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.
linuxhippy
Offline
Joined: 2004-01-07

> The less hoops the better. Philosophically speaking,
> if you can launch an applet indirectly using these
> libraries without signing the applet, why not allow
> developers to do this directly?
Because it would allow the applet to break out of security sandbox. Howto guarantee that the version of JOGL you distribute is not hacked and so on.
Its just one click and your self-signed certificate will be stored without asking the user every time.

- Clemens

marvinpwarble
Offline
Joined: 2008-07-26

I'm ignorant in the area of JNLP and JNI. With that said, what prevents a hacked version from being used when using the JNLP launcher?

I realize that JOGL relies on JNI, but is there anything in JOGL itself that poses a security risk? It seems there should be some slimmed down version of JNI that can be used with libraries that don't pose a security risk.

The problem with security certificates is that non-saavy web types may be scared off by them. In other words they may be hesitant to accept a security certificate not knowing what it really is. To a non-saavy web type (i.e. my mother), it's just another popup trying to trick her into installing spyware.

M. Warble

demonduck
Offline
Joined: 2008-03-14

I think the idea of "The Sandbox" is not so useful anymore given the universe
of freeware and shareware and who knows how much other software that is
freely and widely available on the net. People download that stuff daily without
a second thought and anyone of those could have zombie robots of doom for
your computer and hard drive.

But the poor little applet -- well that's a Homeland Security Issue! Man the battlements! All those Nigerian
and Ukrainian hackers are going to come storming through
your applet.

What happens if I sign a malevolent applet? If I'm
careful, I could have the applet behave in a benign
fashion to the users eyes while I use the background to
spew porn email.

Just because an applet is signed doesn't mean it's not
going to be malicious.

And JNLP -- what a waste of time and effort that is. I have never clicked on a link that
downloaded a jnlp file.

But the Java Dev Team is in love with the idea because they don't have any better ideas.