Posted by cayhorstmann
on July 12, 2006 at 7:09 PM PDT
I used Java Web Start as a "poor man's installer" for a
Java client app that allows students to check their homework assignments.
The app needs "all permissions", so I simply signed it with a worthless
self-signed certificate. The Web Start security dialog is complete
gibberish to 99% of end users, which works in my favor. Something is wrong
here. Should the JNLP API be less convoluted, so that it is easier to live
in the sandbox. Should it be less of a hassle for an individual to get a
I am working on a Java client application to accompany a textbook. It
allows students to check their programming assignments before they turn
them in. After a few days of hacking, I was ready to show it to my editor.
No big deal, I thought. I'll just zip it up and tell him to unzip and
run it. Open a command shell and run
java -classpath labrat.jar:$ANT_HOME/lib/ant.jar
Ok, maybe not. I can't very well have my editor install
href="http://ant-contrib.sourceforge.net/">Ant-Contrib, set an
environment variable, and open a command shell.
No big deal, I thought. I'll just JAR everything up and make a
self-running JAR. He can double-click on it. But you can't put JAR files
inside a JAR file, and I wasn't about to un-JAR the Ant libraries. That
just seemed too dirty. I tried
href="http://one-jar.sourceforge.net/">One-JAR, and it almost worked,
but the embedded Ant couldn't load task definitions. I should have shown
my manly manhood by hacking a path through the festering mess of class
loaders, but I didn't.
What do people do to install Java apps on Windows? Windows users want
to click to install the app, and click again to launch it. I suppose one
needs an EXE wrapper or an installer, such as
href="http://www.izforge.com/izpack/">IzPack, or both. This seemed to
be a great deal of trouble.
I was reluctant to use Java Web Start. One always reads horror stories
one. But I ended up using it anyway. It neatly solved my JAR problem
and my click problem. You list JAR files in the JNLP descriptor, and you
add a hint to install shortcuts that the user can click. Not bad at all.
As an added bonus, I can keep tweaking my prototype and know that the
users will always run the latest version.
But there is one incredibly sucky thing about Web Start--the security
dialog. If your app can run in the sandbox, such as the demonstration
version of Violet , this is not
an issue. (The Web Start sandbox is much better than the applet
sandbox--maybe a topic for another blog.)
But this app can't run in the sandbox. It compiles and runs arbitrary
programs. I must digitally sign the app. I don't want to go through the
trouble of getting a code certificate. It's a huge hassle for an
unincorporated individual. No problem, I use a self-signed certificate. My
users now see this warning:
This is completely bogus!!!
How many users out there have a clue what a digital certificate is, or
what it means that the certificate is self-signed?
To make it worse, this
article shows how to use a Thawte e-mail certificate to make the
dialog look like this:
Well, if he is a Thawte Freemail Member, this guy must be safe...NOT.
But is John Q. Surfer going to know that?
This is a mess.
Why show an end user something they can't reasonably comprehend? Why
let them run something unsafe, or even worse, add a certificate into their
store, with a single click?
How did we get into this mess?
API wasn't so convoluted, it would be easier for developers to write
apps that are useful in the Web Start sandbox. And if it was easier for a
reputable developer to get a certificate, then there would be no reason to
allow completely worthless self-signed certificates.
Is anyone working on improving the JNLP API? (No, I don't want to start
a JSR.) Is it possible to issue certificates to individual programmers at
a reasonable cost, while still having a reasonable level of security?