Signed WebStart applications

Alex Schonlinner

Dear group readers,

The documentation for Java WebStart writes that if you sign all
your *.jar-files then you have the same access to the computer's
resources as a standard java application running locally, at least
if you put the following line into the jnlp file:
<security>
<all-permissions/>
</security>

Ok, but this does not work! Although all jars have been signed
(using a test certificate, and the user clicks OK on the warning
message of the certificate) and this line is present, the
application has only the rights which have been defined in the
javaws.policy-file, i.e. it has exactly the same rights as an
unsigned WebStart application.

The WebStart AppManager tells us that all jars have been signed,
so it's not due to a forgotten jar which has not been signed.

Is there anything which needs to be done additionally to access
a computer's resources?


Best regards,
Alex
 
Andrew Thompson

> Dear group readers,
>
> The documentation for Java WebStart writes that if you sign all
> your *.jar-files then you have the same access to the computer's
> resources as a standard java application running locally, at least
> if you put the following line into the jnlp file:
> <security>
> <all-permissions/>
> </security>

That about describes the PhySci project,
self-signed, all permissions

> Ok, but this does not work!

It seems to work fine with PhySci..

I would be interested to hear your
experiences with it. You can get it,
http://www.physci.org/install/download.jsp

The image browser, text editor and
file finder all need file access.
Does it work for you?
 
Alex Schonlinner

Andrew Thompson said:
> That about describes the PhySci project,
> self-signed, all permissions
>
> It seems to work fine with PhySci..
>
> I would be interested to hear your
> experiences with it. You can get it,
> http://www.physci.org/install/download.jsp
>
> The image browser, text editor and
> file finder all need file access.
> Does it work for you?

Well, I found a working file requester in the text editor
and was very astonished that it works despite our javaws.policy
settings.

Did you do anything special to make it work? I found out that
signing jars and putting the all-permissions statement into
the JNLP file does not work:
It seems as if all these settings simply allow you to set
the security manager to null. And when we set it to null, all
works ok. But is this the only solution? Seems to be a little
bit crude to completely switch off the security manager...

Best regards,
Alex
 
Andrew Thompson

> Well, I found a working file requester in the text editor
> and was very astonished that it works despite our javaws.policy
> settings.

....err.
You did see, the big, friendly..

> Did you do anything special to make it work?

No. You did, when you clicked 'yes'.

You permitted PhySci unrestricted
access to the filesystem, printing,
networking (notwithstanding firewalls
and such),..

> I found out that
> signing jars and putting the all-permissions statement into
> the JNLP file does not work:

Well, it works if it is done properly,
and the user selects 'yes' at the
appropriate dialog.

> It seems as if all these settings simply allow you to set
> the security manager to null.

Unfortunately it is 'all or nothing'
with WebStart.

> ..And when we set it to null, all
> works ok. But is this the only solution? Seems to be a little
> bit crude to completely switch off the security manager...

You do so, but only on an app by app
basis, you can choose which apps you
install. But if the apps request
access, and you grant it, they have
full, unrestricted access.

(Slight quirk with PhySci. Since it
is six 'apps' each launched from a
single toolbar, they all get full
access with the one WebStart approval)
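
Added example, not part of any post in this thread and not code from PhySci: a small diagnostic that can be packaged in the signed jar and launched from the same JNLP to show whether a security manager is installed, whether the class carries signer certificates, and which permissions are actually granted. The class name `PermissionProbe` and the three probed permissions are assumptions chosen for illustration, and it needs a Java release that still ships the `SecurityManager` API.

```java
import java.io.FilePermission;
import java.security.AllPermission;
import java.security.CodeSource;
import java.security.Permission;
import java.security.cert.Certificate;
import java.util.PropertyPermission;

// Hypothetical diagnostic class (not from the thread): prints what the
// running code is actually allowed to do under the active security manager.
public class PermissionProbe {

    // Ask the security manager about one permission; null manager = no checks.
    static String check(SecurityManager sm, Permission p) {
        if (sm == null) return "granted (no security manager installed)";
        try {
            sm.checkPermission(p);
            return "granted";
        } catch (SecurityException e) {
            return "DENIED: " + e.getMessage();
        }
    }

    // Count signer certificates attached to this class. Reading the
    // protection domain is itself a guarded operation in the sandbox.
    static String signerInfo() {
        try {
            CodeSource cs = PermissionProbe.class.getProtectionDomain().getCodeSource();
            Certificate[] certs = (cs == null) ? null : cs.getCertificates();
            return (certs == null ? 0 : certs.length) + " certificate(s), loaded from "
                    + (cs == null ? "unknown" : String.valueOf(cs.getLocation()));
        } catch (SecurityException e) {
            return "not readable in sandbox: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        SecurityManager sm = System.getSecurityManager();
        System.out.println("Security manager: " + (sm == null ? "none" : sm.getClass().getName()));
        System.out.println("Signers: " + signerInfo());
        Permission[] probes = {            // constructed sample probes
            new AllPermission(),
            new PropertyPermission("user.home", "read"),
            new FilePermission("<<ALL FILES>>", "read,write"),
        };
        for (Permission p : probes) {
            System.out.println(p + " -> " + check(sm, p));
        }
    }
}
```

A signed class that still reports `AllPermission` as denied matches the situation described in the first post; the output goes to standard output, so the Java console has to be visible when the application is launched through WebStart.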
 
