WebStart API development - bypass security

Discussion in 'Java' started by Andrew Thompson, Sep 30, 2006.

  1. Have any of you done any amount of development using
    the webstart API?
    <http://java.sun.com/products/javawebstart/1.0.1/javadoc/index.html>
    (The FileService, ClipboardService, PersistenceService..)

    I have found the development cycle to be a PITA, and am
    looking for shortcuts.

    The basic problem is that in order to access any of the
    services, you cannot simply 'run your classes' in Java from
    the command line - even if you add the JWS jar to the classpath,
    the ServiceManager is not properly initialised, and
    ServiceManager.getServiceNames()* returns a 0 length array.

    *
    <http://java.sun.com/products/javawebstart/1.0.1/javadoc/javax/jnlp/ServiceManager.html#getServiceNames()>

    When launching via webstart itself, the application/applet
    needs to be jar'd, and requires a JNLP file.

    Fortunately, you can then test it from the command
    line and local filesystem (avoiding the entire hassle of
    uploading it to a server configured to send the correct
    mime-type) by using the -codebase option on launch..
    <http://java.sun.com/j2se/1.5.0/docs/guide/javaws/developersguide/javaws.html#options>

    But.. I find that even using the sand-boxed (no need to sign the code)
    methods in one part of an application, I often need other parts of the
    application to have 'full access' (libraries and native libs etc.).

    To add code signing to that development test cycle is a killer,
    is there is any way to tell the javaws launcher (either via options,
    system configuration, or voodoo) to 'ignore all restrictions'
    and simply run test code as 'trusted'?

    Or is this a case of
    "(slap the OP) Use an advanced IDE with ANT and this is all easy"?

    Andrew T.
    Andrew Thompson, Sep 30, 2006
    #1
    1. Advertising

  2. Andrew Thompson

    tiewknvc9 Guest

    for free code signing certificate check out http://www.cacert.org/

    I believe for testing, you can sign your own applications, which
    results in a request for full system access when the code is first run.
    The screen that appears says something like, "we dont trust this
    person, so neither should you, but if you are foolish then click ok to
    allow them to give you a virus and destroy your your computer"

    done with jarsigner of course.

    Signing your code locally (by yourself, the untrusted source), will
    allow you to accept the hideous certificate mentioned above. But I
    dont think that there is a way to test it without signing your code in
    some way. Ant would be the way to go in my mind, if you felt up to it.
    But you could always just leave a command prompt open with all your
    build calls.

    good luck


    Andrew Thompson wrote:
    > Have any of you done any amount of development using
    > the webstart API?
    > <http://java.sun.com/products/javawebstart/1.0.1/javadoc/index.html>
    > (The FileService, ClipboardService, PersistenceService..)
    >
    > I have found the development cycle to be a PITA, and am
    > looking for shortcuts.
    >
    > The basic problem is that in order to access any of the
    > services, you cannot simply 'run your classes' in Java from
    > the command line - even if you add the JWS jar to the classpath,
    > the ServiceManager is not properly initialised, and
    > ServiceManager.getServiceNames()* returns a 0 length array.
    >
    > *
    > <http://java.sun.com/products/javawebstart/1.0.1/javadoc/javax/jnlp/ServiceManager.html#getServiceNames()>
    >
    > When launching via webstart itself, the application/applet
    > needs to be jar'd, and requires a JNLP file.
    >
    > Fortunately, you can then test it from the command
    > line and local filesystem (avoiding the entire hassle of
    > uploading it to a server configured to send the correct
    > mime-type) by using the -codebase option on launch..
    > <http://java.sun.com/j2se/1.5.0/docs/guide/javaws/developersguide/javaws.html#options>
    >
    > But.. I find that even using the sand-boxed (no need to sign the code)
    > methods in one part of an application, I often need other parts of the
    > application to have 'full access' (libraries and native libs etc.).
    >
    > To add code signing to that development test cycle is a killer,
    > is there is any way to tell the javaws launcher (either via options,
    > system configuration, or voodoo) to 'ignore all restrictions'
    > and simply run test code as 'trusted'?
    >
    > Or is this a case of
    > "(slap the OP) Use an advanced IDE with ANT and this is all easy"?
    >
    > Andrew T.
    tiewknvc9, Sep 30, 2006
    #2
    1. Advertising

  3. tiewknvc9 wrote:
    > for free code signing certificate check out http://www.cacert.org/
    >
    > I believe for testing, you can sign your own applications, which
    > results in a request for full system access when the code is first run.


    A self-signed certificate - that is what I am currently using
    (for both testing and later deployment), and exaclty I want
    to avoid *having* to do during *development*.

    Andrew T.
    Andrew Thompson, Sep 30, 2006
    #3
  4. Andrew Thompson

    tiewknvc9 Guest

    Andrew Thompson wrote:
    > tiewknvc9 wrote:
    > > for free code signing certificate check out http://www.cacert.org/
    > >
    > > I believe for testing, you can sign your own applications, which
    > > results in a request for full system access when the code is first run.

    >
    > A self-signed certificate - that is what I am currently using
    > (for both testing and later deployment), and exaclty I want
    > to avoid *having* to do during *development*.
    >
    > Andrew T.


    I dont think that sun would allow that. Since a developer could
    potentially release something to the public that was not signed,
    starting with the command line code allowing full access to the
    machine..

    Java is a pain with security. But its probably a good move on their
    end.
    tiewknvc9, Sep 30, 2006
    #4
  5. Andrew Thompson

    Daniel Dyer Guest

    On Sat, 30 Sep 2006 04:45:30 +0100, Andrew Thompson
    <> wrote:
    > I have found the development cycle to be a PITA, and am
    > looking for shortcuts.

    ....
    > Or is this a case of
    > "(slap the OP) Use an advanced IDE with ANT and this is all easy"?


    You don't necessarily need to use an IDE, but Ant would probably make
    things easier (there's a built-in task for signing jars:
    http://ant.apache.org/manual/CoreTasks/signjar.html). How do you do the
    build currently?

    I'm a big advocate of always having an automated, single-step build
    process. It doesn't really matter whether that's achieved with Ant,
    Maven, Make or some home-grown scripts. Once you have to execute more
    than one command to do a build there's a chance of messing things up.

    Dan.

    --
    Daniel Dyer
    http://www.uncommons.org
    Daniel Dyer, Sep 30, 2006
    #5
  6. Daniel Dyer wrote:
    > On Sat, 30 Sep 2006 04:45:30 +0100, Andrew Thompson
    > <> wrote:
    > > I have found the development cycle to be a PITA, and am
    > > looking for shortcuts.

    > ...
    > > Or is this a case of
    > > "(slap the OP) Use an advanced IDE with ANT and this is all easy"?

    >
    > You don't necessarily need to use an IDE, but Ant would probably make
    > things easier (there's a built-in task for signing jars:
    > http://ant.apache.org/manual/CoreTasks/signjar.html). How do you do the
    > build currently?


    <whispers>command line based .bat files.</whispers>

    > I'm a big advocate of always having an automated, single-step build
    > process. It doesn't really matter whether that's achieved with Ant,
    > Maven, Make or some home-grown scripts. Once you have to execute more
    > than one command to do a build there's a chance of messing things up.


    Yeah, thanks. I think I just needed to hear it.

    I wish I could figure how to run Ant from the command line,
    I'll need to hit the docs. (I have two "powerful IDE's" installed,
    both of which can run Ant scripts, but one is utterly broken -
    never starts up, the other broke when settings were overwritten
    during a 1.2 install the other night.. long story..)

    Andrew T.
    Andrew Thompson, Sep 30, 2006
    #6
  7. Run Ant from Command Line ..was Re: WebStart API development - bypass security

    Andrew Thompson wrote:
    > Daniel Dyer wrote:
    > > On Sat, 30 Sep 2006 04:45:30 +0100, Andrew Thompson

    ....
    > > > "(slap the OP) Use an advanced IDE with ANT and this is all easy"?

    > >
    > > You don't necessarily need to use an IDE, but Ant would probably make
    > > things easier (there's a built-in task for signing jars:

    ....
    > I wish I could figure how to run Ant from the command line,
    > I'll need to hit the docs.


    (a short time later...)
    C:\Documents and Settings\Administrator>ant
    Buildfile: build.xml does not exist!
    Build failed

    ....Woo-Hoo! :)

    That's progress, from..

    C:\Documents and Settings\Administrator>ant
    'ant' is not recognized as an internal or external command,
    operable program or batch file.

    Andrew T.
    Andrew Thompson, Sep 30, 2006
    #7
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Andrew Thompson

    WebStart API Examples?

    Andrew Thompson, Oct 7, 2006, in forum: Java
    Replies:
    2
    Views:
    386
    Thomas Weidenfeller
    Oct 9, 2006
  2. Larry Smith
    Replies:
    8
    Views:
    363
    Larry Smith
    Jan 7, 2009
  3. Larry Smith
    Replies:
    7
    Views:
    830
    Larry Smith
    Jan 7, 2009
  4. Replies:
    21
    Views:
    726
    Kenny McCormack
    Sep 20, 2012
  5. 1 2
    Replies:
    15
    Views:
    521
    Kenny McCormack
    Sep 20, 2012
Loading...

Share This Page