JARs versus Web-Start

[Stefan Ram]

When one follows a web link to an executable JAR on a
webserver, it will be transferred via HTTP and then executed
(for example, under Windows, after Java was installed). The
operating system might ask the user for a confirmation and
then will run the JAR.

Many users do not know much about what a JAR is, so they
might not be able to appreciate the possibly enhanced
security of Applets or of Web-Start (is there any?)

So, in order to enable someone to start a Java-Application
via the Web, what might be some reasons to prefer one of
those means above the other (a link to an executable JAR
versus Web-Start)?

 

[John B. Matthews]

When one follows a web link to an executable JAR on a
webserver, it will be transferred via HTTP and then executed
(for example, under Windows, after Java was installed). The
operating system might ask the user for a confirmation and
then will run the JAR.

Many users do not know much about what a JAR is, so they
might not be able to appreciate the possibly enhanced
security of Applets or of Web-Start (is there any?)

So, in order to enable someone to start a Java-Application
via the Web, what might be some reasons to prefer one of
those means above the other (a link to an executable JAR
versus Web-Start)?

IIUC, a JAR runs with no security restrictions, while a Java Web Start
program is launched with whatever permissions are defined in the
controlling JNLP file. As concrete examples, this game's JNLP requests
no special permissions; by default, it runs in a restricted, "sandbox"
environment:

<http://sites.google.com/site/drjohnbmatthews/buttons>

In contrast, this game requests access to the local file system in
order to save preferences:

<http://robotchase.sourceforge.net/>

When run, the first engenders no security dialog; the seconds does.
Both JAR's are signed to mitigate the risk of tampering.

More details here:

<http://java.sun.com/docs/books/tutorial/deployment/webstart/security.html>

 

[Andrew Thompson]

  When one follows a web link to an executable JAR on a
  webserver, it will be transferred via HTTP and then executed
  (for example, under Windows, after Java was installed). ..

On Ubuntu Linux the user would be offered many options,
including 'save to disk' and 'open in archive manager'.

..The
  operating system might ask the user for a confirmation and
  then will run the JAR.

  Many users do not know much about what a JAR is, so they
  might not be able to appreciate the possibly enhanced
  security of Applets or of Web-Start (is there any?)

Already covered.

  So, in order to enable someone to start a Java-Application
  via the Web, what might be some reasons to prefer one of
  those means above the other (a link to an executable JAR
  versus Web-Start)?

JWS provides..
- Easy ways to add extra APIs and entire extensions
(JOGL, Java3D etc.) to the application's run-time
classpath, including natives delivered specific for
the platform.
- Automatic update.
- Splash screens.
- Desk-top integration.
- APIs only available to JWS apps. like the
PersistenceService, the SingleInstanceService & the
ExtensionInsallerService that make some things very
much easier. E.G.s at <http://pscode.org/jws/api.html>
Note that Robot Chase app. mentioned by John could be
deployed sand-boxed, by using the PersistenceService.
- Fine-grained JRE versioning. For details see
<http://pscode.org/jws/version.html>
- ...

 

[Roedy Green]

IIUC, a JAR runs with no security restrictions, while a Java Web Start
program is launched with whatever permissions are defined in the
controlling JNLP file. As concrete examples, this game's JNLP requests
no special permissions; by default, it runs in a restricted, "sandbox"
environment:

Further the browser/os may need to be configured to associate jars
with java.exe, otherwise it will just be saved to disk.

You can run an Applet in a jar with <APPLET or that other abomination.
--
Roedy Green Canadian Mind Products
http://mindprod.com

Beauty is our business.
~ Edsger Wybe Dijkstra (born: 1930-05-11 died: 2002-08-06 at age: 72)

Referring to computer science.