Table of Contents
Java Web Start
Java Web Start is a technology that lets you deploy a desktop Java application directly from a web page.It is an implementation of the Java Network Launching Protocol (JNLP) specification.
Java Web Start Characteristics
- It provides a protected sandbox for running untrusted applications, similar to applet sandbox in a web browser.
- It provides security, safety, and automatic updates when you roll out new versions.
- JWS included as part of the JRE
- It introduces few APIs mainly for dealing with sandbox
- It can get started without writing any new code
- Just need a JNLP descriptor file
- It will even give your program an icon on the desktop.
- In short, Java Web Start gives you the power of a desktop app with the ease of deployment ,users expect from a web app.
Working of JWS
- Uses a special file called JNLP descriptor (XML document describing the application needs)
- The file lists the .jars that make up your program, starting class with main method, security settings, a splash screen and an icon
- Put the JNLP file on your web server and make a link to it
- Clicking on the link, the browser downloads the JNLP file and starts the JWS application launcher
- JWS downloads the .jars and resources (like images), installs an icon on the desktop and starts your program
- Next time the program is run, JWS checks for any updates.
JNLP Descriptor File
<?xml version=”1.0″ encoding=”UTF-8″?>
<jnlp codebase=”http://myconfig.com/downloads/” href=”myconfig.jnlp”>
<information>
<title>My Config</title>
</information>
<resources>
<jar href=”myconfig.jar”/>
</resources>
<application-desc main-class=”myconfig.MyConfig”/>
</jnlp>
Deploying a JWS application
- Upload your JNLP, .jars and other files to your website
- Upload files as specified in the codebase attribute of JNLP
- MIME type: Some web servers don’t understand how to serve JNLP files.
- To serve any file with .jnlp extension, you have to tell the web server to serve as application/x-java-jnlp-file.
- For example, in Apache, add a line to httpd.conf as
- AddType application/x-java-jnlp-file .jnlp
- Adding a description, icon and a splash screen
- To add a description, the title element can be specified in the information section.
- To add an icon, the icon element can be specified in the information section.
- To make a splash screen appear while the program is launching, a second icon element can be provided with the kind attribute set to a value “splash”.
<information>
<title>My Config</title>
<icon href=“icon.png”/>
<icon href=“splash.png” kind=“splash”/>
</information>
Updating and removing the application
Updating the Java Web Start application
- To update the Java Web Start application, the code has to be recompiled and the new .jars has to be uploaded to the web server.
- Next time when one of the user starts the program, JWS will check for the new .jars.
- If the web server’s .jars file timestamps are newer than the .jars on disk, JWS will download the new .jars, add them to cache and start the program.
- Java Web Start provides a way to send out incremental updates where only the changes to a .jar are downloaded instead of the entire .jar.
Removing the Java Web Start application
- The Java Web Start application can be removed by viewing the Java Cache Viewer, which lists down all the Java Web Start cached appplications, and then removing the application.
- The Java Cache Viewer can be displayed by one of the following ways
- By running javaws –viewer on the command line
- By invoking the Java Control Panel in Windows and then clicking on “View…” under the “Temporary Internet Files” section of the “General” tab.
Java Web Start Sandbox
- Java has always had good support for writing secure applications, being designed with security in mind from beginning.
- Still there is a possibility that a malicious programmer can write a program to purposely delete files or steal personal information.
- To tackle this issue, JWS provides something known as sandbox.
- Sandbox is a restricted environment that JWS applications run inside by default.
- Using the security manager and some custom classloaders, it prevents the program from accessing any inappropriate resources or damaging the host.
- This is similar to the applet security model.
- The JWS sandbox model also provides some more extensions than what can be done with plain applets, like access local files, use the clipboard and print.
Java Web Start – Options
1. Working within the sandbox restrictions
- The sandbox lets you open a network connection back to the server from which the application was downloaded
- You can load and save all data on the server and since there is no data on the client, the data can’t become corrupted due to issues on client side.
2. Using the JWS Service APIs
- The sandbox allows the program to have limited access to unsafe resources as long as it under the control of the users.
- Using the Service APIs in the javax.jnlp package, you can ask the user to approve possible unsafe actions like opening of a file.
- The sandbox will open a file dialog window asking the user to select a file. The file will be passed to the application through a safe API.
3. Going outside of the sandbox
- In case the application really needs unsafe access, then it can be shipped as a signed and trusted application.
- The components of the program are digitally signed and then placed on the website.
- When the user download the program, the user can accept the certificate and continue or if the user says no, the installation will be aborted.
JWS – Using Service APIs
- For the program to work inside of the sandbox but still access local resources, Service APIs can be used, which are available to access files, clipboard, print etc.
- When you request an unsafe feature using a Service API, sandbox shows user a dialog box asking permission. If user agrees, access is provided, else access is denied.
import javax.jnlp.*;
…
public class ServiceOpenFile extends ActionListener {
public void actionPerformed (ActionEvent evt) {
try {
FileOpenService open = (FileOpenService) ServiceManager.lookup(“javax.jnlp.FileOpenService”);
FileContents fc = open.openFileDialog(null, null);
….
}
catch (Exception ex) { }
}
}
JWS – Using Signed Code for Trusted Access
- For the program to get full access to user’s computer, it must be signed.
- Steps to make the program signed (self-signed example)
1. Generate the keystore with a self-signed certificate using the keytool program keytool –genkey –keystore mykeystore –alias mykey
The above command will generate a new key called mykey and place it in a keystore file called mykeystore.
2. Sign the .jars using the jarsigner program.
jarsigner –keystore mykeystore myconfig.jar mykey
The above command will open the keystore, mykeystore, retrieve the key, mykey, and use the key to sign myconfig.jar which can be uploaded to web server.
3. Request full security permissions by changing the JNLP file as follows:
<?xml version=“1.0” encoding=“UTF-8”?>
<jnlp codebase=“http://myconfig.com/downloads/” href=“myconfig.jnlp”>
….
<security>
<all-permissions/>
</security>
</jnlp>
Using Pack 200 for faster downloads
- To speed up downloads, Java 1.5 introduced a new form of compression, Pack 200
- It can compress some .jars by a factor of 5, in addition to typical 2x gzip comp.
- Pack 200 only works well on Java bytecode, so if .jar has lot of things that aren’t class files (like images), there will not be much compression.
- Compressing of .jars using Pack 200 can be done as follows:
- pack200 myconfig.jar.pack.gz myconfig.jar
- The above command compresses myconfig.jar into myconfig.jar.pack.gz without removing original .jar file.
- Once packed, both packed and unpacked files should be uploaded to web server.
Note: To sign a packed jar, you will need to pack, unpack and then sign the .jar before repacking it. This preserves the order of bytes for the signature to work.
Setting up Web Server to support Pack 200
- To support all kinds of JWS clients, new and old (which may not understand Pack 200), Pack 200 has a special negotiation protocol using HTTP headers to download the right .jar
- Following is the procedure to setup for Tomcat.
1. From the sample/jnlp/servlet/ directory of J2SE 1.6 JDK, copy jnlp-servlet.jar to the WEB-INF/lib directory of the servlet context that is used to serve up the application .jar files.
2. Modify the web.xml to include the following:
<web-app>
<servlet>
<servlet-name> JnlpDowloadServlet</servlet-name>
<servlet-class> jnlp.sample.servlet.JnlpDownloadServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name> JnlpDowloadServlet</servlet-name>
<url-pattern>*.jar</url-pattern>
</servlet-mapping>
</web-app>
JNLP Descriptor File – Shortcuts and Related Content
<jnlp codebase=“http://myconfig.com/downloads/” href=“myconfig.jnlp”>
<information>
<title>My Config</title>
<shortcut>
<desktop/>
<menu submenu=“My Software”>
</shortcut>
<related-content href=“readme.html”>
<title>Readme Doc</title>
</related-content>
</information>
– The <desktop> element inside of <shortcut> asks Java Web Start to put an icon on the desktop if the user allows it.
– The <menu submenu=“My Software”> element puts a shortcut with the icon and title of the application in the “My Software” menu.
– The <related-content> element in JNLP file puts a link to the file “readme.html” in the menu with the title “Readme Doc”.
JNLP Descriptor File – File Assocations
– You can request that your application be registered to support certain file types.
– When the user launches a file of the type you set, your program will be launched.
– You must specify the association using both an extension and a MIME type.
<jnlp codebase=http://myconfig.com/downloads/” href=“myconfig.jnlp”>
<information>
<title>My Config</title>
<association extensions=“config” mime-type=“x-application/config”/>
– The association element in JNLP above would register the application as a handler for all .config files and all files with a MIME type of x-application/config.
– To know the details of various other JNLP descriptor elements, refer to http://java.sun.com/javase/6/docs/technotes/guides/javaws/developersguide/syntax.html
