I am developing at a company where a jnlp file is used to start a swing web based java application. It has plenty of jars that are downloaded to the client’s jvm cache. When I updated my jvm to its currently latest version (build 1.7.0_45-b18) I started seeing the security warning below when I try to run the jnlp file:
After I saw this error and read this article about signing jnlp files from oracle site( Signing JNLP files) then I added three things to the project:
- A JNLP-INF folder including an APPLICATION.JNLP file into all my jars except third party ones.
- Signing all those jars with the digital certificate+keystore bundle of my own company
- Importing the digital certificate into my trusted Ca certificates of jvm via java control panel.
After I did the changes above and tried to run the jnlp file after deployment of new jars I got the following Security warning message from jvm:
As you can see the Security Warning’s severity level is changed to a more welcoming level and now the publisher’s name is not unknown.It is the name from the certificate. Even if the warning’s level is decreased it is still a warning and I dont want my end users to see this everytime. How can I solve this problem?
- Should I try to sign all third part jars as well? If so how can I do it with an Ant command? How can I extract a third party jar and add the JNLP-INF folder in it and then repack it as a jar by using Ant?
- Should I also sign the final myapplication.ear file with a JNLP-INF subfolder in it.This ear file is deployed to jboss server?
- Should I add some extra lines to my META-INF/MANIFEST files in jars?
- Should I be expecting oracle to block my application to run on jvm with this level of warning?
My JNLP file is this text:
<?xml version="1.0" encoding="utf-8"?> <jnlp spec="1.0+" codebase="http://10.100.10.9/ikarusdelhitest/" href="ikarus.jnlp"> <information> <title>Ikarus</title> <vendor>My Company name</vendor> <homepage href="http://www.mycompanyname.com" /> <description>My jnlp triggered web based enterprise software</description> <icon href="ikarus.ico" /> <offline-allowed /> </information> <security> <all-permissions /> </security> <resources> <j2se version="1.6+" href="http://java.sun.com/products/autodl/j2se" java-vm-args="-Xnoclassgc -Xincgc -client -XX:DefaultMaxRAM=208M -Xms64M -Xmx256M -XX:PermSize=32M -XX:MaxPermSize=128M -XX:MinHeapFreeRatio=15 -XX:MaxHeapFreeRatio=50" /> <jar href="jars/ikarus/ikarusClient.jar" /> <jar href="jars/ikarus/ikarusDelegators.jar" /> <jar href="jars/ikarus/clientRules.jar" /> <jar href="jars/ikarus/ruleImps.jar" /> <jar href="jars/ikarus/ikarusUtil.jar" /> <jar href="jars/ikarus/ikarusResources.jar" /> <jar href="jars/ikarus/domain.jar" /> <jar href="jars/ikarus/domain_repository.jar" /> <jar href="jars/ikarus/domain_service.jar" /> <jar href="jars/ikarus/app_repository.jar" /> <jar href="jars/ikarus/app_service.jar" /> <jar href="jars/ikarus/infrastructure.jar" /> <jar href="jars/ikarus/integration_domain.jar" /> <jar href="jars/jboss_ejb_auth/ejb3-persistence.jar" /> <jar href="jars/jboss_ejb_auth/jboss-ejb3x.jar" /> <jar href="jars/jboss_ejb_auth/jbossall-client.jar" /> <jar href="jars/jasper/commons-beanutils-1.8.0.jar" /> <jar href="jars/jasper/commons-collections-3.2.1.jar" /> <jar href="jars/jasper/commons-digester-1.7.jar" /> <jar href="jars/jasper/commons-logging-1.1.jar" /> <jar href="jars/jasper/iText-2.1.0.jar" /> <jar href="jars/jasper/jasperreports-3.6.0.jar" /> <jar href="jars/jasper/poi-3.2-FINAL-20081019.jar" /> <property name="jnlp.localization" value="Delhi"/> </resources> <application-desc main-class="com.celebi.ikarus.main.Ikarus" />
Thanks for any help/comment/brain storming.
This JNLP seems to need signing because of
java-vm-args but realize that most of the memory related options can be specified in a way so that the JNLP does not need to be signed. I recommend you try that way instead.
JNLP was part of the Java Plug-In which was removed from browsers and deprecated by Oracle around Java 9. Use other methods to launch apps.