Java Web Start 1.0.1 Signed Application Demo

M. Gallant 07/11/2001

Java Web Start is a Java-based web applications deployment infrastructure which implements the JNLP (Java Network Launching Protocol) API. It provides reasonably transparent, secure, persistent and version-control Java applications deployment capability. This note discusses a simple signed-code *application* example and shows how to successfully deploy to clients potentially running a wide range of Java runtime environment versions, including "beta" versions. It also shows how to configure and test using the standalone Tomcat application/servlet container.

The link below provides access to a RSA-signed Java application, packaged as a single digitally-signed Jar archive propsframe.jar. The application simply lists all Java System Properties in a TextArea within a simple frame. Since accessing many of these Properties is a privileged operation, the JAR archive must be digitally signed, and full privileges must be specified in the .jnlp context configuration file with:

<security> <all-permissions/> </security>
[Note that at the current release level, the JNLP API does not implement the fine-grained security policy-file capability as does the JavaPlugin, but this feature is expected to be forthcoming in future versions of the API.

For the java application and Java Web Start to properly recognize end users with J2RE V1.4 b, the jnlp configuration file should be specified as follows:

<resources> <j2se version="1.4 1.4.0-beta_refresh 1.4.0-beta 1.3+" href=""/> <jar href="lib/PropsFrame.jar"/> </resources>
[This "feature" is the subject of a current JDC Bug report Bug ID: 4469701.]
This assures the code will be "J2RE 1.4 fcs ready", but will also work with earlier 1.4 beta versions, and also J2RE 1.3.x versions. Assuming the client has Java Web Start installed and that this application were deployed from a sever with correct application/x-java-jnlp-file mime-type mapping for .jnlp file extension, clicking the .jnlp launch link below should show the download progression and the signed-certificate verification window and prompt the first time the application is accessed. Subsequest accesses will use the local cached version of the application, provided the application has not been updated on the server since the previous access. If the JAR archive has been modified in any way, so that the digital signature breaks, the application contained therein will not be allowed to execute:

When installed, the application should start automatically. The Java Web Start Application Manager window shows the signed added application like this:

The archive was generated and signed with Netscape Signtool1.3/Win95. The code-signing certificate is issued by an Enterprise CA. The ou=NorlockPKI,o=Nortel root CA cert must be imported into the Java Web Start CA certificate list using the JWS Program Manager interface.


Download/Install the signed PropsFrame application
(for this web page, the server was NOT configured to return the required mime-type; your browser will simply display the contents of the .jnlp file)

Details of Server Testing

The Java Web Start signed application above was configured and tested on Win2000 using Tomcat 4.0b5 as a standard webapp as shown below:

The $TOMCAT_HOME/webapps/propsframe/lib directory contains the signed JAR archive PropsFrame.jar as specified in the propsframe.jnlp file.
Since this simple application does not use servlets, a Web Application Deployment Descriptor web.xml is NOT required in the application directory.

The $TOMCAT_HOME/conf directory contains the web.xml default Web Application Deployment Descriptor file. Any new mime-type mappings required for web applications using the Tomcat standalone server should be added here. [Of course, for production deployment, the method for configuring mime-type mapping will be dependent on the actual web-server used].
In particular, for Java Web Start/JNLP the server needs to have the following mime-type entry added:

<mime-mapping> <extension> jnlp </extension> <mime-type> application/x-java-jnlp-file </mime-type> </mime-mapping>

Using the Tomcat 4.0b5 server and configured as above, the Java Web Start application was successfully tested with the URL:

Further Information:
Java Web Start to the rescue (JavaWorld July 2001)