Webstart Security is Impossible. Trying to use with glassfhish 4

Question

The end goal is to provide application client downloads using Java webstart from Glassfish 4.

I've been trying to get this working for 3 days, researching every method I can find and no matter what I try, webstart is blocked.

• Exception list. Doesn't work.
• Adding the certificate as a trusted certificate. Doesn't work.
• Sandbox which doesn't need any permissions. Doesn't work.
• Updating Java. Doesn't work.
• I can't seem to find the deployment rule sets option but this sounds like something that needs full windows server integration etc.
• There is no medium option in the Java console security settings as I am using java 8.0.31.
• Simple test app that has nothing but static main void which prints a message to command line. Cannot get it to work...

It is starting to drive me crazy that it is impossible to develop anything using webstart, the only options I can see are purchasing a certificate for local development or totally dropping webstart...

How I added the certifacte to my machine - the certificate is shown in my Java console.

Here is the simple scenario I cannot get working:

package com.cbprogramming;

import javafx.application.Application;
import javafx.stage.Stage;

public class Main extends Application {
    @Override
    public void start(Stage primaryStage) throws Exception {
        System.out.println("Test");
    }


    public static void main(String[] args) {
        launch(args);
    }
}

I then used IntelliJ Idea to create a JavaFX application that packages it including the webstart jar file, JNLP file and html web page including custom manifest fields for permissions: sandbox and codebase.

The JNLP file, I also tried with the security and permissions tags, both all-permissions and sandbox.

<?xml version="1.0" encoding="utf-8"?>
<jnlp spec="1.0" xmlns:jfx="http://javafx.com" href="WebstartTest.jnlp">
  <information>
    <title>Webstart Test</title>
    <vendor>Testing</vendor>
    <description>A Java Webstart testing app</description>
    <offline-allowed/>
  </information>
  <resources>
    <jfx:javafx-runtime version="8.0+" href="http://javadl.sun.com/webapps/download/GetFile/javafx-latest/windows-i586/javafx2.jnlp"/>
  </resources>
  <resources>
    <j2se version="1.6+" href="http://java.sun.com/products/autodl/j2se"/>
    <jar href="WebstartTest.jar" size="1190" download="eager" />
  </resources>
<security>
  <all-permissions/>
</security>
  <applet-desc  width="600" height="400" main-class="com.javafx.main.NoJavaFXFallback"  name="WebstartTest" >
    <param name="requiredFXVersion" value="8.0+"/>
  </applet-desc>
  <jfx:javafx-desc  width="600" height="400" main-class="com.test.Main"  name="WebstartTest" />
  <update check="background"/>
</jnlp>

And the manifest file:

Manifest-Version: 1.0
permissions: sandbox
codebase: file:///d:/test/
JavaFX-Version: 8.0
Class-Path: 
Created-By: JavaFX Packager
Main-Class: com.test.Main

Name: com/test/Main.class
SHA-256-Digest: 8BK5m/ojirCK/QEx8Oe+9z/L6P8JXin0CMDK4R2mkAI=

I have added the jnlp, jar and html files to the exceptions list, I've tried both with file:// and file:///, I've also tried adding the glassfhish URL to the exception list, http and https...

I am developing on a Win 8.1 pro machine using Jdk 8.0.31.

Every forum I have read users are saying any one of these options fix their problem. What am I doing so wrong?!? Is 8.0.31 broken? Or is webstart just not worth using?

Answer 1

Here is what I found incase others find it useful.

It looks like Glassfish 4.1 has a webstart bug when using Java 7 update 25 or later (currently 8.0.31). The workaround is to use an older version of Java.

• I never could get the java console exceptions list to work.
• Adding the certificate as trusted let webstart work from a local file/html file but it still didn't work through glassfish.
• The tags needed to be removed from jnlp files now that they are in the jar manifest file or the application was blocked, these tags are added automaticlly by glassfish and intellij JavaFX packager.
• Another thought is to setup a local certificate authority and add it as trusted through the java console - this way it isn't a self signed certificate.

Also, to get a glassfish application client debugging in IntelliJ:

• Create a batch file: start "name" cmd /c "<installdir>\glassfish\bin\appclient.bat -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=5005 -client <dir>\TEMPSClient.jar"
• Create a remote debugging configuration and set it to run the created script using the external tool in the before launch section.

This uses the default ports etc. for remote debugging, and will run the application jar in the glassfish client container before attaching the debugger to it. To get console output, redirect stdout and stderr to a log file and attach the log file to your remote debug configuration.

I first tried using the embedded ACC but couldn't get that working (copy/paste from docs has functions that don't even exist...). It would be great if someone knows of a good tutorial for using the embedded ACC.