Java Web Start and Signing Jars

In response to a feature request from L. M. Orchard I’ve just spent a couple of hours packaging up the FOAF-a-Matic Mark 2 as a Java Web Start application.
Actually creating the requisite JNLP file was straight-forward; the specification is clear and the format simple. I very quickly had the application launching from a web page link. What took a bit longer is working out how to sign the jar files so that I could request permission to access the file system, open local ports and remote connections. Actually with the current version of JNLP you have to create all permissions, there’s no granularity in what you can request or grant access to. Suprising really as you’d expect this to be relatively easy to implement giving that the underling security manager and permissions model is all in place.
Anyway, the JNLP and jarsigner documentation just refer you to a certificate authority to get a certificate to sign your jar files. This is frustrating as I’m not about to fork out for a certificate when I’m giving the code away for free. A quick bit of googling dug up this excellent document from Richard Dallaway, “Java Web Start and Code Signing“. Dallaway had met exactly this problem and documented how to sign up for a free certificate from Thawte.
Completing the requisite application forms, and awaiting for email confirmations ate up the rest of the time required to get FM Mark 2 running under Web Start. Happily Ant already has tasks for signing jars so it was quite straight-forward to add a new target to my build file to create the Web Start distribution.
The lesson to be learned here is to take the time to write up any non-trivial problems you resolve, because you’re going to save someone (and probaby many people) from floundering around. Doing so with bring good karma. Guaranteed
The Web Start enabled FM Mark 2, plus a couple of bug fixes, will be beta-2.1 arriving at a browser near you shortly.

4 thoughts on “Java Web Start and Signing Jars

  1. eu says:

    Hey! Webstart will perfectly accept the self-signed certificate generated by keytool. The only difference is that user will receive a warning that certificate is not signed by trusted authority. That’s it!

  2. Leigh Dodds says:

    I’d missed that. Serves me right for not reading through all of the keytool documentation thoroughly. My eyes have a tendency to glaze over at some of this stuff.
    I’ll give that a try alongside the Thawte certificate.
    I suppose it’s something of a trade-off. On the one hand you get more control over the certificate (i.e. you can stick your name in there; with Thawte you have to join their web of trust for that), on the other hand it’s not “trusted”.

  3. jeff says:

    I am finding mixed statements on whether or not FOAF is dead. It also seems there are alot of broken apps and links in the foaf explorers. Sorry for intruding on your blog but you seem like your active in FOAF development and a good person to ask. I ask because I implemented FOAF definitions for each of the users of my website and created a browser that browses FOAF files seemlessly from my user network however I am wondering if the FOAF spec is going to die off or not anytime soon.
    Thanks
    Jeff

  4. Leigh Dodds says:

    Hi Jeff,
    > I am finding mixed statements on whether or not FOAF is dead.
    I’d be interested in pointers to those statements as FOAF is certainly not dead. There is a very active community on the #foaf IRC channel, and frequent traffic on the rdfweb-dev mailing list where FOAF issues are discussed.
    I’m currently working on several different applications that use FOAF in some form or other, and there is ongoing development to applications like foafnaut, foafbot, etc.
    There are also a number of FOAF presentations and talks at the upcoming etcon. FOAF is emerging, not disappearing!
    Interest in FOAF as a means of sharing data between social networking sites, and in the blogging community seems to be increasing not decreasing. At least from where I sit!
    > It also seems there are alot of broken apps and
    > links in the foaf explorers. Sorry for intruding > on your blog but you seem like your active in
    > FOAF development and a good person to ask.
    Again, do you have pointers? If you have details of which apps are broken then posting them to the rdfweb-dev mailing list will ensure that they get looked at by the right people. (See foaf-project.org for details of how to sign up).
    Broken links are probably inevitable: FOAF is based around the concept of a web of RDF documents. And just like the ordinary web these documents might 404. It’s up to the individual to maintain these.
    > I ask because I implemented FOAF definitions for
    > each of the users of my website and created a
    > browser that browses FOAF files seemlessly from
    > my user network however I am wondering if the
    > FOAF spec is going to die off or not anytime soon.
    I, and I’m sure others in the FOAF community, would be interested in seeing this.
    The FOAF spec is still being developed, and isn’t going to become stale.
    Cheers,
    L.

Comments are closed.

Follow

Get every new post delivered to your Inbox.

Join 30 other followers

%d bloggers like this: