Web Start and SSL

Vincent Shiu
Greenhorn

Joined: Jul 16, 2002
Posts: 8
I have an AP designed as a Java Web Start program,
and I want it to connect to a web service via SSL.
I know how to do that in a normal AP. Just add a property like:
System.setProperty("javax.net.ssl.trustStore","my.keystore");
But since a JAWS program is downloaded from the server and doesn't have a my.keystore on the local file system, I can't set a property that way. Does anyone know how to deal with this?
Chantal Ackermann
Ranch Hand

Joined: Sep 28, 2000
Posts: 508
"my.keystore" is just a file, isn't it?
Then you have to pack it inside a jar, for example in your application jar at the lowest level or in an appropriate directory.
the file is loaded from the jar using the class loader, and copied to some local place ("user.dir" of a JavaWebStart app equals "user.home"!)

cheers
Vincent Shiu
Greenhorn

Joined: Jul 16, 2002
Posts: 8
Thanks a lot~~
Your solution happens to be the same as my thought. I am just trying to make it work.
By the way, I still need to sign my jar file to write the file to the local system, right?
As far as you know, are there solutions other than a signed jar?
Chantal Ackermann
Ranch Hand

Joined: Sep 28, 2000
Posts: 508
that could only be a solution where you load the keystore from the jar directly into the java runtime. i don't know if you can transform the stream you get from the classloader into something the jvm can handle.
another way would be to make an object wrap the keystore, serialize it, put it into the jar and deserialize it in the javawebstart app. you then have the object in the jvm that wraps the keystore.
but these are merely some ideas...
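
Added example, not part of the original thread: one way to load the keystore from the jar directly into the runtime, by reading it from the classpath into a `KeyStore` and building an `SSLContext` from it, so nothing is written to disk and `javax.net.ssl.trustStore` is not needed. The resource name, password, JKS store type and URL are assumptions, and the example uses `HttpsURLConnection` rather than the SOAP client discussed in the thread.

```java
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class BundledTrustStore {
    // Assumed placeholders: resource path inside the application jar and its password.
    private static final String RESOURCE = "/my.keystore";
    private static final char[] PASSWORD = "changeit".toCharArray();

    /** Builds an SSLContext that trusts only the certificates in the bundled keystore. */
    static SSLContext contextFromClasspath() throws IOException, GeneralSecurityException {
        KeyStore trustStore = KeyStore.getInstance("JKS"); // assumed store type (keytool's classic format)
        try (InputStream in = BundledTrustStore.class.getResourceAsStream(RESOURCE)) {
            if (in == null) {
                throw new IOException(RESOURCE + " not found on the classpath");
            }
            // The password only protects the store's integrity; a trust store
            // holds public certificates, so shipping it in the jar leaks no secret.
            trustStore.load(in, PASSWORD);
        }
        if (trustStore.size() == 0) {
            // Fail early instead of at handshake time with an empty trust anchor set.
            throw new GeneralSecurityException("bundled keystore contains no entries");
        }
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null); // no client key, default SecureRandom
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = contextFromClasspath();
        URL url = new URL("https://service.example.com/"); // assumed endpoint
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        // Scoped to this connection only. Under a SecurityManager this call
        // requires RuntimePermission("setFactory").
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        System.out.println("HTTP " + conn.getResponseCode());
    }
}
```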
Chantal Ackermann
Ranch Hand

Joined: Sep 28, 2000
Posts: 508
wait, I forgot something. I think there are possibilities to write to the disc in - hm, either untrusted environment or without explicit permission in the jnlp, I think the latter. the user will then be asked explicitly for this action to give permission. you have to use the JNLP (??) API for this. I remember this from the JavaWebStart Developer's Guide. Do you have it?
cheers
Vincent Shiu
Greenhorn

Joined: Jul 16, 2002
Posts: 8
Yes, I can write my.keystore to disc through the JNLP API, but without a signed jar, a confirmation dialog will pop up to ask the user for authorization.
It's inconvenient. With a signed jar, there is still some extra work that needs to be done just to write a file to the local system. I did think of using my.keystore as an object. But the file is assigned by setting a system property named 'javax.net.ssl.trustStore'. I have no idea how the program deals with that, or whether there is any alternative that uses an object instead.
Maybe I have to dig into the source code to find the answer, but .. no source code...
Chantal Ackermann
Ranch Hand

Joined: Sep 28, 2000
Posts: 508
you couldn't use the command line argument to specify the file?
-Djavax.net.ssl.keyStore=[path to my.keystore on the web server?]
cheers
Vincent Shiu
Greenhorn

Joined: Jul 16, 2002
Posts: 8
Well.. it doesn't work...
I think I still have to sign my jar, because I need to connect to some server other than the original one. Therefore, I think the best way is to write the file to the local system.
But I have a question: can I sign jars that are not mine? Like XML packages from Apache, or JSSE from Sun (which is already signed by Sun). Is it legal? If not, how can I use those packages?
Chantal Ackermann
Ranch Hand

Joined: Sep 28, 2000
Posts: 508
I just signed all the jars I need in my programs. I don't sign them with a certificate though so the user gets a dialog telling him that he should better not start the program. I am currently only deploying in the intranet so this doesn't bother me for the moment.
I don't think it is illegal to sign them. though you might add in the certificate where they come from?!
It might be possible to declare certain jars inside the JNLP file as extensions. perhaps then, you don't need to sign them. but I don't know about that.
cheers
Vincent Shiu
Greenhorn

Joined: Jul 16, 2002
Posts: 8
Finally, I can make it work now, with a signed jar.
I will try the extension feature in JNLP later.
But I found something weird. The program can connect to another server via https, but if it runs in JAWS, the connection is rejected by the proxy, unless I don't use a proxy setting.
This could be a problem if I want my program to run over the internet.
Do you have any idea about this?
Thanks for your help~~
Chantal Ackermann
Ranch Hand

Joined: Sep 28, 2000
Posts: 508
uh.
my programs connect to a database in the intranet and one program uses a browser internally to display internet sites (using http). the browser is a third party component. I had some problems with it cause I used the application component for the "normal" app. when I deployed it through webstart I had to switch to the embedded component that is available from the same software company to make it work. But I am not sure if this is really a matter of security in this case. I got some nullpointerexception with the application component.
shortly: I can connect through http with a WebStart app. have you just tried https or http, as well? maybe security is too high with https.
no, I just tried to connect to https://www.paypal.com/ with the browser that runs through JWS, and it works. Unfortunately, I can't tell you anything about the implementation of the browser.
In the admin tool of JWS the preferences are set to: use browser, direct connection to the internet. the version is JavaWebStart 1.0.1, java 1.4.1beta. Linux OS. the application is behind a firewall. permission is set to all-permissions, all jar files are signed (though I might change that to using the extension tag for third party products - I have to read the spec for JNLP more closely).
cheers
Chantal Ackermann
Ranch Hand

Joined: Sep 28, 2000
Posts: 508
still reading the spec...
here is something about the BasicService (JNLP API). I am getting confused with browsers cause sometimes they are meaning the browser where the jws app is started from and sometimes not?!

The "showDocument" method [in BasicService] displays the given URL in a Web browser. This may be the default browser on the platform, or it may be chosen by the JNLP Client some other way. [...]

There are some more interesting methods, like "isOffline" and "isWebBrowserSupported". As Applets have to connect this way, as well, I think this is the reason why I have to use the embedded component for my browser (the embedded component is meant for use in applets).
I hope I didn't tell you any old news.
good luck
Vincent Shiu
Greenhorn

Joined: Jul 16, 2002
Posts: 8
I am reading the spec., too.
Now, my program runs fine both in the JRE and in JAWS, except for the proxy issue in JAWS.
Maybe I should set up an environment to test the proxy issue. The network environment here is highly restricted, so I can't get a clear idea of what's wrong with my program.

By the way, not only my programs, but also the environment that JAWS runs on needs some packages to use the HTTPS feature. Which way do you think I can install those additional packages on the local host? By extension installer or specified in j2se?
Do you have any experience with this?
Chantal Ackermann
Ranch Hand

Joined: Sep 28, 2000
Posts: 508
i'm sorry. I have not tried running jws from a https site, yet. (that's what you mean, isn't it?)
can't you add the additional packages to your classpath? I am not sure why you would want to handle these packages different than any others. jws is pure java - it will use the classpath set for your environment?! (seems as I didn't get your meaning)
cheers
Chantal Ackermann
Ranch Hand

Joined: Sep 28, 2000
Posts: 508
what concerns jre/lib/ext:
that has never worked for me. moreover I have several jvms installed and I prefer to keep additional jars in a separate place, independent from the jvms.
Vincent Shiu
Greenhorn

Joined: Jul 16, 2002
Posts: 8
In fact, I did try a couple of ways to test https.
If I put those jsse packages with the JAWS application, I get some exceptions saying some classes are missing (those in the jsse packages).
Because they are used by JAWS, not my program, and it seems that JAWS won't take those jsse jars downloaded with my program to enable the HTTPS protocol.
So, I tried to set those packages in the classpath, and it never worked. The only place that can make it work is lib/ext of the JRE that is specified in JAWS.
I think JAWS still needs those packages to use the HTTPS protocol. But why the setting in the classpath doesn't work, that's my question, too.
And now, things are getting weird. The JAWS program only works on my PC and not on anyone else's (if I use the HTTPS feature).
On other PCs, I just get the following exceptions generated by SOAP:
[SOAPException: faultCode=SOAP-ENV:Client; msg=Error opening socket: java.net.SocketException: SSL implementation not available; targetException=java.lang.IllegalArgumentException: Error opening socket: java.net.SocketException: SSL implementation not available]
at org.apache.soap.transport.http.SOAPHTTPConnection.send(SOAPHTTPConnection.java:354)
at org.apache.soap.rpc.Call.invoke(Call.java:248)
which says that the SSL implementation is not available, but I have copied the jsse jars into lib/ext just like I did yesterday (and it worked on another PC, but not today!!)
Maybe I am really missing something, but I just can't find the problem.
I am still trying on several PCs, and hope I can figure it out quickly. The project deadline is coming...
[ August 07, 2002: Message edited by: Vincent Shiu ]
Chantal Ackermann
Ranch Hand

Joined: Sep 28, 2000
Posts: 508
you are not the only one having problems:
http://search.java.sun.com/search/java/index.jsp?qt=%2B+%2Bjavawebstart+https&col=javabugs&category=&state=&query=javawebstart+https
see the sun java web start forum for more help (if you haven't done that yet ?!)
http://forum.java.sun.com/forum.jsp?forum=38
good luck
 