Signing JNLP - Where does JNLP-INF directory go?

L Jacobs

Joined: Oct 03, 2011
Posts: 1
I am trying to launch a Java Webstart JNLP program without striking fear into the hearts of those that use it.
I have a valid certificate and keystore, and launching the JNLP confirms that the certificate side is all OK.
However, like many I seem to be getting the message "Although the application has a digital signature, the application's associated file (JNLP) does not have one. A digital signature ensures that a file is from the vendor and that it has not been altered."

Reading the JNLP Spec (JSR-56)
Section 5.4.1 SIGNING OF JNLP FILES states:
A JNLP file can optionally be signed. A JNLP Client must check if a signed version of the JNLP file
exists, and if so, verify that it matches the JNLP file that is used to launch the application. If it does not
match, then the launch must be aborted. If no signed JNLP file exists, then the JNLP file is not signed,
and no check needs to be performed.

A JNLP file is signed by including a copy of it in the signed main JAR file. The copy must match the JNLP file used to launch the application. The signed copy must be named: JNLP-INF/APPLICATION.JNLP. The APPLICATION.JNLP filename should be generated in upper case, but should be recognized in any case. The signed JNLP file must be compared byte-wise against the JNLP file used to launch the application. If the two byte streams are identical, then the verification succeeds, otherwise it fails. As described above, a JNLP file is not required to be signed in order for an application to be signed. This is similar to the behavior of Applets, where the Applet tags in the HTML pages are not signed, even when granting unrestricted access to the Applet.

And I confess much of the paragraph isn't exactly clear to a newbie like me.

So maybe this is extremely basic - but where exactly should the JNLP-INF/APPLICATION.JNLP go ?
I am using Eclipse, and I have about 25 jars (ext and lib). Is JNLP-INF some standard folder name and location? My is located in a "build" folder where my Ant resides. I have tried copying my jnlp as APPLICATION.JNLP into this directory, but that did not resolve the JNLP not signed message.
I have also created a folder called JNLP-INF where the main class is (and therefore I thought would be signed in the jar) but... no go.
Very frustrating but luckily not a huge deal or priority, I have many more things to learn so JAVA will keep me plenty busy for years to come

JavaWS: Version
JavaJRE: Version 1.6.0_26
Paul Clapham

Joined: Oct 14, 2005
Posts: 19973

To me that says that the jar (which you are going to sign) contains a folder named "JNLP-INF" and inside that folder is your "APPLICATION.JNLP" file. Did you do that?
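
The placement rule quoted from JSR-56 section 5.4.1 can be checked mechanically before a launch is attempted. The following is an added example, not code from the thread or from any Java Web Start implementation: it opens the main JAR as a ZIP archive, looks for `JNLP-INF/APPLICATION.JNLP` at the archive root, and compares it byte-wise with the launch file. The JAR contents and JNLP text are constructed sample data, and matching the directory name exactly while matching the file name in any case is an assumption about how the spec wording is applied.

```python
import io
import zipfile

SIGNED_DIR = "JNLP-INF/"          # must sit at the root of the main JAR
SIGNED_NAME = "APPLICATION.JNLP"  # file name is recognised in any case

def find_signed_jnlp(jar):
    """Return the entry name of the embedded JNLP copy, or None."""
    for name in jar.namelist():
        if name.startswith(SIGNED_DIR) and name[len(SIGNED_DIR):].upper() == SIGNED_NAME:
            return name
    return None

def check_jnlp(jar_bytes, launch_jnlp):
    """Return 'no-signed-copy', 'match' or 'mismatch' for a JAR and launch file."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        entry = find_signed_jnlp(jar)
        if entry is None:
            return "no-signed-copy"
        embedded = jar.read(entry)
    # The comparison is byte-wise: a changed line ending is enough to fail.
    return "match" if embedded == launch_jnlp else "mismatch"

def build_jar(entries):
    """Build an in-memory JAR (ZIP) from {entry name: bytes} for the demo."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name, data in entries.items():
            jar.writestr(name, data)
    return buf.getvalue()

# Constructed sample data, not taken from the thread.
JNLP = b'<jnlp spec="1.0+" href="app.jnlp">\n  <security><all-permissions/></security>\n</jnlp>\n'
MAIN = {"com/example/Main.class": b"\xca\xfe\xba\xbe"}

def results():
    at_root = build_jar({**MAIN, "JNLP-INF/APPLICATION.JNLP": JNLP})
    lower = build_jar({**MAIN, "JNLP-INF/application.jnlp": JNLP})
    beside_class = build_jar({**MAIN, "com/example/JNLP-INF/APPLICATION.JNLP": JNLP})
    return {
        "copy at JAR root": check_jnlp(at_root, JNLP),
        "lower-case file name": check_jnlp(lower, JNLP),
        "folder next to main class": check_jnlp(beside_class, JNLP),
        "launch file saved with CRLF": check_jnlp(at_root, JNLP.replace(b"\n", b"\r\n")),
    }

if __name__ == "__main__":
    for case, outcome in results().items():
        print(f"{case}: {outcome}")
```

This checks placement and content only; whether the entry is actually covered by the JAR signature is what `jarsigner -verify` reports, so the copy has to be added to the JAR before it is signed.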
M Page

Joined: Nov 30, 2012
Posts: 3
I was receiving a stack trace error
Caused by: java.lang.SecurityException: Unable to create temporary file
at Source)
at Source)
at Source)
at org.apache.xmlbeans.impl.common.XBeanDebug.log(
at org.apache.xmlbeans.impl.common.XBeanDebug.logException(
at org.apache.xmlbeans.impl.schema.SchemaTypeSystemImpl.<init>(
... 27 more
which led me to this thread.
I added the folder/jnlp file to my jar and signed it as indicated in the thread.
I still have the problem.

The stack trace starts out as a POIXMLException indicating unable to create a temporary file.

Now I do not get this error when running my application inside of Eclipse or when I run the application jar file directly.

Any help would be appreciated.

And I have checked the POI forums. As far as I can tell all of the external jars I need are up to date.
I believe they must be since the app does work except when launched by a jnlp file.
Martin Vajsar

Joined: Aug 22, 2010
Posts: 3733

Welcome to the Ranch!

I'm just guessing, but I don't see any connection to the original problem in this thread.

The stack trace looks like there's a problem in creating a temporary file somewhere, most probably connected to a log file of some kind (see the org.apache.xmlbeans.impl.common.XBeanDebug.log line in the stack trace). It is possible that running your application via JNLP gives it a different security context than running it as a jar file or from IDE. My advice would be to try to figure out what file/directory is the XBeanDebug class trying to write to and verify its permissions, and perhaps also review security settings of your Java installation (if you're on Windows, it's the Java Control Panel).
M Page

Joined: Nov 30, 2012
Posts: 3
My apologies. The connection to the thread is that I tried including the jnlp in my app and it didn't solve the problem.

The permission problem seems to be in creating an Excel 2007 workbook (POI XSSF) in the user's My Documents folder.
And your analysis is in line with my company's IT department but I function as a 'maverick' and have to figure these
things out on my own.

I'll check my java install security settings.

It's a most annoying problem since Excel 2003 workbooks (POI HSSF) don't have this problem. Most likely OOXML related.

Thanks for your help.

M Page

Joined: Nov 30, 2012
Posts: 3
I was able to find a solution to my problem.

Let me restate my problem.

I have a Java application which uses POI XSSF to read and write Excel 2007 workbooks to the user's 'My Documents' folder.
The application functions as designed when run through Eclipse, DOS batch file launch or directly (double clicking on the app jar file).
It does not work correctly when launched through jnlp. The final stack trace shows it is a security issue: unable to write temporary file.

The jnlp is initiated from my pc. This runs the app jar file which is located on a secured network directory.
or jnlp --> main jar

Note: I have security set to all-permissions in the jnlp.

The solution was to create another java app which, by using dos commands, launches the desired app jar.
So I have jnlp --> intermediate jar --> main jar
