
Java Web Start and Security

It was just pointed out to me that the Java Web Start applications from my blog, for example my Key Bindings entry, no longer function because of the following security error:

[Image: security error]

Upon doing some investigation I have determined that security has been improved in JDK7 and that the default setting found on the Security Tab of the Java Control Panel found on the Windows Control Panel is set to High, which prevents the app from running. If you do change this setting to Medium, then you have the choice to accept the app and it will run. I'm guessing most people will not want to do this, so it looks like I will need to sign my jar file.

Problem is I really don't understand the whole signing process.

Currently I start by creating a .jar file with a command like:

jar cfev KeyBindings.jar KeyBindings KeyBindings*.class

I then create the .jnlp file as follows:

<?xml version="1.0" encoding="utf-8"?>
<!-- JNLP File for KeyBindings -->

<jnlp spec="1.0+"
    codebase="http://www.camick.com/java/webstart/"
    href="KeyBindings.jnlp">
    <information>
        <title>KeyBindings Application</title>
        <vendor>Tips4Java</vendor>
        <homepage href="http://tips4java.wordpress.com/"/>
        <description>KeyBindings Application</description>
        <description kind="short">Display the Key Bindings of Swing components</description>
        <offline-allowed/>
    </information>
    <resources>
        <j2se version="1.6+"/>
        <jar href="KeyBindings.jar"/>
    </resources>
    <application-desc main-class="KeyBindings"/>
</jnlp>

The .jar and .jnlp files are uploaded to the server and the Web Start app is started using the following HTML:

<a href="http://www.camick.com/java/webstart/KeyBindings.jnlp">...</a> - Using Java Web Start (JRE 6 required)

Can someone show me the additional steps I will need to follow in order to create a trusted application (or signed app, whatever the proper terminology is)?

I currently don't use any IDE for my Java Web Start apps. I do have Eclipse installed but have never used it. Would it be better to try to use Eclipse to generate the signed .jar file?

Update:

The process is more involved and expensive than I thought. I don't want to pay a Certificate Authority to sign my .jar files. Also, I currently use a free web hosting site that doesn't support SSL so I wouldn't be able to use the signed .jar files anyways as I don't want to find a new hosting site.

Since I only do my blog for fun, I don't want to incur the extra cost of using signed .jars so I guess I will have to find a different way to demonstrate the code.

Thanks for the help.

camickr asked Mar 20 '23 09:03


2 Answers

Your applet will have to be signed by a well known Certificate Authority (CA).

You could use any of them (Digicert, Thawte, Verisign, etc...)

The CAs will have instructions on how you go about getting your jar file signed.

Here is the documentation from Digicert:

Java Code Signing Certificate Guide - Digitally Sign Code for Java Applets with Integrated Identity Assurance

hooknc answered Apr 02 '23 17:04


Using the approach outlined here, I continue to deploy open-source Swing applications from a trusted site using a self-signed certificate. Checking the SHA1 fingerprint ensures that I receive the JAR I signed, without relaxing security. This Subway simulation is a complete example.

trashgod answered Apr 02 '23 16:04
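
The fingerprint check mentioned in the last answer can be done programmatically. The following is an added example, not code from the question or from either answer: it accepts a JAR only if every entry passes signature verification and was signed by the certificate whose SHA-1 fingerprint is given. The class name JarFingerprintCheck and the two command-line arguments (JAR path, expected fingerprint) are assumptions made for illustration.

```java
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.util.Collections;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

// Added example (hypothetical class, not from the page): pin a JAR to its signer's fingerprint.
public class JarFingerprintCheck {
    // Files the JAR signature scheme itself does not cover (manifest and signature files).
    static final String SIG_FILES = "META-INF/(MANIFEST\\.MF|SIG-[^/]*|[^/]+\\.(SF|RSA|DSA|EC))";

    // SHA-1 over the DER-encoded certificate, colon-separated hex as keytool prints it.
    static String sha1Fingerprint(Certificate cert) throws Exception {
        StringBuilder sb = new StringBuilder();
        for (byte b : MessageDigest.getInstance("SHA-1").digest(cert.getEncoded()))
            sb.append(sb.length() > 0 ? ":" : "").append(String.format("%02X", b));
        return sb.toString();
    }

    static boolean signedBy(String jarPath, String expected) throws Exception {
        byte[] buf = new byte[8192];
        int checked = 0;
        try (JarFile jar = new JarFile(jarPath, true)) {       // true = verify signatures
            for (JarEntry e : Collections.list(jar.entries())) {
                String name = e.getName().toUpperCase(java.util.Locale.ROOT);
                if (e.isDirectory() || name.matches(SIG_FILES)) continue;
                // Signers are set only after a full read; a tampered entry throws SecurityException here.
                try (InputStream in = jar.getInputStream(e)) {
                    while (in.read(buf) != -1) { /* drain */ }
                }
                CodeSigner[] signers = e.getCodeSigners();
                if (signers == null) return false;             // unsigned entry added to the JAR
                boolean match = false;
                for (CodeSigner s : signers)                   // first cert in the path is the signer's own
                    match |= sha1Fingerprint(s.getSignerCertPath().getCertificates().get(0))
                            .equalsIgnoreCase(expected);
                if (!match) return false;                      // signed, but by a different certificate
                checked++;
            }
        }
        return checked > 0;                                    // an empty JAR proves nothing
    }

    public static void main(String[] args) throws Exception {
        // args[0]: path to the downloaded JAR; args[1]: fingerprint published by the signer
        boolean ok = signedBy(args[0], args[1].trim());
        System.out.println(ok ? "OK: signed by expected certificate" : "REJECT");
        System.exit(ok ? 0 : 1);
    }
}
```

The check is only as strong as the channel the expected fingerprint arrives over: a self-signed certificate has no CA vouching for it, so the fingerprint must come from the signer directly and not from the same download location as the JAR.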