javaws system property to relax or remove security?

Question

Having upgraded to Java 7 (Oracle/Sun JDK, not OpenJDK), if I try to test my app under Web Start with javaws, it tells me "Application Blocked by Security Settings". I can use the Java control panel to reduce security from high to medium to get it to work (it asks me if I want to launch an unsigned app), but that also reduces the security level for my web browser. Is there any system property that'll let me do javaws -J-Dkey=value to get that one instance of javaws to relax or ignore security with regards to what will launch (but otherwise keep security the same)?

EDIT: If anyone could point me to where the Java 7 source code for javaws is, I'd be happy to read through the code to find the answer.

EDIT 2: When I set Java security to medium through the Java control panel, launching my app with javaws results in it asking me if I want to run an unsigned app; this is what I want to duplicate. The control panel sets security to medium via adding the system property deployment.security.level=MEDIUM to the file ~/.java/deployment/deployment.properties. I've tried two ways to use this:

1) Pass -J-Ddeployment.security.level=MEDIUM to javaws. This results in my app fully launching without it asking me if I want to run an unsigned app.

2) Pass -J-Ddeployment.system.config=~/.java/deployment/FOO.properties, where FOO.properties is a copy of the normal deployment.properties file, with deployment.security.level=MEDIUM added manually. Again, this results in my app fully launching without it asking me if I want to run an unsigned app.

EDIT 3: Note that I'm using Oracle/Sun JDK, not OpenJDK.

Answer 1

• Have you tried creating your own custom SecurityManager?
• Have you tried using java.security.AllPermission (just to test if this is a fix for you) ?

Related specs:

• http://docs.oracle.com/javase/7/docs/api/java/lang/SecurityManager.html
• http://download.java.net/jdk8/docs/technotes/guides/security/permissions.html
• http://download.java.net/jdk8/docs/technotes/guides/security/spec/security-spec.doc.html

This may be very relevant to you:

• http://www.javaworld.com/javatips/jw-javatip20.html

EDIT: Re: javaws, check out the invocation of javaws itself. I did cat /usr/bin/javaws and here we go:

#!/bin/bash

JAVA=/usr/lib/jvm/java-6-openjdk-amd64/jre/bin/java
LAUNCHER_BOOTCLASSPATH="-Xbootclasspath/a:/usr/share/icedtea-web/netx.jar"
LAUNCHER_FLAGS=-Xms8m
CLASSNAME=net.sourceforge.jnlp.runtime.Boot
BINARY_LOCATION=/usr/bin/javaws
PROGRAM_NAME=javaws
CP=/usr/lib/jvm/java-6-openjdk-amd64/jre/lib/rt.jar

JAVA_ARGS=( )
ARGS=( )
COMMAND=()

i=0
j=0

while [ "$#" -gt "0" ]; do
  case "$1" in
    -J*)
      JAVA_ARGS[$i]="${1##-J}"
      i=$((i+1))
      ;;
    *)
      ARGS[$j]="$1"
      j=$((j+1))
      ;;
  esac
  shift
done

k=0
COMMAND[k]="${JAVA}"
k=$((k+1))
COMMAND[k]="${LAUNCHER_BOOTCLASSPATH}"
k=$((k+1))
COMMAND[k]="${LAUNCHER_FLAGS}"
k=$((k+1))
i=0
while [ "$i" -lt "${#JAVA_ARGS[@]}" ]; do
  COMMAND[k]="${JAVA_ARGS[$i]}"
  i=$((i+1))
  k=$((k+1))
done
COMMAND[k]="-classpath"
k=$((k+1))
COMMAND[k]="${CP}"
k=$((k+1))
COMMAND[k]="-Dicedtea-web.bin.name=${PROGRAM_NAME}"
k=$((k+1))
COMMAND[k]="-Dicedtea-web.bin.location=${BINARY_LOCATION}"
k=$((k+1))
COMMAND[k]="-Djava.security.manager"
k=$((k+1))
COMMAND[k]="-Djava.security.policy=/etc/icedtea-web/javaws.policy"
k=$((k+1))
COMMAND[k]="${CLASSNAME}"
k=$((k+1))
j=0
while [ "$j" -lt "${#ARGS[@]}" ]; do
  COMMAND[k]="${ARGS[$j]}"
  j=$((j+1))
  k=$((k+1))
done

"${COMMAND[@]}"

exit $?

The most important is that a javaws.policy is loaded.