Signing a jnlp in order to get rid of the Security Warning

Question

I am developing at a company where a jnlp file is used to start a swing web based java application. It has plenty of jars that are downloaded to the client's jvm cache. When I updated my jvm to its currently latest version (build 1.7.0_45-b18) I started seeing the security warning below when I try to run the jnlp file:

After I saw this error and read this article about signing jnlp files from oracle site( Signing JNLP files) then I added three things to the project:

1. A JNLP-INF folder including an APPLICATION.JNLP file into all my jars except third party ones.
2. Signing all those jars with the digital certificate+keystore bundle of my own company
3. Importing the digital certificate into my trusted Ca certificates of jvm via java control panel.

After I did the changes above and tried to run the jnlp file after deployment of new jars I got the following Security warning message from jvm:

As you can see the Security Warning's severity level is changed to a more welcoming level and now the publisher's name is not unknown.It is the name from the certificate. Even if the warning's level is decreased it is still a warning and I dont want my end users to see this everytime. How can I solve this problem?

1. Should I try to sign all third part jars as well? If so how can I do it with an Ant command? How can I extract a third party jar and add the JNLP-INF folder in it and then repack it as a jar by using Ant?
2. Should I also sign the final myapplication.ear file with a JNLP-INF subfolder in it.This ear file is deployed to jboss server?
3. Should I add some extra lines to my META-INF/MANIFEST files in jars?
4. Should I be expecting oracle to block my application to run on jvm with this level of warning?

My JNLP file is this text:

<?xml version="1.0" encoding="utf-8"?>
    <jnlp spec="1.0+" codebase="http://10.100.10.9/ikarusdelhitest/" href="ikarus.jnlp">
<information>
    <title>Ikarus</title>
    <vendor>My Company name</vendor>
    <homepage href="http://www.mycompanyname.com" />
    <description>My jnlp triggered web based enterprise software</description>
    <icon href="ikarus.ico" />
    <offline-allowed />
</information>
<security>
    <all-permissions />
</security>
<resources>
    <j2se version="1.6+" href="http://java.sun.com/products/autodl/j2se"
        java-vm-args="-Xnoclassgc -Xincgc -client -XX:DefaultMaxRAM=208M -Xms64M -Xmx256M -XX:PermSize=32M -XX:MaxPermSize=128M -XX:MinHeapFreeRatio=15 -XX:MaxHeapFreeRatio=50" />
    <jar href="jars/ikarus/ikarusClient.jar" />
    <jar href="jars/ikarus/ikarusDelegators.jar" />
    <jar href="jars/ikarus/clientRules.jar" />
    <jar href="jars/ikarus/ruleImps.jar" />
    <jar href="jars/ikarus/ikarusUtil.jar" />
    <jar href="jars/ikarus/ikarusResources.jar" />
    <jar href="jars/ikarus/domain.jar" />
    <jar href="jars/ikarus/domain_repository.jar" />
    <jar href="jars/ikarus/domain_service.jar" />
    <jar href="jars/ikarus/app_repository.jar" />
    <jar href="jars/ikarus/app_service.jar" />
    <jar href="jars/ikarus/infrastructure.jar" />
    <jar href="jars/ikarus/integration_domain.jar" />
    <jar href="jars/jboss_ejb_auth/ejb3-persistence.jar" />
    <jar href="jars/jboss_ejb_auth/jboss-ejb3x.jar" />
    <jar href="jars/jboss_ejb_auth/jbossall-client.jar" />
    <jar href="jars/jasper/commons-beanutils-1.8.0.jar" />
    <jar href="jars/jasper/commons-collections-3.2.1.jar" />
    <jar href="jars/jasper/commons-digester-1.7.jar" />
    <jar href="jars/jasper/commons-logging-1.1.jar" />
    <jar href="jars/jasper/iText-2.1.0.jar" />
    <jar href="jars/jasper/jasperreports-3.6.0.jar" />
    <jar href="jars/jasper/poi-3.2-FINAL-20081019.jar" />
    <property name="jnlp.localization" value="Delhi"/>
</resources>
<application-desc main-class="com.celebi.ikarus.main.Ikarus" />

Thanks for any help/comment/brain storming.

Answer 1

This JNLP seems to need signing because of java-vm-args but realize that most of the memory related options can be specified in a way so that the JNLP does not need to be signed. I recommend you try that way instead.

Edit

JNLP was part of the Java Plug-In which was removed from browsers and deprecated by Oracle around Java 9. Use other methods to launch apps.

Answer 2

I believe you are getting this warning because you are requesting the JNLP to run with full permissions, and the user needs to know about that.

If you application doesn't need to access critical resources (for instance write to the hard drive), you can run your application in sandbox mode by replacing the following:

<security>
    <all-permissions />
</security>

by

<security>
    <sandbox />
</security>

as documented in http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/security/manifest.html

You can also remove it as sandbox is the default value.