I am developing at a company where a jnlp file is used to start a swing web based java application. It has plenty of jars that are downloaded to the client's jvm cache. When I updated my jvm to its currently latest version (build 1.7.0_45-b18) I started seeing the security warning below when I try to run the jnlp file:
After I saw this error and read this article about signing jnlp files from oracle site( Signing JNLP files) then I added three things to the project:
After I did the changes above and tried to run the jnlp file after deployment of new jars I got the following Security warning message from jvm:
As you can see the Security Warning's severity level is changed to a more welcoming level and now the publisher's name is not unknown.It is the name from the certificate. Even if the warning's level is decreased it is still a warning and I dont want my end users to see this everytime. How can I solve this problem?
My JNLP file is this text:
<?xml version="1.0" encoding="utf-8"?>
<jnlp spec="1.0+" codebase="http://10.100.10.9/ikarusdelhitest/" href="ikarus.jnlp">
<information>
<title>Ikarus</title>
<vendor>My Company name</vendor>
<homepage href="http://www.mycompanyname.com" />
<description>My jnlp triggered web based enterprise software</description>
<icon href="ikarus.ico" />
<offline-allowed />
</information>
<security>
<all-permissions />
</security>
<resources>
<j2se version="1.6+" href="http://java.sun.com/products/autodl/j2se"
java-vm-args="-Xnoclassgc -Xincgc -client -XX:DefaultMaxRAM=208M -Xms64M -Xmx256M -XX:PermSize=32M -XX:MaxPermSize=128M -XX:MinHeapFreeRatio=15 -XX:MaxHeapFreeRatio=50" />
<jar href="jars/ikarus/ikarusClient.jar" />
<jar href="jars/ikarus/ikarusDelegators.jar" />
<jar href="jars/ikarus/clientRules.jar" />
<jar href="jars/ikarus/ruleImps.jar" />
<jar href="jars/ikarus/ikarusUtil.jar" />
<jar href="jars/ikarus/ikarusResources.jar" />
<jar href="jars/ikarus/domain.jar" />
<jar href="jars/ikarus/domain_repository.jar" />
<jar href="jars/ikarus/domain_service.jar" />
<jar href="jars/ikarus/app_repository.jar" />
<jar href="jars/ikarus/app_service.jar" />
<jar href="jars/ikarus/infrastructure.jar" />
<jar href="jars/ikarus/integration_domain.jar" />
<jar href="jars/jboss_ejb_auth/ejb3-persistence.jar" />
<jar href="jars/jboss_ejb_auth/jboss-ejb3x.jar" />
<jar href="jars/jboss_ejb_auth/jbossall-client.jar" />
<jar href="jars/jasper/commons-beanutils-1.8.0.jar" />
<jar href="jars/jasper/commons-collections-3.2.1.jar" />
<jar href="jars/jasper/commons-digester-1.7.jar" />
<jar href="jars/jasper/commons-logging-1.1.jar" />
<jar href="jars/jasper/iText-2.1.0.jar" />
<jar href="jars/jasper/jasperreports-3.6.0.jar" />
<jar href="jars/jasper/poi-3.2-FINAL-20081019.jar" />
<property name="jnlp.localization" value="Delhi"/>
</resources>
<application-desc main-class="com.celebi.ikarus.main.Ikarus" />
Thanks for any help/comment/brain storming.
Click the “Advanced” tab at the top of the Java Control Panel window, click the plus sign to the left of “JNLP File/MIME Association,” select “Always Allow” or “Prompt” and click “OK.” JNLP files won't work if you select “Never Allow.”
Java Network Launch Protocol (JNLP) Support.
Open Group Policy panel. User Configuration -> Administrative Templates -> Microsoft Edge. Find list of file types that should be automatically opened on download -> Enable and add JNLP value to options. Apply this policy setting.
This JNLP seems to need signing because of java-vm-args
but realize that most of the memory related options can be specified in a way so that the JNLP does not need to be signed. I recommend you try that way instead.
Edit
JNLP was part of the Java Plug-In which was removed from browsers and deprecated by Oracle around Java 9. Use other methods to launch apps.
I believe you are getting this warning because you are requesting the JNLP to run with full permissions, and the user needs to know about that.
If you application doesn't need to access critical resources (for instance write to the hard drive), you can run your application in sandbox mode by replacing the following:
<security>
<all-permissions />
</security>
by
<security>
<sandbox />
</security>
as documented in http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/security/manifest.html
You can also remove it as sandbox is the default value.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With