i am pretty sure your java application can at least load a text file from an url and present it, regardless if it is in a signed jar or not.
instantiating a class from an unsigned byte stream might pose problematic due to java's into depth security concept, but i expect that it might be possible using a modified classloader. the easiest workaround is probably turning the whole OJ.zip distribution into one big jar file and sign that. i actually perceived webstart (similar to other java webbrowser plugins) as a dead horse for a while now. how good is the jnlp execution files support (from filesystem/browser) exactly on our platforms? what is the rationale to have a desktop application like OJ having wrapped up as a webstart application? ..ede On 15.05.2012 16:18, Rahkonen Jukka wrote: > Hi, > > About Java Web Start, it has strict limits what it can do (from > http://docs.oracle.com/javase/6/docs/technotes/guides/javaws/developersguide/development.html#intro): > > - An application must be delivered as a set of JAR files. > - All application resources, such as files and images must be stored in JAR > files; and they must be referenced using the getResource mechanism in the > Java(TM) Platform Standard Edition (see below). > - An application that needs unrestricted access to the system will need to be > delivered in a set of signed JAR files. All entries in each JAR file must be > signed. > > That means that readme.txt must be packaged into some jar or then OpenJUMP > must have some self programmed system for getting it. > > Compulsory signing makes it tricky to deliver plugins. All that one jnlp file > is downloading must be signed with the same certificate. Therefore that who > delivers the core OJ should take the plugin jars too and sign them with the > same computer. But fortunately there seems to be a way to make this a little > bit easier: JNLP file can contain references to other JNLP files. Thus the > main JNLP may instruct to download the core through core.jnlp from one site > and plugin through plugin.jnlp from another site and that way it is possible > that the plugin is signed with another certificate. > > Hmm, I remember that the certificate must be found from Java keystore. With > self-signed jars it is possible to make the living very painful for your > users, especially with many plugins and many self-signed jars... Downloadin > and installing server sertificates and perhaps also CA certificates into the > keystore is not very simple. User must be sure to update the keystore of the > same jre that is used by the application, and those added certificates > disappear with Java update... I have spent some time in telephone giving > advise on this. > > I did not like at all the play with updating resource files, packing them to > jars, signing and putting in the right place for JWS launch. However, when > it went OK it was just me who suffered and users did not even notice that > there were an update. But if there was by accident one jar unsigned or > signed with a wrong certificate then the application did not work for anybody > after the update. > > -Jukka Rahkonen- > > >> -----Alkuperäinen viesti----- >> Lähettäjä: Edgar Soldin [mailto:ed...@soldin.de] >> Lähetetty: 15. toukokuuta 2012 13:14 >> Vastaanottaja: OpenJump develop and use >> Aihe: Re: [JPP-Devel] Aboutdialog >> >> On 15.05.2012 00:47, Stefan Steiniger wrote: >>> Hi Ede, Michael, Matthias >>> >>> following also Michaels comment in the other email: >>> My suggestion would be a proper (english) error message (= >> what you call >>> a note). No stack-trace or so. Just a simple one-liner >> (plus weblink?) >>> (using try/catch/...?) >> >> could be done. it should be translated then as well of course. >> >>> Is that possible? Though - I see you did already an RC3. So >> at least we >>> could change it for 1.5.3. >> >> absolutely. i don't see a need to hurry with this, as it does >> not affect desktop users currently and webstart users see it >> for a good reason. >> >>> Btw: didn't thought about the licence note. And it seems to >> me even more >>> important if it is webstart. Or is licence anywhere else >> noted in webstart? >> >> probably not. but again it's not only the one OJ license but >> also about the other ones not to mention all the contributors >> which definitely earned their place in the readme file. >> >> in conclusion: as stated Matthias should find a way to ship >> at least the readme.txt, better yet all license files as >> well, maybe we can even only provide a note in readme that >> these license files are available in the distribution zip file. >> >> ..ede >> >> -------------------------------------------------------------- >> ---------------- >> Live Security Virtual Conference >> Exclusive live event will cover all the ways today's security and >> threat landscape has changed and how IT managers can respond. >> Discussions >> will include endpoint security, mobile security and the >> latest in malware >> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/ >> _______________________________________________ >> Jump-pilot-devel mailing list >> Jump-pilot-devel@lists.sourceforge.net >> https://lists.sourceforge.net/lists/listinfo/jump-pilot-devel >> > ------------------------------------------------------------------------------ > Live Security Virtual Conference > Exclusive live event will cover all the ways today's security and > threat landscape has changed and how IT managers can respond. Discussions > will include endpoint security, mobile security and the latest in malware > threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/ > _______________________________________________ > Jump-pilot-devel mailing list > Jump-pilot-devel@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/jump-pilot-devel ------------------------------------------------------------------------------ Live Security Virtual Conference Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/ _______________________________________________ Jump-pilot-devel mailing list Jump-pilot-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/jump-pilot-devel