This discussion is archived
3 Replies Latest reply: Oct 24, 2012 10:56 AM by DrClap RSS

JWS security solutions

970271 Newbie
Currently Being Moderated
Is there an FAQ for this forum, or perhaps a general Java Web Start faq somewhere else?

I'm a long time Java SE developer who is moving a desktop application to run from the web. I've made the code load using JNLP and have the servlets running on the backend, but when I got to the point of adding security (logging in on the server then using a .jsp to generate a .jnlp with the jsessionid for the client load) I got stuck hard and suspect I'm on a dead end.

So I'm specifically looking for suggestions as to where to go for Java Web Start security solutions.
  • 1. Re: JWS security solutions
    DrClap Expert
    Currently Being Moderated
    user7539056 wrote:
    when I got to the point of adding security (logging in on the server then using a .jsp to generate a .jnlp with the jsessionid for the client load)
    That sounds like a strange way to implement security to me. As a user of a Web Start application I wouldn't really expect that I would have to go to the web site and log in every time I wanted to use the application. I would expect to download it and then be able to use it without the browser from then on.

    And as a producer of Web Start applications it seems to me that your idea is very likely to run afoul of processes which like to cache things. I know that was one of the issues that confounded me the most.
  • 2. Re: JWS security solutions
    970271 Newbie
    Currently Being Moderated
    The point of the JWS is to introduce them to the product and to try and induce them to license the full installable version, so I think the design is the right one. If your use case became the more common (or I fot more energy) I could toss in code to handle the web login for the cases when I start without a jsessionid.
  • 3. Re: JWS security solutions
    DrClap Expert
    Currently Being Moderated
    Perhaps an applet would be a better approach for the introductory version, then? You could pass the jsessionid as an applet parameter in the HTML page containing the applet... although in this case the applet shares the session with the browser so you don't really need that. And you can use JNLP features in applets. (Or so I hear... haven't really looked into that.)

Legend

  • Correct Answers - 10 points
  • Helpful Answers - 5 points