Discussions
Categories
- 382.3K All Categories
- 2.1K Data
- 209 Big Data Appliance
- 1.9K Data Science
- 448K Databases
- 221K General Database Discussions
- 3.7K Java and JavaScript in the Database
- 25 Multilingual Engine
- 520 MySQL Community Space
- 467 NoSQL Database
- 7.8K Oracle Database Express Edition (XE)
- 2.9K ORDS, SODA & JSON in the Database
- 492 SQLcl
- 3.9K SQL Developer Data Modeler
- 186.2K SQL & PL/SQL
- 21K SQL Developer
- 293.3K Development
- 7 Developer Projects
- 128 Programming Languages
- 290K Development Tools
- 95 DevOps
- 3K QA/Testing
- 645.5K Java
- 24 Java Learning Subscription
- 36.9K Database Connectivity
- 150 Java Community Process
- 104 Java 25
- 22.1K Java APIs
- 137.9K Java Development Tools
- 165.3K Java EE (Java Enterprise Edition)
- 16 Java Essentials
- 144 Java 8 Questions
- 85.9K Java Programming
- 79 Java Puzzle Ball
- 65.1K New To Java
- 1.7K Training / Learning / Certification
- 13.8K Java HotSpot Virtual Machine
- 94.2K Java SE
- 13.8K Java Security
- 198 Java User Groups
- 24 JavaScript - Nashorn
- Programs
- 267 LiveLabs
- 36 Workshops
- 10.2K Software
- 6.7K Berkeley DB Family
- 3.5K JHeadstart
- 5.8K Other Languages
- 2.3K Chinese
- 166 Deutsche Oracle Community
- 1.2K Español
- 1.9K Japanese
- 230 Portuguese
Java Web Start applications and Gatekeeper
As more of our customers upgrade to Mac OS X 10.8 or later or purchase new machines we've had to deal with helping more of them work around Gatekeeper for our Java Web Start deployed applications. Many discussions found on the web show the confusion that surrounds this technology and how it interacts with Web Start apps. Most "solutions" suggest various security changes like allowing apps downloaded from anywhere. The one we most often employ is to control-click the JNLP file and choose Open. Then the dialog has an option to "install" the application anyway.
My take-away from the discussions has been that Gatekeeper is looking for what it considers to be executable code, including JNLP files and Java applets, to be signed via codesign which is stored as an extended HFS attribute and as a result is not transferred over HTTP unless the file is wrapped into some bundle like xip or in a disk image (dmg). Neither of these are a click-and-run experience and move me from the realm of Web Start deployment to just wrapping it up as an Apple app bundle.
Before OS X 10.8 (Mountain Lion) was released, Scott K published on the Talking Java Deployment blog an article titled Java applications and Gatekeeper where he suggested the best possible user experience comes from creating an app that is bundled with Java and signed with an Apple Devloper ID using the codesign tool. (Note this is not the same as the code signing from jarsigner in the JAR/META-INF. The article ends, edited, with a statement that Gatekeeper does not apply to command-line tools like java, javac, javah and so on. It has been my experience that it does seem to apply to javaws or whatever is used on the Mac to launch a Web Start app from a JNLP file. It is as if Apple has said they don't trust the Java security model for downloaded dynamic code and are adding an extra restriction that seems to severely limit the "click-and-run" functionality of Web Start or applets.
Is there anything I can do to get a JNLP file to "just work" for Mac end users like it use to before 10.8 / Gatekeeper?
Is there anything in the works from Oracle to fix this issue?
--
Jacob