Java Web Start applications and Gatekeeper

jlanawalt Member Posts: 41
edited Mar 23, 2015 2:33PM in Java Web Start & JNLP

As more of our customers upgrade to Mac OS X 10.8 or later or purchase new machines we've had to deal with helping more of them work around Gatekeeper for our Java Web Start deployed applications. Many discussions found on the web show the confusion that surrounds this technology and how it interacts with Web Start apps. Most "solutions" suggest various security changes like allowing apps downloaded from anywhere. The one we most often employ is to control-click the JNLP file and choose Open. Then the dialog has an option to "install" the application anyway.

My take-away from the discussions has been that Gatekeeper is looking for what it considers to be executable code, including JNLP files and Java applets, to be signed via codesign, which is stored as an extended HFS attribute and as a result is not transferred over HTTP unless the file is wrapped into some bundle like xip or in a disk image (dmg). Neither of these is a click-and-run experience, and both move me from the realm of Web Start deployment to just wrapping it up as an Apple app bundle.

Before OS X 10.8 (Mountain Lion) was released, Scott K published on the Talking Java Deployment blog an article titled "Java applications and Gatekeeper" where he suggested the best possible user experience comes from creating an app that is bundled with Java and signed with an Apple Developer ID using the codesign tool. (Note this is not the same as the code signing from jarsigner in the JAR/META-INF.) The article ends, edited, with a statement that Gatekeeper does not apply to command-line tools like java, javac, javah and so on. It has been my experience that it does seem to apply to javaws or whatever is used on the Mac to launch a Web Start app from a JNLP file. It is as if Apple has said they don't trust the Java security model for downloaded dynamic code and are adding an extra restriction that seems to severely limit the "click-and-run" functionality of Web Start or applets.

Is there anything I can do to get a JNLP file to "just work" for Mac end users like it used to before 10.8 / Gatekeeper?

Is there anything in the works from Oracle to fix this issue?

--

Jacob

This discussion has been closed.