12 Replies Latest reply: Apr 10, 2011 3:58 PM by EJP

How to sign a auto generated JNLP file....

843802 Newbie
Because of the fact that our web start request auto generates the appropriate JNLP file based on client information we have stored in a repository on the backend, we keep getting that annoying certificate popup dialog on the front end which alerts us to the fact that one or more components of our webstart application is not signed. I know that under section 5.4.1 in the JNLP spec it outlines a way to sign a JNLP file by placing a copy of it in the main jar file, which, of course, is signed, but this doesn't seem to work with a JNLP file that is generated on the fly. Can someone outline a way to make this happen so the popup doesn't show up on the client machine? Possibly by some programmatic means after the JNLP file creation, but before the JNLP file is sent back to the Java Web Start client? Any references that I have found that are even remotely close to my issue revolve around JNLP files that have already been created, but not auto generated. Every other resource of the web application (i.e., jars, etc.) is already signed.


Thanks,
Amado
  • 1. Re: How to sign a auto generated JNLP file....
    843802 Newbie
    The popup should be only triggered by unsigned jars, jnlp can either be signed or not.

    Bye.
  • 2. Re: How to sign a auto generated JNLP file....
    843802 Newbie
    This is not the case, as the popup specifically says that it's the JNLP file that is not signed, not any of the jar files.


    Thanks again,
    Amado
  • 3. Re: How to sign a auto generated JNLP file....
    793415 Pro
    odama94 wrote:
    > ..I know that under section 5.4.1 in the JNLP spec it outlines a way to sign a JNLP file by placing a copy of it in the main jar file, ...
    BTW - why are you doing that?
  • 4. Re: How to sign a auto generated JNLP file....
    843802 Newbie
    If you are asking why I tried to do what was outlined in section 5.4.1, it was to see if it would solve my issue, of getting the certificate popup when I downloaded my web start application to not appear. As I had mentioned in my initial post, the reason the certificate popup shows is because the main JNLP file, which is auto generated on the back end, is not signed. Section 5.4.1 detailed a way to sign a JNLP file.


    Has anyone had experience with autogenerated JNLP files, and signing them? Can someone give me a reasonable way to force the certificate popup not to appear?


    Thanks,
    Amado
  • 5. Re: How to sign a auto generated JNLP file....
    793415 Pro
    odama94 wrote:
    > If you are asking why I tried to do what was outlined in section 5.4.1, it was to see if it would solve my issue, of getting the certificate popup when I downloaded my web start application to not appear.
    My bad. I thought you meant that you were including the JNLP in the Jar before seeing the 'certificate popup'.
    > .. As I had mentioned in my initial post, the reason the certificate popup ..
    What is the exact text of that pop-up?
  • 6. Re: How to sign a auto generated JNLP file....
    843802 Newbie
    Hello Andrew:

    Thanks for helping out.

    The Popup states...

    "The application's digital signature cannot be verified. Do you want to run the application?"

    Then if you hit the "More Information" link on the lower right corner, you get another popup which shows four bullet points...

    1) The application will be run without security restrictions normally provided by Java

    2) Although the application has a digital signature, the application's associated file (JNLP) does not have one. A digital signature ensures that a file is from the vendor and that it has not been altered.

    The other 2 bullet points mention the certificate we are using, along with a statement saying that the certificate is trusted.


    I have the Java console showing, and I notice the following three lines, as it's trying to validate the signature for the resource in question...

    security: Empty trusted set for [http://localhost:8080/ws//downloads/jreRuntimeInstallerFiles/runtime-installer.jarjnlp]
    security: Entry [http://localhost:8080/ws//downloads/jreRuntimeInstallerFiles/runtime-installer.jar] is not prevalidated. Revert to full validation of this JAR.
    security: Validating cached jar url=http://localhost:8080/ws//downloads/jreRuntimeInstallerFiles/runtime-installer.jar ffile=C:\Documents and Settings\agonzalez\Application Data\Sun\Java\Deployment\cache\6.0\6\5b147b86-2ac0801f com.sun.deploy.cache.CachedJarFile@1b383e9
    security: Istrusted: null false

    I'm not exactly sure why the resource in the first line above has the following extension (*.jarjnlp), since there is nothing in my application that resembles this. There is a runtime-installer.jnlp, which depends on a jar resource called runtime-installer.jar.


    Thanks again,
    Amado
  • 7. Re: How to sign a auto generated JNLP file....
    843802 Newbie
    odama94 wrote:
    > [..] which alerts us to the fact that one or more components of our webstart application is not signed
    odama94 wrote:
    > [..] popup specifically says that it's the JNLP file that is not signed
    odama94 wrote:
    > [..] the reason the certificate popup shows is because the main JNLP file, which is auto generated on the back end, is not signed
    odama94 wrote:
    > [..] "The application's digital signature cannot be verified. Do you want to run the application?"
    If the last one is the real message, you'd better buy a good dictionary and/or a book about certificates and security.
    There's just no trust chain to a CA, anyone can home-make a certificate telling he's Microsoft, that doesn't make it true.

    Bye.

    PS: don't bother insulting me for my straightness, I won't bother answering.
  • 8. Re: How to sign a auto generated JNLP file....
    843802 Newbie
    > If the last one is the real message, you'd better buy a good dictionary and/or a book about certificates and security.
    > There's just no trust chain to a CA, anyone can home-make a certificate telling he's Microsoft, that doesn't make it true.

    > PS: don't bother insulting me for my straightness, I won't bother answering.
    Well I'm going to insult not your straightness, but your knowledge and reading abilities.
    First of all both your answers in this thread are wrong.
    > The popup should be only triggered by unsigned jars, jnlp can either be signed or not.
    WRONG. Everything can be signed and validated, on Java 6u10+ if the JNLP (and uses properties?) is not signed this will pop up.
    And by popping up I mean display on the first time webstart sees that certificate. It's going to be ok after if the user "always trust".

    In that case the "The application's digital signature cannot be verified. Do you want to run the application?" does not mean that he is using a self signed certificate.
    It clearly says in the detail that the certificate is trusted and the msg is shown only because the JNLP was not signed.

    For the OP:

    Depending on what you have in your JNLP, this might not be possible to do.
    Why are you generating your jnlp and not using a static one?
    If your JNLP is always the same, you would be a candidate for signing it and placing it in your jar.

    See http://forums.sun.com/thread.jspa?threadID=5356707&start=0&tstart=0 for the problems of signing JNLP files and SUN's half baked implementation of that feature...

    Edited:
    I would add that one of the 2 problems could be corrected if SUN (hmm Oracle) would revise the big
    message displayed in the security dialog to not scare the user when only the JNLP is not signed.

    Edited by: martinm1000 on Apr 15, 2010 5:55 PM

    Edited by: martinm1000 on Apr 15, 2010 6:01 PM
  • 9. Re: How to sign a auto generated JNLP file....
    843802 Newbie
    My apologies, maybe OP edited his post while I was answering, or I just didn't scroll, but I had just seen the first lines.
    To ask for forgiveness I'll point out that ant tasks are available to pack and sign a jar and they can be included in any code.
    How do you identify the user to customize your jnlp? Hope you're not using one of those horrible solutions without jnlp href. If so (you do have href and jnlp is downloaded by jws on every start, not just by the browser on first start), you can go like this:
    The servlet generating the jnlp should create a session to store all infos necessary to re-create the jnlp (or the whole jnlp).
    The servlet serving jar requests (wrap the main jar if you have no such thing in your current environment) will just need to retrieve those infos and use ant tasks to build up the jar on-the-fly.

    It's a bit CPU-expensive, but should work.

    Good luck.
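
The on-the-fly packaging described in reply 9, as an added example that is not part of the original thread: it copies the unsigned main jar, embeds the generated JNLP at JNLP-INF/APPLICATION.JNLP (the entry name JNLP spec section 5.4.1 uses for the signed copy), and signs the result with the JDK's jdk.security.jarsigner.JarSigner API (JDK 9+) instead of the Ant tasks the poster mentions. The class name, method name and command-line arguments are assumptions, and the input jar is assumed to be unsigned.

```java
import java.io.*;
import java.nio.file.*;
import java.security.*;
import java.security.cert.*;
import java.util.*;
import java.util.jar.*;
import java.util.zip.ZipFile;
import jdk.security.jarsigner.JarSigner; // JDK 9+, module jdk.jartool

public class JnlpJarBuilder { // hypothetical helper, not from the thread
    // Entry name under which the signed copy of the JNLP file is looked up.
    static final String JNLP_ENTRY = "JNLP-INF/APPLICATION.JNLP";

    /** Writes a signed copy of unsignedJar to out, embedding jnlpBytes, which
     *  must be the exact bytes the JNLP servlet sent to this client. */
    static void writeSignedJar(Path unsignedJar, byte[] jnlpBytes, PrivateKey key,
                               CertPath chain, OutputStream out) throws IOException {
        Path tmp = Files.createTempFile("main-", ".jar");
        try {
            try (JarFile in = new JarFile(unsignedJar.toFile());
                 JarOutputStream jar = new JarOutputStream(Files.newOutputStream(tmp))) {
                for (JarEntry e : Collections.list(in.entries())) {
                    // Directory entries are optional; a stale JNLP copy is replaced below.
                    if (e.isDirectory() || e.getName().equalsIgnoreCase(JNLP_ENTRY)) continue;
                    jar.putNextEntry(new JarEntry(e.getName()));
                    try (InputStream is = in.getInputStream(e)) { is.transferTo(jar); }
                    jar.closeEntry();
                }
                jar.putNextEntry(new JarEntry(JNLP_ENTRY));
                jar.write(jnlpBytes);
                jar.closeEntry();
            }
            try (ZipFile zip = new ZipFile(tmp.toFile())) {
                new JarSigner.Builder(key, chain).build().sign(zip, out);
            }
        } finally {
            Files.deleteIfExists(tmp);
        }
    }

    public static void main(String[] a) throws Exception {
        // Assumed arguments: keystore, password, alias, unsigned jar, generated JNLP, output jar.
        char[] pass = a[1].toCharArray();
        KeyStore ks = KeyStore.getInstance(new File(a[0]), pass);
        PrivateKey key = (PrivateKey) ks.getKey(a[2], pass);
        CertPath chain = CertificateFactory.getInstance("X.509")
                .generateCertPath(Arrays.asList(ks.getCertificateChain(a[2])));
        try (OutputStream out = Files.newOutputStream(Paths.get(a[5]))) {
            writeSignedJar(Paths.get(a[3]), Files.readAllBytes(Paths.get(a[4])), key, chain, out);
        }
    }
}
```

In a servlet, `out` would be the response stream of the jar request and `jnlpBytes` the bytes stored in the session when the JNLP was generated. The signing key is then reachable from the web tier, so anything copied from a request into the generated JNLP should be validated before it is signed.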
  • 10. Re: How to sign a auto generated JNLP file....
    843802 Newbie
    To the OP: it is mentioned briefly by one of the posters above, but I would like to emphasize that declaration of insecure system properties in your JNLP triggers the warning about the JNLP itself not being secure. If you have a way around using system properties, that should avoid the warning about the JNLP. However, afaik, there is no way around the less scary version of the warning dialog though - Java Web Start will at least once ask the user to accept the certificate and approve an application it is about to run.

    See also: http://forums.sun.com/thread.jspa?messageID=10924534#10924534

    Edited by: chaves on Jun 2, 2010 1:41 PM
  • 11. Re: How to sign a auto generated JNLP file....
    833259 Newbie
    Hello, I am having the same problem, what are the unsecure system properties? I tried to remove all the vm properties and still get this security warning. We generate the jnlp file on the fly as well and hence have this unique problem.

    Thanks
  • 12. Re: How to sign a auto generated JNLP file....
    EJP Guru
    How can it be unique when the OP in this thread which you are reviving had it too?

    Locking.