1 Reply Latest reply on Oct 18, 2011 2:20 PM by 800151

    Deployment location of Jar <resources>.  Best practices?

      Good Morning,

      I have my JWS app working fine. I am now at the deployment stage.

      My question boils down to where is the best place to deploy the jar files that the java web start app requires?

      At the moment I have a pre-existing WAR file and I have created a new directory in the WAR file that holds the jar files specific to the jws app.

      So on Tomcat I would have something very typical like this when my-web-app (not its real name!) WAR was exploded:


      but with an additional folder that would hold the java webstart specific jars:


      This works fine - in the ant build I can copy all the required jars to my my-jws-app/lib folder, sign them and add the folder to the my-web-app.war. All is good.

      In the JNLP file I would have something like this:

      <jar href="my-web-app/my-jws-app/lib/fast-md5-2.6.2.jar"/>
      <jar href="my-web-app/my-jws-app/lib/forms-1.3.0.jar"/>
      <jar href......

      I'm now wondering though if this is the best way to do this. One issue is that by default the jar files would be accessible if a user typed in http://somehwhere.com/my-web-app/my-jws-app/lib/fast-md5-2.6.2.jar where as if they were in the webapps\my-web-app\WEB-INF\lib folder they wouldn't.

      The problem is that if I put the jars required for the jws app in the \WEB-INF\lib folder it gets a bit of a mess of jars for different purposes, some of which would be signed for jws purposes, some not. I also currently generate the JNLP file on the fly in a Servlet and so build up the list of required jars by getting the ServletContext.getResourcePaths for the my-jws-app\lib folder. If all the jars were in the \WEB-INF\lib folder I would probably have to hardcode in the Servlet the required jars for the java web start app.

      Maybe I should create a specific web-start.war - but I would rather not do this? How does anyone else deploy their JWS jar resources?



      Edited by: user13400783 on 01-Sep-2011 01:25

      Edited by: user13400783 on 01-Sep-2011 01:26
        • 1. Re: Deployment location of Jar <resources>.  Best practices?
          Well you are trying to protect your JARs from beeing downloaded ... but somehow the JARs are actually needed by the client to run the application.
          So why should you care that anybody can access those JAR files by simply entering the URL in the browser that directly points to the JAR?
          I mean any user that runs the Java-Webstart application will download it (programatically) by the JNLP. So after that moment the file is on the disk of every client. Any user can now go to its temporary Internet files, and unzip the JAR to see the content.

          The rule is that simple: Don't put any confidential data/passwords/auth-stuff in the JAR!

          What we do for example to protect/auth is that we initialize the WebStart application in its init method with a SessionToken.
          You can pass init-arguments in the JNLP file.
          So you deliver every time a different JNLP file that contains a session-token in the init-arguments to validate the client when it does register to your remote services (if you have any).
          I think creating the JNLP file by a servlet / on demand is a common usage scenario (and also the desired way to bring some session variables / auth stuff into the client).