3 Replies. Latest reply: Feb 26, 2013 7:30 PM by jsmith

Signing a JavaFX application

993385 Newbie
Hi!
I have two questions regarding signing of a JavaFX application:
1. In the documentation I read that there is no need to sign an application. But when I try to run a sample application (without any need of special security) in a web browser, I get a runtime error if I don't sign the application beforehand. Is it necessary to sign a JavaFX application if it is intended to run in the browser?
2. I am signing my JavaFX application with the corresponding Ant-Task. So far I have created a keystore and a self-signed certificate, and it works.
Is it possible to use a commercial certificate that I use for an Apache web server, and how? I could not find any information concerning this topic.
Thanks in advance!
  • 1. Re: Signing a JavaFX application
    James_D Guru
    990382 wrote:
    > Hi!
    > I have two questions regarding signing of a JavaFX application:
    > 1. In the documentation I read that there is no need to sign an application. But when I try to run a sample application (without any need of special security) in a web browser, I get a runtime error if I don't sign the application beforehand. Is it necessary to sign a JavaFX application if it is intended to run in the browser?

    It depends on what your application is doing, but in the majority of cases the answer is "yes". Certain actions are prohibited for embedded applications unless they specifically request permissions for them, and to do so the application needs to be signed. Examples of these actions are reading and writing to the file system, or some actions with multithreading. Another important example is suppressing access checks in order to manipulate inaccessible (usually private) fields or invoke inaccessible methods by reflection. Injection of FXML-defined objects into a controller relies on being able to do this. So in short, an application that uses FXML will almost always need to be signed.

    > 2. I am signing my JavaFX application with the corresponding Ant-Task. So far I have created a keystore and a self-signed certificate, and it works.
    > Is it possible to use a commercial certificate that I use for an Apache web server, and how? I could not find any information concerning this topic.
    > Thanks in advance!

    You need to import the commercial certificate into the keystore. I've never needed to do this (at least, not yet), but there is some documentation on how to do so here: http://docs.oracle.com/javase/tutorial/security/toolsign/signer.html. The optional step (between steps 3 and 4) is the one of interest to you.
  • 2. Re: Signing a JavaFX application
    jsmith Guru
    Don't use a web server certificate. Use a code signing certificate:

    http://www.thawte.com/code-signing/content-signing-certificates/sun-java/index.html
  • 3. Re: Signing a JavaFX application
    jsmith Guru
    See these related threads:

    Re: In need of opinion - desktop shortcut, security warning. "Security Warning"
    Signed Jars "Signed Jars"
    http://docs.oracle.com/javafx/2/deployment/packaging.htm#BABJGFBH "Sign the JAR Files"

    Oracle don't even bother signing their jars with an Oracle certificate. The Oracle JavaFX samples are just self signed.

    It has been a long time since somebody has asked about signing, which tells me either signing is simple enough that no questions need to be asked or people are not signing their apps with a code signing certificate. My guess is that it is the latter.
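
Added example, not part of the thread or of Oracle's documentation: a pre-signing check that tells a web server certificate apart from a code signing certificate by its Extended Key Usage extension, for each private-key entry in the keystore handed to the signing task. The class name `CodeSigningCheck` and its invocation are assumptions; the keystore path is passed as the only argument and the password is read from the console.

```java
import java.io.Console;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.List;

// Hypothetical helper (added example). Usage: java CodeSigningCheck <keystore-file>
public class CodeSigningCheck {
    static final String CODE_SIGNING = "1.3.6.1.5.5.7.3.3"; // id-kp-codeSigning
    static final String SERVER_AUTH  = "1.3.6.1.5.5.7.3.1"; // id-kp-serverAuth (TLS web server)
    static final String ANY_EKU      = "2.5.29.37.0";       // anyExtendedKeyUsage

    // Classifies a certificate by the purposes its Extended Key Usage extension permits.
    static String classify(X509Certificate cert) throws Exception {
        List<String> eku = cert.getExtendedKeyUsage(); // null when the extension is absent
        boolean selfSigned = cert.getSubjectX500Principal().equals(cert.getIssuerX500Principal());
        String note = selfSigned ? " (self-signed)" : " (issued by " + cert.getIssuerX500Principal() + ")";
        if (eku == null) return "no EKU restriction" + note;
        if (eku.contains(CODE_SIGNING) || eku.contains(ANY_EKU)) return "code signing permitted" + note;
        if (eku.contains(SERVER_AUTH)) return "web server certificate, not for code signing" + note;
        return "EKU present without codeSigning: " + eku + note;
    }

    public static void main(String[] args) throws Exception {
        Console console = System.console();
        if (args.length != 1 || console == null) {
            System.err.println("usage: java CodeSigningCheck <keystore-file> (run from a terminal)");
            System.exit(2);
        }
        // Read the password interactively so it does not end up in shell history.
        char[] password = console.readPassword("Keystore password: ");
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, password);
        }
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isKeyEntry(alias)) continue;          // only private-key entries can sign
            Certificate c = ks.getCertificate(alias);      // leaf certificate of the entry
            if (!(c instanceof X509Certificate)) continue;
            X509Certificate x509 = (X509Certificate) c;
            x509.checkValidity();                          // throws if expired or not yet valid
            System.out.println(alias + ": " + classify(x509));
        }
    }
}
```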
