java webstart problem

Bruintje Beer - 24 Oct 2007 19:53 GMT
Hi,

I am trying to start a java app with webstart. I get the following error

Missing signed entry in resource:
http://localhost/formdesigner/lib/xercesImpl.jar

The xercesImpl.jar is jarsigned

any idea

Johan
Roedy Green - 24 Oct 2007 20:46 GMT
>The xercesImpl.jar is jarsigned

IIRC all the jars must be signed with the same certificate.
Signature

Roedy Green Canadian Mind Products
The Java Glossary
http://mindprod.com

Roedy Green - 24 Oct 2007 20:47 GMT
On Wed, 24 Oct 2007 19:46:00 GMT, Roedy Green
<see_website@mindprod.com.invalid> wrote, quoted or indirectly quoted
someone who said :

>>The xercesImpl.jar is jarsigned
>
>IIRC all the jars must be signed with the same certificate.

The problem is the user has to ok the certificate. If you had ten jars
all signed with different certs, the user would have to ok them all
individually. That would drive users nuts.  So I think Sun said, ONE
CERT ONLY.
Signature

Roedy Green Canadian Mind Products
The Java Glossary
http://mindprod.com

Thomas A. Russ - 24 Oct 2007 23:42 GMT
> The problem is the user has to ok the certificate. If you had ten jars
> all signed with different certs, the user would have to ok them all
> individually. That would drive users nuts.  So I think Sun said, ONE
> CERT ONLY.

Doing it one-by-one would certainly drive users insane.

It seems that is more of an interface issue.  One could imagine a single
dialog that would allow the examination and approval of multiple
certificates.

Now, granted, that would be more cumbersome, and one could imagine
potential attempts to sneak in an unrecognized certificate in a longer
list, but it would at least be something to consider.

Signature

Thomas A. Russ,  USC/Information Sciences Institute

Andrew Thompson - 25 Oct 2007 01:23 GMT
...
> It seems that is more of an interface issue.  One could imagine a single
> dialog that would allow the examination and approval of multiple
> certificates.

With 'lazy' downloads - the app. might go to load
'secure' Jars days, weeks or months after the app.
is initially installed.  These jars might be coming
from extensions that have different permissions from
the original application, and originate from different
sites.

( Mind you - the 'approve multiple certs.' idea would
probably work for 90%+ of current JWS apps. - few
people seem to be using extensions or lazy downloads
to any good effect. )

Sun also probably would not want to mix certificates
from trusted and untrusted sources, a 'self signed'
certificate will produce a different warning from
one that was issued by a CA.

Andrew T.
Roedy Green - 25 Oct 2007 19:32 GMT
>Now, granted, that would be more cumbersome, and one could imagine
>potential attempts to sneak in an unrecognized certificate in a longer
>list, but it would at least be something to consider.

There is another reason.  If you ok one cert, you have one person to
blame if it does damage.

Think of a general contractor giving you a list of 10 subcontractors
to ok for some home improvements.  You don't know them.  You want HIM
to vouch for them, and to be responsible for any damage they do.
Signature

Roedy Green Canadian Mind Products
The Java Glossary
http://mindprod.com

Gunter Herrmann - 29 Oct 2007 15:24 GMT
Hi!

> IIRC all the jars must be signed with the same certificate.

Only the jars in one jnlp file must be signed with the same certificate.
You can always have multiple jnlp files in a master-slave relationship.
The main jar file will contain your jars and pointers to the other jars.
I just did this with our stuff and bouncycastle in the dependent jnlp.

brgds

Signature

Gunter Herrmann
Orlando, Fl, USA

Roedy Green - 29 Oct 2007 22:24 GMT
On Mon, 29 Oct 2007 10:24:07 -0400, Gunter Herrmann
<notformail0106@earthlink.net> wrote, quoted or indirectly quoted
someone who said :

>Only the jars in one jnlp file must be signed with the same certificate.
>You can always have multiple jnlp files in a master-slave relationship.

I have never heard of this. Is there an example posted of how this
works?
Signature

Roedy Green Canadian Mind Products
The Java Glossary
http://mindprod.com

Rogan Dawes - 30 Oct 2007 10:53 GMT
> On Mon, 29 Oct 2007 10:24:07 -0400, Gunter Herrmann
> <notformail0106@earthlink.net> wrote, quoted or indirectly quoted
[quoted text clipped - 5 lines]
> I have never heard of this. Is there an example posted of how this
> works?

http://dawes.za.net/rogan/webscarab/WebScarab.jnlp refers to
./lib/help.jnlp, which includes the JavaHelp jar. My jars (and otherwise
unsigned dependencies) are signed with my own private key, but the
JavaHelp jar is already signed by Sun, so I use a separate JNLP to save
me having to un-sign and re-sign the jar myself.

As a downside, the webstart client now has to check two .jnlp files for
updates each time it starts up, adding latency, but "them's the breaks",
I guess.

Rogan
Roedy Green - 30 Oct 2007 19:04 GMT
>http://dawes.za.net/rogan/webscarab/WebScarab.jnlp refers to
>./lib/help.jnlp, which includes the JavaHelp jar. My jars (and otherwise
>unsigned dependencies) are signed with my own private key, but the
>JavaHelp jar is already signed by Sun, so I use a separate JNLP to save
>me having to un-sign and re-sign the jar myself.

Let's figure out how this works.  Here is the main JNLP file.

<jnlp spec="1.0" codebase="http://dawes.za.net/rogan/webscarab/"
href="http://dawes.za.net/rogan/webscarab/WebScarab.jnlp">
 <information>
   <title>WebScarab</title>
   <vendor>Rogan Dawes</vendor>
   <homepage href="http://dawes.za.net/rogan/webscarab/"/>
   <description>A web application testing tool.</description>
   <description kind="short">A web application testing
tool.</description>
   <description kind="tooltip">WebScarab</description>
   <icon href="http://dawes.za.net/rogan/webscarab/icon.gif"
height="64" width="64" kind="default"/>
   <icon href="http://dawes.za.net/rogan/webscarab/splash.gif"
kind="splash"/>
   <shortcut online="true">
     <desktop/>
     <menu submenu="WebScarab"/>
   </shortcut>
   <offline-allowed/>
 </information>
 <security>
   <all-permissions/>
 </security>
 <update check="timeout" policy="always"/>
 <resources>
   <property name="com.apple.macos.useScreenMenuBar" value="true"/>
   <property name="apple.laf.useScreenMenuBar" value="true"/>
   <property name="com.apple.mrj.application.apple.menu.about.name"
value="WebScarab"/>
   <java initial-heap-size="134217728" max-heap-size="536870912"
href="http://java.sun.com/products/autodl/j2se" version="1.6.0"/>
   <java initial-heap-size="134217728" max-heap-size="536870912"
href="http://java.sun.com/products/autodl/j2se" version="1.6+"/>
   <java initial-heap-size="134217728" max-heap-size="536870912"
href="http://java.sun.com/products/autodl/j2se" version="1.5.0_06"/>
   <java initial-heap-size="134217728" max-heap-size="536870912"
href="http://java.sun.com/products/autodl/j2se" version="1.5.0_05"/>
   <java initial-heap-size="134217728" max-heap-size="536870912"
href="http://java.sun.com/products/autodl/j2se" version="1.5.0_04"/>
   <java initial-heap-size="134217728" max-heap-size="536870912"
href="http://java.sun.com/products/autodl/j2se" version="1.5.0_03"/>
   <java initial-heap-size="134217728" max-heap-size="536870912"
href="http://java.sun.com/products/autodl/j2se" version="1.5.0_02"/>
   <java initial-heap-size="134217728" max-heap-size="536870912"
href="http://java.sun.com/products/autodl/j2se" version="1.5.0"/>
   <java initial-heap-size="134217728" max-heap-size="536870912"
href="http://java.sun.com/products/autodl/j2se" version="1.5+"/>
   <java initial-heap-size="134217728" max-heap-size="536870912"
href="http://java.sun.com/products/autodl/j2se" version="1.4.2_10"/>
   <java initial-heap-size="134217728" max-heap-size="536870912"
href="http://java.sun.com/products/autodl/j2se" version="1.4.2_09"/>
   <java initial-heap-size="134217728" max-heap-size="536870912"
href="http://java.sun.com/products/autodl/j2se" version="1.4.2_08"/>
   <java initial-heap-size="134217728" max-heap-size="536870912"
href="http://java.sun.com/products/autodl/j2se" version="1.4.2_07"/>
   <java initial-heap-size="134217728" max-heap-size="536870912"
href="http://java.sun.com/products/autodl/j2se" version="1.4.2_06"/>
   <java initial-heap-size="134217728" max-heap-size="536870912"
href="http://java.sun.com/products/autodl/j2se" version="1.4.2_05"/>
   <java initial-heap-size="134217728" max-heap-size="536870912"
href="http://java.sun.com/products/autodl/j2se" version="1.4.2_04"/>
   <java href="http://java.sun.com/products/autodl/j2se"
version="1.4.2_03"/>
   <java href="http://java.sun.com/products/autodl/j2se"
version="1.4.2_02"/>
   <java href="http://java.sun.com/products/autodl/j2se"
version="1.4.2_01"/>
   <java href="http://java.sun.com/products/autodl/j2se"
version="1.4.2+"/>
   <jar href="http://dawes.za.net/rogan/webscarab/webscarab.jar"
download="eager" main="false"/>
   <jar href="http://dawes.za.net/rogan/webscarab/lib/bsf-2.3.0.jar"
download="eager" main="false"/>
   <jar href="http://dawes.za.net/rogan/webscarab/lib/bsh-2.0b1.jar"
download="eager" main="false"/>
   <jar href="http://dawes.za.net/rogan/webscarab/lib/chardet.jar"
download="eager" main="false"/>
   <jar href="http://dawes.za.net/rogan/webscarab/lib/concurrent.jar"
download="eager" main="false"/>
   <jar href="http://dawes.za.net/rogan/webscarab/lib/htmlparser.jar"
download="eager" main="false"/>
   <jar
href="http://dawes.za.net/rogan/webscarab/lib/jcommon-0.8.7.jar"
download="eager" main="false"/>
   <jar
href="http://dawes.za.net/rogan/webscarab/lib/jfreechart-0.9.12.jar"
download="eager" main="false"/>
   <jar
href="http://dawes.za.net/rogan/webscarab/lib/tagsoup-1.0rc2.jar"
download="eager" main="false"/>
   <jar href="http://dawes.za.net/rogan/webscarab/lib/wsdl4j.jar"
download="eager" main="false"/>

   <!-- Here's the magic.  You point to an aux JNLP file. -->
   <extension
href="http://dawes.za.net/rogan/webscarab/lib/help.jnlp" name="Java Help"/>
   <nativelib
href="http://dawes.za.net/rogan/webscarab/lib/windows_x86.jar"
download="eager" main="false"/>
 </resources>
 <application-desc main-class="org.owasp.webscarab.WebScarab"/>
</jnlp>

================================================

You normally bundle your Java Web Start application up into signed
jars, just as you would a signed Applet. You sign them with the same
code signing certificate and use the same tool jarsigner.exe. You
usually build your apps and create the jars with ant, just as you would
any Applet or application.

All jars must be signed with the same certificate. This means you must
unpack and resign jars built by somebody else. However, Rogan Dawes,
the author of WebScarab, pointed out a way around that restriction. He
discovered that if you have multiple JNLP files, all jars mentioned by
each JNLP file must be signed with the same certificate, but different
JNLP files can be signed with different certificates. Your master JNLP
file includes an auxiliary JNLP file (which references jars signed
with a different certificate) by inserting a line like this in the
<resources> section:
<extension href="http://dawes.za.net/rogan/webscarab/lib/help.jnlp"
   name="Java Help"  />

see http://mindprod.com/jgloss/javawebstart.html#SIGNING
Signature

Roedy Green Canadian Mind Products
The Java Glossary
http://mindprod.com
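
A way to check the per-JNLP rule discussed in this thread before publishing, as an added example that is not code from any poster or from WebScarab. It assumes the jars listed in one JNLP file have been copied locally and are passed as arguments; the class name `JnlpSignerCheck` and the choice to skip `META-INF/` entries are assumptions of this sketch. It lists entries that carry no signer and reports whether a single certificate covers every entry of every jar.

```java
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.cert.Certificate;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

/** Added example (hypothetical class name): do all jars of one JNLP share a signer? */
public class JnlpSignerCheck {

    /** Leaf certificates that signed every checked entry of the jar; empty if none did. */
    static Set<Certificate> signersCoveringJar(String jarPath) throws Exception {
        Set<Certificate> common = null;
        byte[] buf = new byte[8192];
        try (JarFile jar = new JarFile(jarPath, true)) {   // true = verify while reading
            for (JarEntry entry : Collections.list(jar.entries())) {
                // Assumption of this sketch: directories and META-INF/ entries are not checked.
                if (entry.isDirectory() || entry.getName().startsWith("META-INF/")) continue;
                try (InputStream in = jar.getInputStream(entry)) {
                    while (in.read(buf) != -1) { /* signers are known only after a full read */ }
                }
                Set<Certificate> leaves = new HashSet<Certificate>();
                CodeSigner[] signers = entry.getCodeSigners();
                if (signers == null) {
                    System.out.println("  unsigned entry: " + entry.getName());
                } else {
                    for (CodeSigner s : signers) {
                        // First certificate in the path is the signer's own (leaf) certificate.
                        leaves.add(s.getSignerCertPath().getCertificates().get(0));
                    }
                }
                if (common == null) common = leaves; else common.retainAll(leaves);
            }
        }
        return common == null ? new HashSet<Certificate>() : common;
    }

    public static void main(String[] args) throws Exception {
        Set<Certificate> shared = null;
        for (String jarPath : args) {          // local copies of the jars named in ONE JNLP file
            System.out.println(jarPath);
            Set<Certificate> covering = signersCoveringJar(jarPath);
            System.out.println("  certificates covering every entry: " + covering.size());
            if (shared == null) shared = new HashSet<Certificate>(covering);
            else shared.retainAll(covering);
        }
        boolean ok = shared != null && !shared.isEmpty();
        System.out.println(ok ? "OK: one certificate signs every jar"
                              : "FAIL: no single certificate signs every entry of every jar");
        System.exit(ok ? 0 : 1);
    }
}
```

Run it once per JNLP file, so that jars pulled in through an `<extension>` JNLP are checked as their own group.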

Mark Thornton - 30 Oct 2007 20:42 GMT
> As a downside, the webstart client now has to check two .jnlp files for
> updates each time it starts up, adding latency, but "them's the breaks",
> I guess.

If you use the version download protocol it only has to check the main
jnlp file. I.e. if you specify versions for every resource referenced
from the application jnlp file then WebStart can check if it has those
versions without further reference to the server.

In addition the request for the application JNLP file will include the
modification date of the version it already has. The server does not
need to send the JNLP file content with the reply if the modification
date is still current. Thus all that is required is a single round trip
with negligible content when nothing has changed.

Mark Thornton
Rogan Dawes - 01 Nov 2007 17:45 GMT
>> As a downside, the webstart client now has to check two .jnlp files
>> for updates each time it starts up, adding latency, but "them's the
[quoted text clipped - 12 lines]
>
> Mark Thornton

While we are talking about WebStart, I thought I'd mention a PHP utility
that I wrote to allow those of us with cheap hosting plans to host
WebStart-able applications easily.

It works much as the Java JNLPDownloadServlet does, apart from
supporting versioning of the jars.

i.e. it will expand the $$ variables in the same way as the
JNLPDownloadServlet, as well as sending the Pack200 version of jars if
the requestor indicates that they can handle them.

This works quite nicely with maven2's webstart plugin, since it creates
these automatically for you.

I posted about it at:
http://forum.springframework.org/showpost.php?p=121432&postcount=5

Comments welcome.

Rogan
Mark Thornton - 01 Nov 2007 21:14 GMT
> While we are talking about WebStart, I thought I'd mention a PHP utility
> that I wrote to allow those of us with cheap hosting plans to host
[quoted text clipped - 12 lines]
> I posted about it at:
> http://forum.springframework.org/showpost.php?p=121432&postcount=5

How strange --- I've done one too! Mine is running on a little Synology
DS-101j NAS device. One catch is that this device doesn't support the
Apache mod_rewrite or the addHandler functionality and thus every
resource to be downloaded needs a little PHP stub, and thus all the URLs
end in .PHP (e.g. myapp.jar.php). This introduces a couple of further
issues:

1. The first release of Java 6 doesn't then work with signed jar files.
It gives a security exception. Subsequent (and previous) releases don't
have this problem.

2. Java 6 doesn't include pack.gz in the list of accepted encodings.
Apparently this is also tied to the extension rather than the context.

3. Although the application then works, it never appears in the Java
control panel applet's list of applications. Nor does it offer to create
a shortcut or start menu entry.

My PHP script processes any local URLs in JNLP files to append the
necessary .PHP extension, as well as replacing $$ macros.

Anyway subject to the caveats above, I have now got it to work. Those
issues and others meant it was a lot harder and took longer than I expected.

As far as I can see the big problem is there is no minimum standard of
what you can expect from a host in terms of what is permitted in
.htaccess files. My Synology device is very restrictive in this respect.
PHP also has a lot of 'optional' elements, so many useful functions may
simply be missing. One of the advantages of Java is that
so much is guaranteed to be present. Not so with PHP.

Mark Thornton
mthornton at optrak.co.uk
Rogan Dawes - 19 Nov 2007 12:14 GMT
>> While we are talking about WebStart, I thought I'd mention a PHP
>> utility that I wrote to allow those of us with cheap hosting plans to
>> host WebStart-able applications easily.

> How strange --- I've done one too! Mine is running on a little Synology
> DS-101j NAS device. One catch is that this device doesn't support the
[quoted text clipped - 6 lines]
> It gives a security exception. Subsequent (and previous) releases don't
> have this problem.

I have seen a problem with Java 6 where it throws SecurityExceptions if
the signed .jar is empty. Is that what you are referring to?

> 2. Java 6 doesn't include pack.gz in the list of accepted encodings.
> Apparently this is also tied to the extension rather than the context.
>
> 3. Although the application then works, it never appears in the Java
> control panel applet's list of applications. Nor does it offer to create
> a shortcut or start menu entry.

You are probably missing something simple. You might like to compare the
series of conversations between WebStart and your device, and between
WebStart and a real download servlet using an intercepting proxy like
WebScarab. You will probably see some missing headers or something.

> My PHP script processes any local URLs in JNLP files to append the
> necessary .PHP extension, as well as replacing $$ macros.
>
> Anyway subject to the caveats above, I have now got it to work. Those
> issues and others meant it was a lot harder and took longer than I
> expected.

Neat.

> As far as I can see the big problem is there is no minimum standard of
> what you can expect from a host in terms of what is permitted in
> .htaccess files. My Synology device is very restrictive in this respect.
> PHP also has a lot of 'optional' elements, so many useful functions may
> simply be missing. One of the advantages of Java is that
> so much is guaranteed to be present. Not so with PHP.

Yes, you are absolutely right. The lack of consistency is a pity. I did
try not to use anything *too* sophisticated, but I guess you are
running in a seriously resource constrained environment.

> Mark Thornton

Regards,

Rogan
P.S. Sorry for the late reply, I have been travelling without access to
my news feed.
Mark Thornton - 19 Nov 2007 19:29 GMT
>> 3. Although the application then works, it never appears in the Java
>> control panel applet's list of applications. Nor does it offer to
[quoted text clipped - 4 lines]
> WebStart and a real download servlet using an intercepting proxy like
> WebScarab. You will probably see some missing headers or something.

Very likely, but it will be a while before I can get back to look at it.
I'm snowed under with other work.

> Yes, you are absolutely right. The lack of consistency is a pity. I did
> try not to use anything *too* sophisticated, but I guess you are
> running in a seriously resource constrained environment.

Very much resource constrained, but that is also part of the appeal ---
unlike my main computer it is left on 24/7 and consumes very little power.

Mark Thornton
Mark Thornton - 01 Nov 2007 21:18 GMT
> While we are talking about WebStart, I thought I'd mention a PHP utility
> that I wrote to allow those of us with cheap hosting plans to host
> WebStart-able applications easily.

Incidentally my version also recognises the version download
protocol, with versions specified by both the filename encoding and the
version.xml file.

Mark Thornton
Roedy Green - 02 Nov 2007 01:04 GMT
On Thu, 01 Nov 2007 20:18:24 GMT, Mark Thornton
<mark.p.thornton@ntl-spam-world.com> wrote, quoted or indirectly
quoted someone who said :

>Incidentally my version also recognises the version download
>protocol, with versions specified by both the filename encoding and the
>version.xml file.

Is yours posted for public use?
Signature

Roedy Green Canadian Mind Products
The Java Glossary
http://mindprod.com

Mark Thornton - 02 Nov 2007 20:48 GMT
> On Thu, 01 Nov 2007 20:18:24 GMT, Mark Thornton
> <mark.p.thornton@ntl-spam-world.com> wrote, quoted or indirectly
[quoted text clipped - 5 lines]
>
> Is yours posted for public use?

Not yet. I did put in an early version into the SwingLabs project on
java.net, and will commit the current version there too when I have done
a bit more testing. You can delete the "-spam-" bit from the email
address attached to this message to get in touch with me.

Mark Thornton

