8

I've got an internal only app that I've historically self-signed. With the latest version of Java, self-signing for JNLP is deprecated. I have also experienced strange problems with opening sockets from self-signed apps with Java 7U25 (but work fine when run as a normal jar from the command line).

Is there a way to do JNLP without signing at all? Given that it's an internal only app, signing is not necessary (to me). I really don't want to spend money buying a certificate when it's not truly necessary.

Brian Knoblauch

5 Answers

5

It seems that the coming Java 7u40 recognises the need for a solution and provides a new feature:

In an enterprise that provides a common execution environment and manages the applications that employees access, the Deployment Rule Set feature enables the enterprise to establish a whitelist and a blacklist of known applications.

assylias
3

I have just made a "Java-Application with a certification with a trusted authority" in Java 7u45 with a self-signed certificate.

In the manifest I have set the Permissions to "all-permissions" and I have deleted the security tags in the JNLP. Then I have exported my own self-signed certificate and imported it into the Java Control Panel on my desktop.

In this way there is no Warning about the future release blocking the application.

I hope this helps.

Laura Liparulo
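A pre-deployment check for the two JAR properties the answer above relies on (a Permissions attribute in the manifest and signature files in META-INF), as an added example that is not part of the original answer. The function names and the sample JARs are constructed for illustration, and the check looks only at the presence of signature files, not their validity.

```python
import io
import zipfile

BLOCK_EXTS = (".RSA", ".DSA", ".EC")  # signature block files written by jarsigner

def parse_main_attributes(text):
    """Main section of a MANIFEST.MF as a dict, attribute names lowercased."""
    attrs, key = {}, None
    for line in text.splitlines():
        if not line:                      # blank line ends the main section
            break
        if line.startswith(" ") and key:  # wrapped value continues after one space
            attrs[key] += line[1:]
        elif ": " in line:
            key, value = line.split(": ", 1)
            key = key.lower()
            attrs[key] = value
    return attrs

def audit_jar(data):
    """Return a list of findings for one JAR passed as bytes."""
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        names = jar.namelist()
        raw = jar.read("META-INF/MANIFEST.MF") if "META-INF/MANIFEST.MF" in names else b""
    perms = parse_main_attributes(raw.decode("utf-8")).get("permissions")
    meta = [n[9:].upper() for n in names if n.upper().startswith("META-INF/")]
    # Presence only, not validity: `jarsigner -verify` does the cryptographic check.
    signers = [m[:-3] for m in meta if m.endswith(".SF")
               and any(m[:-3] + ext in meta for ext in BLOCK_EXTS)]
    findings = []
    if perms is None:
        findings.append("no Permissions attribute in manifest")
    elif perms not in ("sandbox", "all-permissions"):
        findings.append("unexpected Permissions value: " + perms)
    if not signers:
        findings.append("no signature files in META-INF (unsigned JAR)")
    return findings

def make_jar(manifest, extra=()):
    """Build a constructed sample JAR in memory (placeholder signature files)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", manifest)
        for name in extra:
            jar.writestr(name, b"constructed placeholder")
    return buf.getvalue()

SIGNED = make_jar("Manifest-Version: 1.0\r\nPermissions: all-permi\r\n ssions\r\n\r\n",
                  ["META-INF/INTERNAL.SF", "META-INF/INTERNAL.RSA"])
UNSIGNED = make_jar("Manifest-Version: 1.0\r\n\r\n")
print(audit_jar(SIGNED), audit_jar(UNSIGNED))
```

The first sample wraps the attribute value across two lines, as a manifest writer may do, to show why a plain substring search for `Permissions: all-permissions` can miss it.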
2

Yes, possible (but not recommended).

If you are using it only internally (locally), you could lower your Java security settings from high to middle; then you are able to execute your app again. But then I would probably deactivate your web browser plugin...

Lonzak
  • 2
    But this will only work with Java versions having multiple levels of security settings. In future versions there will only be the "highest" level according to some Oracle statements – mschenk74 Aug 13 '13 at 15:25
  • For me, setting the security to "middle" didn't help. – Laura Liparulo Jan 08 '14 at 14:51
2

I've built a portable JAVAWS launcher for JNLP files that come from IPMI / IMM / ILO / IRMC / IDRAC / KVM servers that should work on a fairly high number of old servers. Security settings in my portable launcher are already preset to support prehistoric devices.

You can find the project at https://github.com/netinvent/ipmi-starter

You can also check out the explanation of the jre\lib\security\java.security settings in the README, which lets you tweak various security settings and use old Java apps with expired certificates.

Orsiris de Jong
1

No, sorry. :)

Each JNLP component has to be signed AND they all have to be signed with the SAME certificate for the application to run. You also have to sign foreign libraries (jars etc.) that you want to include in your app.

I have no information that self-signing JNLP components may be deprecated? You can use the keytool to create a keystore and the certificate.

Find Oracle's documentation about JNLP here: http://www.oracle.com/technetwork/java/javase/index-142562.html

Hope this may help you?

Greetings Christopher

Christopher Stock
  • The information I have says that self-signed JNLP launches are deprecated as of Java 7U21. :( – Brian Knoblauch Aug 12 '13 at 14:43
  • It really feels like Oracle is abandoning JNLP. It just doesn't seem to get any love anymore. Is there a new technology coming along in Java that I can migrate to? Or perhaps something 3rd party? I hate to reinvent the wheel by writing my own launcher... – Brian Knoblauch Aug 12 '13 at 14:44
  • @BrianKnoblauch One thing with self signed certificate is that you get a warning - but I don't think it is deprecated – assylias Aug 12 '13 at 15:15
  • 1
    The Netbeans "Web Start" configuration panel states: "Warning: Unsigned and self-signed WebStart Applications and Applets are deprecated from JDK7u21 onwards. To ensure future correct functionality please use trusted certificate." [sic] – Brian Knoblauch Aug 12 '13 at 15:24
  • 1
    *"Each JNLP-component has to be signed AND they all have to be signed with the SAME certificate for the application to run. You also have to sign foreign libraries ( jars etc. ) that you want to include in your app."* Not entirely relevant to this question, but that is misleading. All Java files in any ***one*** JNLP file should be signed using the same certificate, but each extension/component JNLP can (and normally would) be signed by a 3rd party using a different certificate. – Andrew Thompson Aug 13 '13 at 01:18