18

A user is running a JNLP app which is launched from the browser. The *.jar file launched by the JNLP is signed by a Certificate issued by a trusted CA.

For the first time the jar file is launched, the user is asked a question whether he trusts the signer (not the CA - the CA is already trusted).

Question Dialog Box

If the user says yes, signer's certificate gets added to the trust store.

Question is: what are the conditions for the same dialog to be shown again?

  • Has the *.jar file called by the JNLP changed?
  • Has the JNLP itself changed?
  • Has the URL of the JNLP changed?

Which of these (or something else?) will trigger the dialog to be shown even after user has checked the "Do not show this again" checkbox initially?

Mikhail Kholodkov
  • 23,642
  • 17
  • 61
  • 78
user93353
  • 13,733
  • 8
  • 60
  • 122
  • 1
    *"A user is running a JNLP app which is launched from the browser."* Wow! Where are they? 2016? See [Java Plugin support deprecated](http://www.gizmodo.com.au/2016/01/rest-in-hell-java-plug-in/) and [Moving to a Plugin-Free Web](https://blogs.oracle.com/java-platform-group/moving-to-a-plugin-free-web). – Andrew Thompson May 25 '18 at 08:19
  • 2
    @AndrewThompson - JNLP is not the same as Applet or Java Plugin. JNLP Is what Oracle suggested to move to when they deprecated Applets and the Java Plugin - https://docs.oracle.com/javase/9/deploy/migrating-java-applets-jnlp.htm#JSDPG-GUID-1F95EBB3-D5CB-434A-B069-2261900738F5 – user93353 May 25 '18 at 10:06
  • *"JNLP is not the same as Applet or Java Plugin."* (polite cough) [jnlp topusers](https://stackoverflow.com/tags/jnlp/topusers) & [java-web-start topusers](https://stackoverflow.com/tags/java-web-start/topusers). I also wrote the tag Wikis for [applet](https://stackoverflow.com/tags/applet/info), [JWS](https://stackoverflow.com/tags/java-web-start/info) & [JNLP](https://stackoverflow.com/tags/jnlp/info). Read that last one for mention of the **Java Plugin** which launches applets, **and** both embedded and free floating JWS apps. So .. I know, a *little* about these things. O_o – Andrew Thompson May 25 '18 at 14:41
  • 1
    Your link https://blogs.oracle.com/java-platform-group/moving-to-a-plugin-free-web suggests - "developers of applications that rely on the Java browser plugin need to consider alternative options such as migrating from Java Applets (which rely on a browser plugin) to the plugin-free Java Web Start technology." - JNLP is the plugin-free Java Web Start Technology. @AndrewThompson – user93353 May 26 '18 at 06:12
  • 2
    @AndrewThompson - An Applet uses the class `Applet`. A JNLP program launched from a Browser need not use the class `Applet`. I don't have any plugins installed in the browser. – user93353 May 26 '18 at 06:14
  • @user93353 if you don't know, JNLP and Java WebStart are deprecated in Java 9 and will be removed in a future release: http://www.oracle.com/technetwork/java/javase/9-deprecated-features-3745636.html – pyb Jul 06 '18 at 04:18

1 Answers1

1

I wasn't able to find a lot of information online about this subject, but I found, from this page of the Java Doc, that once the user accepts the certificate shown in the dialog, the application will be automatically granted permission

until the certificate expires or is removed from the trusted key store.

I couldn't find any more official text from the Java Doc that stated more about conditions that could trigger the same dialog again, but at this site, there was this statement:

... if the JNLP changes, then it's considered another application and therefore you see the Security Warning again.

which could mean that if the JNLP changes, then the dialog would be triggered again.

Also, if you wanted to restore the security prompts that you have allowed to run automatically, you could follow the steps shown here.

Hopefully this can help in some way and is related to what you're asking for.

0xCursor
  • 2,242
  • 4
  • 15
  • 33