I used Java Web Start as a "poor man's installer" for a Java client app that allows students to check their homework assignments. The app needs "all permissions", so I simply signed it with a worthless self-signed certificate. The Web Start security dialog is complete gibberish to 99% of end users, which works in my favor. Something is wrong here. Should the JNLP API be less convoluted, so that it is easier to live in the sandbox? Should it be less of a hassle for an individual to get a real certificate?

I am working on a Java client application to accompany a textbook. It allows students to check their programming assignments before they turn them in. After a few days of hacking, I was ready to show it to my editor.

No big deal, I thought. I'll just zip it up and tell him to unzip and run it. Open a command shell and run

java -classpath labrat.jar:$ANT_HOME/lib/ant.jar:$ANT_HOME/lib/ant-contrib.jar com.horstmann.labrat.Main

Ok, maybe not. I can't very well have my editor install Ant and Ant-Contrib, set an environment variable, and open a command shell.

No big deal, I thought. I'll just JAR everything up and make a self-running JAR. He can double-click on it. But you can't put JAR files inside a JAR file, and I wasn't about to un-JAR the Ant libraries. That just seemed too dirty. I tried One-JAR, and it almost worked, but the embedded Ant couldn't load task definitions. I should have shown my manly manhood by hacking a path through the festering mess of class loaders, but I didn't.

What do people do to install Java apps on Windows? Windows users want to click to install the app, and click again to launch it. I suppose one needs an EXE wrapper or an installer, such as Launch4J or IzPack, or both. This seemed to be a great deal of trouble.

I was reluctant to use Java Web Start. One always reads horror stories such as this one. But I ended up using it anyway. It neatly solved my JAR problem and my click problem. You list JAR files in the JNLP descriptor, and you add a hint to install shortcuts that the user can click. Not bad at all. As an added bonus, I can keep tweaking my prototype and know that the users will always run the latest version.
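To make the descriptor concrete, here is an added example (not code from the original post) that parses a JNLP file and reports what it asks the client to allow: the JARs it pulls in, the shortcut hint, and whether it requests to leave the sandbox. The descriptor is a constructed sample; the codebase URL, title, vendor and the `audit_jnlp` name are assumptions.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urljoin

# Constructed sample descriptor, not the author's real file. The codebase URL,
# title and vendor are placeholders; JAR and class names follow the post.
SAMPLE_JNLP = """<jnlp spec="1.0+" codebase="http://example.invalid/labrat/" href="labrat.jnlp">
  <information>
    <title>LabRat</title>
    <vendor>Example Vendor</vendor>
    <shortcut online="false"><desktop/><menu/></shortcut>
  </information>
  <security><all-permissions/></security>
  <resources>
    <j2se version="1.5+"/>
    <jar href="labrat.jar" main="true"/>
    <jar href="ant.jar"/>
    <jar href="ant-contrib.jar"/>
  </resources>
  <application-desc main-class="com.horstmann.labrat.Main"/>
</jnlp>"""

def audit_jnlp(xml_text):
    """Summarise what a JNLP descriptor asks the client machine to allow."""
    root = ET.fromstring(xml_text)
    codebase = root.get("codebase", "")
    security = root.find("security")
    # A descriptor without <security> keeps the app in the Web Start sandbox.
    permissions = "sandbox"
    if security is not None:
        for level in ("all-permissions", "j2ee-application-client-permissions"):
            if security.find(level) is not None:
                permissions = level
    jars = [urljoin(codebase, jar.get("href", "")) for jar in root.iter("jar")]
    findings = []
    if permissions != "sandbox":
        findings.append("requests " + permissions + ": user gets the certificate dialog")
    # With a self-signed signer, a JAR swapped in transit and re-signed by
    # someone else produces the same kind of dialog, so flag cleartext URLs.
    findings += ["cleartext download: " + u for u in jars if u.startswith("http://")]
    desc = root.find("application-desc")
    return {"permissions": permissions, "jars": jars,
            "shortcut": root.find("information/shortcut") is not None,
            "main_class": desc.get("main-class") if desc is not None else None,
            "findings": findings}

if __name__ == "__main__":
    for key, value in audit_jnlp(SAMPLE_JNLP).items():
        print(key, "=", value)
```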

But there is one incredibly sucky thing about Web Start--the security dialog. If your app can run in the sandbox, such as the demonstration version of Violet, this is not an issue. (The Web Start sandbox is much better than the applet sandbox--maybe a topic for another blog.)

But this app can't run in the sandbox. It compiles and runs arbitrary programs. I must digitally sign the app. I don't want to go through the trouble of getting a code certificate. It's a huge hassle for an unincorporated individual. No problem, I use a self-signed certificate. My users now see this warning:


This is completely bogus!!!

How many users out there have a clue what a digital certificate is, or what it means that the certificate is self-signed?

To make it worse, this article shows how to use a Thawte e-mail certificate to make the dialog look like this:


Well, if he is a Thawte Freemail Member, this guy must be safe...NOT. But is John Q. Surfer going to know that?

This is a mess.

Why show an end user something they can't reasonably comprehend? Why let them run something unsafe, or even worse, add a certificate into their store, with a single click?

How did we get into this mess?

If the JNLP API wasn't so convoluted, it would be easier for developers to write apps that are useful in the Web Start sandbox. And if it was easier for a reputable developer to get a certificate, then there would be no reason to allow completely worthless self-signed certificates.

Is anyone working on improving the JNLP API? (No, I don't want to start a JSR.) Is it possible to issue certificates to individual programmers at a reasonable cost, while still having a reasonable level of security?