Certified Insecurity

Posted by cayhorstmann on July 12, 2006 at 7:09 PM PDT

I am working on a Java client application to accompany a textbook. It
allows students to check their programming assignments before they turn
them in. After a few days of hacking, I was ready to show it to my editor.

No big deal, I thought. I'll just zip it up and tell him to unzip and
run it. Open a command shell and run

java -classpath labrat.jar:$ANT_HOME/lib/ant.jar:$ANT_HOME/lib/ant-contrib.jar \
    com.horstmann.labrat.Main

Ok, maybe not. I can't very well have my editor install Ant and
Ant-Contrib, set an environment variable, and open a command shell.

No big deal, I thought. I'll just JAR everything up and make a
self-running JAR. He can double-click on it. But you can't put JAR files
inside a JAR file, and I wasn't about to un-JAR the Ant libraries. That
just seemed too dirty. I tried One-JAR, and it almost worked,
but the embedded Ant couldn't load task definitions. I should have shown
my manly manhood by hacking a path through the festering mess of class
loaders, but I didn't.

What do people do to install Java apps on Windows? Windows users want
to click to install the app, and click again to launch it. I suppose one
needs an EXE wrapper or an installer, such as Launch4J or IzPack, or both. This seemed to
be a great deal of trouble.

I was reluctant to use Java Web Start. One always reads horror stories
such as this one. But I ended up using it anyway. It neatly solved my JAR problem
and my click problem. You list JAR files in the JNLP descriptor, and you
add a hint to install shortcuts that the user can click. Not bad at all.
As an added bonus, I can keep tweaking my prototype and know that the
users will always run the latest version.

But there is one incredibly sucky thing about Web Start--the security
dialog. If your app can run in the sandbox, such as the demonstration
version of Violet, this is not
an issue. (The Web Start sandbox is much better than the applet
sandbox--maybe a topic for another blog.)

But this app can't run in the sandbox. It compiles and runs arbitrary
programs. I must digitally sign the app. I don't want to go through the
trouble of getting a code certificate. It's a huge hassle for an
unincorporated individual. No problem, I use a self-signed certificate. My
users now see this warning:


This is completely bogus!!!

How many users out there have a clue what a digital certificate is, or
what it means that the certificate is self-signed?
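As an added example (not code from the original post), here is a minimal version of the two steps described above: a JNLP descriptor that lists the JARs, asks for shortcuts and requests all permissions, and the keytool/jarsigner self-signing that produces the warning. Only labrat.jar, the Ant JARs and the main class come from the post; the codebase URL, vendor string, keystore name, key alias and password are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumed names: the
# application JAR labrat.jar with main class com.horstmann.labrat.Main
# (from the post), the Ant JARs under lib/, an example codebase URL, and a
# keystore labrat.jks with alias "labrat" and a throwaway password.
set -eu

# Write a JNLP descriptor: list the JARs, ask Web Start to install
# shortcuts, and request all-permissions. The <security> element is what
# forces every listed JAR to be signed and triggers the trust dialog.
write_jnlp() {
  codebase="$1"
  out="$2"
  cat > "$out" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<jnlp spec="1.0+" codebase="$codebase" href="labrat.jnlp">
  <information>
    <title>LabRat</title>
    <vendor>Example Vendor (assumed)</vendor>
    <shortcut online="false">
      <desktop/>
      <menu submenu="LabRat"/>
    </shortcut>
  </information>
  <security>
    <all-permissions/>
  </security>
  <resources>
    <j2se version="1.5+"/>
    <jar href="labrat.jar" main="true"/>
    <jar href="lib/ant.jar"/>
    <jar href="lib/ant-contrib.jar"/>
  </resources>
  <application-desc main-class="com.horstmann.labrat.Main"/>
</jnlp>
EOF
}

# Sanity-check a descriptor before publishing it: all-permissions present,
# exactly one main JAR, and a main class. Returns 0 when all three hold.
check_jnlp() {
  f="$1"
  grep -q '<all-permissions/>' "$f" || return 1
  [ "$(grep -c 'main="true"' "$f")" -eq 1 ] || return 1
  grep -q 'main-class="' "$f" || return 1
}

# Create a self-signed code-signing key (what the post uses instead of a
# CA-issued certificate). Web Start will show the self-signed warning.
make_selfsigned_key() {
  keystore="$1"; storepass="$2"
  keytool -genkeypair -alias labrat -keyalg RSA -keysize 2048 \
    -validity 365 -keystore "$keystore" -storepass "$storepass" \
    -keypass "$storepass" -dname "CN=LabRat (self-signed), O=Example"
}

# Sign every JAR the descriptor lists with the same key; an all-permissions
# launch fails if the JARs are unsigned or carry different signers.
sign_jars() {
  keystore="$1"; storepass="$2"; shift 2
  for jar in "$@"; do
    jarsigner -keystore "$keystore" -storepass "$storepass" "$jar" labrat
  done
}

# Show what the user's dialog is based on: the signer certificate of each
# JAR. For a self-signed key the chain is a single certificate that does
# not lead to a root in the Java cacerts store, hence the warning.
verify_jars() {
  for jar in "$@"; do
    jarsigner -verify -verbose -certs "$jar"
  done
}

# Stand-alone run: write the descriptor, then sign only if a JDK and the
# JARs are actually present, so the script is harmless without them.
write_jnlp "http://example.com/labrat" labrat.jnlp
check_jnlp labrat.jnlp
if command -v keytool >/dev/null 2>&1 && [ -f labrat.jar ]; then
  [ -f labrat.jks ] || make_selfsigned_key labrat.jks changeit
  sign_jars labrat.jks changeit labrat.jar lib/ant.jar lib/ant-contrib.jar
  verify_jars labrat.jar lib/ant.jar lib/ant-contrib.jar
fi
```

`jarsigner -verify -verbose -certs` prints each signer's X.509 subject; with a self-signed key there is no chain to a trusted root in cacerts, which is all the dialog is really reporting. The check_jnlp function is there because a descriptor that requests all permissions but lists an unsigned or differently signed helper JAR fails at launch time on the user's machine rather than at build time, so it is worth catching before the JNLP is published.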

To make it worse, this
shows how to use a Thawte e-mail certificate to make the
dialog look like this:


Well, if he is a Thawte Freemail Member, this guy must be safe...NOT.
But is John Q. Surfer going to know that?

This is a mess.

Why show an end user something they can't reasonably comprehend? Why
let them run something unsafe, or even worse, add a certificate into their
store, with a single click?

How did we get into this mess?

If the JNLP API wasn't so convoluted, it would be easier for developers to write
apps that are useful in the Web Start sandbox. And if it were easier for a
reputable developer to get a certificate, then there would be no reason to
allow completely worthless self-signed certificates.

Is anyone working on improving the JNLP API? (No, I don't want to start
a JSR.) Is it possible to issue certificates to individual programmers at
a reasonable cost, while still having a reasonable level of security?


On OSX you can use the maven

On OSX you can use the maven plugin to create a dmg. My guess is that there are a few more java developers using Windows. You'd think there would be an easy workable solution to this problem.