WebStart API development - bypass security

 
 
Andrew Thompson
 
      09-30-2006
Have any of you done any amount of development using
the webstart API?
<http://java.sun.com/products/javawebstart/1.0.1/javadoc/index.html>
(The FileService, ClipboardService, PersistenceService..)

I have found the development cycle to be a PITA, and am
looking for shortcuts.

The basic problem is that in order to access any of the
services, you cannot simply 'run your classes' in Java from
the command line - even if you add the JWS jar to the classpath,
the ServiceManager is not properly initialised, and
ServiceManager.getServiceNames()* returns a 0 length array.

*
<http://java.sun.com/products/javawebstart/1.0.1/javadoc/javax/jnlp/ServiceManager.html#getServiceNames()>

When launching via webstart itself, the application/applet
needs to be jar'd, and requires a JNLP file.

Fortunately, you can then test it from the command
line and local filesystem (avoiding the entire hassle of
uploading it to a server configured to send the correct
mime-type) by using the -codebase option on launch..
<http://java.sun.com/j2se/1.5.0/docs/guide/javaws/developersguide/javaws.html#options>

But.. I find that even using the sand-boxed (no need to sign the code)
methods in one part of an application, I often need other parts of the
application to have 'full access' (libraries and native libs etc.).

To add code signing to that development test cycle is a killer,
is there any way to tell the javaws launcher (either via options,
system configuration, or voodoo) to 'ignore all restrictions'
and simply run test code as 'trusted'?

Or is this a case of
"(slap the OP) Use an advanced IDE with ANT and this is all easy"?

Andrew T.

 
tiewknvc9
 
      09-30-2006
For a free code signing certificate, check out http://www.cacert.org/

I believe for testing, you can sign your own applications, which
results in a request for full system access when the code is first run.
The screen that appears says something like, "we don't trust this
person, so neither should you, but if you are foolish then click ok to
allow them to give you a virus and destroy your computer"

Done with jarsigner, of course.

Signing your code locally (by yourself, the untrusted source) will
allow you to accept the hideous certificate mentioned above. But I
don't think that there is a way to test it without signing your code in
some way. Ant would be the way to go in my mind, if you felt up to it.
But you could always just leave a command prompt open with all your
build calls.

Good luck




 
Andrew Thompson
 
      09-30-2006

tiewknvc9 wrote:
> for free code signing certificate check out http://www.cacert.org/
>
> I believe for testing, you can sign your own applications, which
> results in a request for full system access when the code is first run.


A self-signed certificate - that is what I am currently using
(for both testing and later deployment), and exactly what I want
to avoid *having* to do during *development*.

Andrew T.

 
tiewknvc9
 
      09-30-2006

Andrew Thompson wrote:
> tiewknvc9 wrote:
> > for free code signing certificate check out http://www.cacert.org/
> >
> > I believe for testing, you can sign your own applications, which
> > results in a request for full system access when the code is first run.

>
> A self-signed certificate - that is what I am currently using
> (for both testing and later deployment), and exactly what I want
> to avoid *having* to do during *development*.
>
> Andrew T.


I don't think that Sun would allow that. Since a developer could
potentially release something to the public that was not signed,
starting with the command line code allowing full access to the
machine..

Java is a pain with security. But it's probably a good move on their
end.

 
Daniel Dyer
 
      09-30-2006
On Sat, 30 Sep 2006 04:45:30 +0100, Andrew Thompson
<(E-Mail Removed)> wrote:
> I have found the development cycle to be a PITA, and am
> looking for shortcuts.

....
> Or is this a case of
> "(slap the OP) Use an advanced IDE with ANT and this is all easy"?


You don't necessarily need to use an IDE, but Ant would probably make
things easier (there's a built-in task for signing jars:
http://ant.apache.org/manual/CoreTasks/signjar.html). How do you do the
build currently?

I'm a big advocate of always having an automated, single-step build
process. It doesn't really matter whether that's achieved with Ant,
Maven, Make or some home-grown scripts. Once you have to execute more
than one command to do a build there's a chance of messing things up.

Dan.

--
Daniel Dyer
http://www.uncommons.org
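
The single-step build suggested in this post, sketched as an Ant build file. This is an added example, not code from any poster in the thread; the directory names, `testapp.jar`, `testapp.jnlp`, the `dev.keystore` file, its alias and password, and the location of `javaws.jar` are all assumptions.

```xml
<?xml version="1.0"?>
<!-- Added example: compile, jar, sign with a development-only key, launch.
     All file names, the alias and the password are placeholders. -->
<project name="testapp" default="run" basedir=".">
  <property name="src.dir"   value="src"/>
  <property name="build.dir" value="build"/>
  <property name="dist.dir"  value="dist"/>
  <property name="jar.file"  value="${dist.dir}/testapp.jar"/>
  <!-- Assumed location of the javax.jnlp classes in the JRE. -->
  <property name="jnlp.jar"  value="${java.home}/lib/javaws.jar"/>
  <!-- Development keystore only: the release key never enters this build. -->
  <property name="dev.keystore"  value="dev.keystore"/>
  <property name="dev.alias"     value="dev"/>
  <property name="dev.storepass" value="dev-only-password"/>

  <available file="${dev.keystore}" property="keystore.present"/>

  <target name="compile">
    <mkdir dir="${build.dir}"/>
    <javac srcdir="${src.dir}" destdir="${build.dir}"
           classpath="${jnlp.jar}" includeantruntime="false"/>
  </target>

  <target name="jar" depends="compile">
    <mkdir dir="${dist.dir}"/>
    <jar destfile="${jar.file}" basedir="${build.dir}"/>
    <copy file="testapp.jnlp" todir="${dist.dir}"/>
  </target>

  <!-- Create the self-signed development key once; short validity on purpose. -->
  <target name="devkey" unless="keystore.present">
    <genkey alias="${dev.alias}" keystore="${dev.keystore}"
            storepass="${dev.storepass}" validity="90"
            dname="CN=Development Test Only, O=Example"/>
  </target>

  <target name="sign" depends="jar,devkey">
    <signjar jar="${jar.file}" alias="${dev.alias}"
             keystore="${dev.keystore}" storepass="${dev.storepass}"/>
  </target>

  <!-- Launch from the local filesystem with the -codebase option. -->
  <target name="run" depends="sign">
    <makeurl file="${dist.dir}" property="dist.url"/>
    <exec executable="javaws">
      <arg value="-codebase"/>
      <arg value="${dist.url}"/>
      <arg value="${dist.dir}/testapp.jnlp"/>
    </exec>
  </target>
</project>
```

Running `ant` in the project directory then performs the whole cycle in one command; the sandbox and the signature check stay in force, and only the signing step is automated.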
 
Andrew Thompson
 
      09-30-2006
Daniel Dyer wrote:
> On Sat, 30 Sep 2006 04:45:30 +0100, Andrew Thompson
> <(E-Mail Removed)> wrote:
> > I have found the development cycle to be a PITA, and am
> > looking for shortcuts.

> ...
> > Or is this a case of
> > "(slap the OP) Use an advanced IDE with ANT and this is all easy"?

>
> You don't necessarily need to use an IDE, but Ant would probably make
> things easier (there's a built-in task for signing jars:
> http://ant.apache.org/manual/CoreTasks/signjar.html). How do you do the
> build currently?


<whispers>command line based .bat files.</whispers>

> I'm a big advocate of always having an automated, single-step build
> process. It doesn't really matter whether that's achieved with Ant,
> Maven, Make or some home-grown scripts. Once you have to execute more
> than one command to do a build there's a chance of messing things up.


Yeah, thanks. I think I just needed to hear it.

I wish I could figure how to run Ant from the command line,
I'll need to hit the docs. (I have two "powerful IDE's" installed,
both of which can run Ant scripts, but one is utterly broken -
never starts up, the other broke when settings were overwritten
during a 1.2 install the other night.. long story..)

Andrew T.

 
Andrew Thompson
 
      09-30-2006
Andrew Thompson wrote:
> Daniel Dyer wrote:
> > On Sat, 30 Sep 2006 04:45:30 +0100, Andrew Thompson

....
> > > "(slap the OP) Use an advanced IDE with ANT and this is all easy"?

> >
> > You don't necessarily need to use an IDE, but Ant would probably make
> > things easier (there's a built-in task for signing jars:

....
> I wish I could figure how to run Ant from the command line,
> I'll need to hit the docs.


(a short time later...)
C:\Documents and Settings\Administrator>ant
Buildfile: build.xml does not exist!
Build failed

....Woo-Hoo!

That's progress, from..

C:\Documents and Settings\Administrator>ant
'ant' is not recognized as an internal or external command,
operable program or batch file.

Andrew T.

 