Web Start: I used to love her, but I had to kill her

Axl Rose was probably not a Swing developer, but I think even he would agree that Web Start is simply unusable for delivering desktop Java applications over the web. I have been a Swing developer for many years and have deployed many of these applications via Web Start. In Web Start’s early days it was a welcome addition. In the corporate world, you no longer had to physically sit in front of a user’s desktop and copy files to the local disk. For developers distributing content over the web, it meant you no longer had to create a distribution which included startup scripts for multiple platforms. Further, you could even update the application and it would be automatically downloaded to the user the next time the application was run.

Web Start took a turn for the worse with 1.6. It appeared to have been rewritten from scratch and was rife with bugs. Eventually it stabilized and all was good once again. Unfortunately, Web Start’s stability would come under attack as security vulnerabilities were discovered. Oracle scrambled in response to these attacks and, to this day, produces micro releases of the JRE which contain substantial changes to the security functionality. While these changes were a step towards securing the JRE, upgrading the JRE meant some applets and Web Start applications would be blocked by the JRE.

In a corporate environment, where Web Start applications are only deployed internally, it didn’t make sense to block these applications. However, a JRE cannot easily determine what is internal and safe versus what is external and fraught with potential danger. With the release of JRE 1.7.0_40, Oracle included the Deployment Rule Set (DRS) functionality, which targets the corporate environment. To secure internal applications with DRS you might use the following:

* A certificate (self-signed or otherwise)
* All internal application jars signed using the certificate
* The certificate added to the Signer CA certificate repository for the client’s active JRE (if you upgrade the JRE, you may have to import the certificate again)
* A DeploymentRuleSet.jar file, signed by the certificate and installed in the client’s operating system (the location depends on the OS)

The DeploymentRuleSet.jar file contains a single ruleset.xml file. This file describes the behaviour the JRE should apply to applets and Web Start applications based on where they are hosted. With these rules an organization can deploy internal Java applications and forego the nightmare of JRE security altogether.
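As an added illustration (not from the original post, and not an Oracle-supplied file), here is what a ruleset.xml of the kind described above looks like. The hostnames are constructed placeholders; rules are evaluated top to bottom and the first match wins, so the catch-all rule that hands everything else back to the JRE’s normal checks belongs last. The file still has to be packaged as DeploymentRuleSet.jar and signed with the certificate from the list above before the JRE will honour it.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Constructed example ruleset.xml (not from the original post).
     Hostnames are placeholders; replace them with your own internal hosts. -->
<ruleset version="1.0+">

  <!-- Internally hosted applications: let them run on this JRE even when a
       newer micro release would otherwise block them. -->
  <rule>
    <id location="https://apps.intranet.example" />
    <action permission="run" />
  </rule>

  <!-- A decommissioned internal host: block explicitly and tell the user why,
       rather than leaving the decision to whatever the JRE's defaults are. -->
  <rule>
    <id location="https://legacy.intranet.example" />
    <action permission="block">
      <message>This application has been retired. Contact the help desk.</message>
    </action>
  </rule>

  <!-- Everything else (i.e. anything hosted externally) falls through to the
       JRE's standard security checks: signing, certificate validation and
       manifest attributes are enforced as usual. -->
  <rule>
    <id />
    <action permission="default" />
  </rule>

</ruleset>
```

The important design point is the last rule: a ruleset that ended with an unqualified `run` would quietly exempt every applet on the internet from the JRE’s checks, which is exactly the opposite of what DRS is for. Matching on the host you control, and only that host, is what keeps the carve-out limited to the internal applications the page is talking about.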

Publicly hosted applets and Web Start applications are not so lucky. The authors of such applications don’t control their clients’ desktop environments and consequently the Deployment Rule Set functionality is not applicable. This category of applications must jump through other hoops. These applications may be run on a variety of JRE versions. Unless you support the security requirements of the latest JRE, some users may not be able to run your application. This situation is complicated by the frequency of security updates in the JRE. Just because your application works with JRE 1.7.0_40 does not mean it will work with JRE 1.7.0_72. And long gone are the days of using self-signed certificates. I went to the trouble of buying an (extended validation) Comodo certificate only to find that JRE 1.8 still didn’t like my Web Start applications. I should also mention that there are half a dozen META-INF/manifest.mf properties you had better include in your main jar or JRE 8 (and probably earlier versions, but 8 is what I was testing with) will block it.

It has been a long and bumpy ride, but it has ended in a crash. I am abandoning Web Start altogether in favor of a zip distribution which contains scripts to start the application locally. Honestly, I could not feel better about it. Web Start has been such a hindrance that I welcome the freedom of the zip distribution. If anyone has had a more positive experience deploying Web Start applications over the web since JRE 1.7 became mainstream, I would be interested to hear about it.
