Java Web Start is a technology bundled with the Java Runtime Environment that allows applications written in Java to be distributed from a central location and executed on a user’s desktop. It is the successor to Java Applet technology and allows execution of client-side implementations outside the bounds of a Web Browser. The client-side code still executes inside a sandbox environment and allows limited access to the native desktop resources and features for security purposes.
How it works
A Java Web Start application is defined as a collection of JAR and ZIP files containing a set of Java classes and supporting resources such as images, XML, properties and HTML files. Recent versions of Java Web Start even allows transmission of native libraries such as Windows dll, Unix .so files and packages into JAR files for execution on the client desktop. These files are assembled and described as a single application using a manifest file created with specifications described in the Java Network Launch Protocol (JNLP) specifications. The manifest file (also called the JNLP file) is essentially an XML file that is saved with the .jnlp extension. Shown below is the content of a sample JNLP file:
<?xml version="1.0" encoding="UTF-8"?> <jnlp spec="1.0+" codebase="http://myserver.com/sampleapp" href="webstart.jnlp"> <resources> <j2se version="1.7+" href="http://java.sun.com/products/autodl/j2se"/> <jar href="startup.jar" main="true" /> <jar href="sampleapp.jar" /> </resources> <application-desc name="Sample Application" main-class="mypkg.sampleapp.startup.Main" > </application-desc> <update check="background"/> </jnlp>
The following are implied by this JNLP file:
- All application code-bases and resources, including this JNLP file, are available at the network location http://myserver.com/sampleapp. All relative references to files must be resolved against this base URL.
- The application is named ‘Sample Application’ and comprises of two jar files: startup.jar and sampleapp.jar.
- The class with the main method has the fully qualified name of mypkg.sampleapp.startup.Main. This class can be found within the startup.jar file.
- The application requires a minimum of Java version 1.7 to run. If the corresponding JRE is not available on the client machine it will be downloaded from the location http://java.sun.com/products/autodl/j2se.
All jar/zip files and the manifest files are hosted on a web server for remote access over HTTP. The host name of the web server and the relative path therein to access these files must match the base URL and file names specified in the JNLP file. This check is applicable also for the JNLP file itself.
The usual practice to start the application is to use a Web browser, like Internet Explorer or Mozilla Firefox, to load a page that contains a link to the JNLP file. Upon clicking the link, the browser invokes the JNLP launcher (part of the Java Web Start distribution) on the client desktop and passes on the URL to the JNLP file.
The JNLP launcher then downloads the manifest file, reads the same, and then downloads all other JAR and ZIP files mentioned in the manifest. The launcher then executes the main Java class (also mentioned in the manifest file) to start the application.
Each resource file mentioned in the JNLP manifest carries a version number. A version number is also associated with the manifest file. These numbers should change as the corresponding resources are updated for a newer version of the application. This allows Java Web Start to selectively download only those portions of the application that has undergone a change.
The check for updates is performed at the time of application startup if a network connection is available. The net outcome is to allow for incremental updates with optimal utilization of network bandwidth.
All downloaded resources are cached on the client side by the JNLP launcher. These resources are accessed from the local cache when the application is launched the next time. This reduces the time taken to start a Web Start application. The resources remain in the cache until there is a change in the version number as defined by the JNLP file.
Applications distributed and launched using Web Start can optionally be installed on the client-side in a more permanent fashion. Desktop shortcuts created allow these offline applications to be launched directly from within Java Web Start without opening a remote site in a browser and without network connectivity.
The following sample JNLP fragment shows how a Web Start application can be defined to have offline launch capabilities:
<?xml version="1.0" encoding="UTF-8"?> <jnlp spec="1.0+" codebase="" href=""> <information> <title>Application Title Goes Here</title> <vendor>Vendor Name Goes Here</vendor> <icon href="someicon.jpg"/> <offline-allowed/> </information> ... </jnlp>
Applications executed via Java Web Start execute in a sandboxed environment defined by Web Start. This sandbox limits access to the local desktop and resources from within the application being executed. Specifically,
- The application will have no access to the local disk other than specific locations defined by the sandbox.
- All resources required by the application can only be loaded from JAR files mentioned in the JNLP manifest.
- No execution of native libraries, even if they are made available as part of the JNLP definition.
- All jar files that constitute the application must reside on the same host URL.
- No access to network other than the host from which this application originates.
Some of these restrictions may be relaxed at runtime after display of suitable warnings and confirmation prompts that the user must explicitly allow.
To allow unrestricted access to local resources and the network, all jar files that constitute the application must be signed using a digital certificate from an established authority. This gives the user a choice to trust the signer and grant the application to access local resources. If the certificate is not from an established authority, the system may still grant unlimited access, provided the user explicitly grants the same through a confirmation dialog.
In addition, the manifest file (MANIFEST.MF) within all application jar files must include the following key-value pairs for the corresponding jar to be executed in an unrestricted manner:
Permissions: all-permissions Codebase: * Trusted-Only: true Trusted-Library: true
Additionally, modify the JNLP manifest file to include the following:
<?xml version="1.0" encoding="UTF-8"?> <jnlp spec="1.0+" codebase="" href=""> ... <security> <all-permissions/> </security> ... </jnlp>
Even with all these relaxations in place, the Java Web Start may still prompt the user for a confirmation before privileges are granted to the executing application.
Java Web Start can eliminate one of the significant overheads faced by nearly all desktop application providers: that of distribution of their end products and periodic updates of the same. End users can have the luxury of working with really complex applications on their local environment without undergoing the pains of download and installation. The technology lives up to the long-time promise of “the network as the computer” and blurs the lines between applications and services.