blog.christoffer.online
Hi, my name is Christoffer and I am an Internet addict.

Creating an HTML web app with a seamless system access by using Java Web Start

2011-01-30 10:57

It’s not a secret that desktop applications can be a pain for both developers and for their end users. Even though desktop applications still have some advantages over web applications, I personally always aim for creating web applications, due to they are easy to access, they don’t require an installation, they are always up to date and they are cross-platform compatible.

However, most web applications share one big disadvantage compared to desktop applications - they don't have system access the user’s computer. Meaning, they can’t read or write files stored on the user’s computer. They cannot launch internal applications, or even change the desktop wallpaper. This can be argued front and back if this is really a disadvantage or a well needed security solution. But wouldn’t it be neat to be able to visit a wallpaper gallery site and with a single click on a wallpaper, it automatically changes the desktop wallpaper on your computer? Well, creating such a system is not actually not that far fetched.

Even though we have a lot of rich Internet applications frameworks, such as Adobe Flash and Shockwave, Microsoft Silverlight and even HTML 5 on the horizon, we try and avoid creating full websites using those frameworks (not HTML5 though, but the others) due to search engine optimization difficulties, nor can anyone of them perform the same system actions a Java Web Start application can.

The basic idea of creating a seamless bridge between HTML and Java Web Start

So my goal is to make a simple search engine friendly HTML site which only uses Java Web Start where a system operation is absolutely needed. The fewer Java Web Start calls that are needed, the better. The user should not really notice the bridge between the website and the Java logic.

A brief demonstration with code

In this demonstration I am going to create a simple site that allows the visitor to choose between two classic Windows applications to start; the Calculator and the Notepad. Nothing too fancy, but it will show what’s needed to bind everything together.

Creating the site

First off I create a very basic HTML page that contains two links.

<html>
  <head>
    <title>Windows application launcher</title>
  </head>
  <body>
    <h1>Windows application launcher</h1>
    <p>Please select an application you would like to start:</p>
    <ul>
    <li><a href="calc.jnlp">Calculator</a></li>
    <li><a href="notepad.jnlp">Notepad</a></li>
    </ul>
  </body>
</html>

As you might notice that the two links points towards JNLP files (which I will soon also create). These files will launch my Java application which will in turn start the Windows application.

alt text

Creating the Java application

Below is a simple Java application that starts the different applications based on the incoming argument; 0 for the calculator and 1 for the notepad.

public class WindowsApplicationLauncher {

    private static final long serialVersionUID = 1L;

    public static void main(String[] args) {

        String command = args[0];

        if ("0".equals(command)) {
            exec("calc");
        } else if ("1".equals(command)) {
            exec("notepad");
        } else {
            JOptionPane.showMessageDialog(null, "Unknown command '" + command + "'.");
        }

    }

    private static void exec(final String command) {

        try {
            Runtime.getRuntime().exec(command);
        } catch (Exception exception) {
            JOptionPane.showMessageDialog(null, exception.toString());
        }

    }
}

I export my application into a JAR archive and digitally sign it with Jarsigner. This is necessary since the application will be performing system actions.

Creating the JNLP files

Both calc.jnlp and notepad.jnlp contains a simple JNLP structure to launch our Java application.

<?xml version="1.0" encoding="utf-8"?>
<jnlp spec="1.0+">

    <information>
        <title>Windows Application Launcher</title>
        <vendor>blog.christoffer.online</vendor>
    </information>
   
    <resources>
        <j2se version="1.4+" href="http://java.sun.com/products/autodl/j2se"/>
        <jar href="http://localhost:8888/wal.jar"/>
    </resources>
   
    <security>
    <all-permissions/>
    </security>
   
    <application-desc main-class="src.WindowsApplicationLauncher">
        <argument>0</argument>
    </application>
 
</jnlp>

The file notepad.jnlp is an exact duplication of calc.jnlp, apart from that the now contains the argument 1.

Trying it all out

Now that all four files (the HTML, JAR and two JNLP files) are uploaded to the webserver, it’s time to take them for a test run.

The first time a user clicks on your link they are required to allow system access.

alt text

If you can't read what this security box says, it's because its in Swedish! :-)

If they choose to always trust the content, every time they click on the a link the application would start immediately without any questions.

A word of caution

Like all software you are unfamiliar with, granting system access should always be done with caution and should only be given to trusted websites and organizations. You never know if the software is actually a malicious software that reads and sends your private data (such as your passwords) or has the intention to totally break down your computer in one or another way. Especially when it involves Java Web Start applications, since I am not sure that even the sharpest Antivirus software out there can spot a malicious Java Web Start application.

Adding additional security

In my example, I only did the basics to to give a fast workable demonstration. However, if this should be done in a proper project for real users, it would be a good idea to add additional security measures, such as checksums or data encryption or other ways to validate the correct usage of your application.

Use JavaScript and AJAX

Instead of creating links directly to JNLP files, it is also possible to use create background AJAX requests that launches the application. Making it possible to embed these actions calls in JavaScript.

Some other examples of usage

Even though my Windows application launcher is awesome, there might be some other useful services which can utilize this, such as:

There are probably even way more cooler ideas for possible sites, if they only had system access :-)

Old comments from Blogger

Stephen January 31, 2011 at 12:36 AM

the negative security implications of this "great idea" scare me. And I'm not coming up with any compelling use case for it that would outweigh the negatives.

Christoffer Pettersson January 31, 2011 at 1:16 AM

Hehe, thanks Stephen for saying "Great idea" ;) I have seen it done before, and thought it was an interesting idea :-)

The security risks are always there, for all third-party applications a user runs - not only Java Web Start applications. If done correctly, this should not have any greater security implications than any other Java Web Start application though.