From: John B. Matthews on
In article <Jar-20100520013251(a)ram.dialup.fu-berlin.de>,
ram(a)zedat.fu-berlin.de (Stefan Ram) wrote:

> When one follows a web link to an executable JAR on a
> webserver, it will be transferred via HTTP and then executed
> (for example, under Windows, after Java was installed). The
> operating system might ask the user for a confirmation and
> then will run the JAR.
>
> Many users do not know much about what a JAR is, so they
> might not be able to appreciate the possibly enhanced
> security of Applets or of Web-Start (is there any?)
>
> So, in order to enable someone to start a Java-Application
> via the Web, what might be some reasons to prefer one of
> those means above the other (a link to an executable JAR
> versus Web-Start)?

IIUC, a JAR runs with no security restrictions, while a Java Web Start
program is launched with whatever permissions are defined in the
controlling JNLP file. As concrete examples, this game's JNLP requests
no special permissions; by default, it runs in a restricted, "sandbox"
environment:

<http://sites.google.com/site/drjohnbmatthews/buttons>

In contrast, this game requests access to the local file system in
order to save preferences:

<http://robotchase.sourceforge.net/>

When run, the first engenders no security dialog; the second does.
Both JARs are signed to mitigate the risk of tampering.

More details here:

<http://java.sun.com/docs/books/tutorial/deployment/webstart/security.html>

--
John B. Matthews
trashgod at gmail dot com
<http://sites.google.com/site/drjohnbmatthews>
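
The sandbox versus full-access distinction described in the post above is visible in the JNLP descriptor itself. The following is an added example, not part of the original thread and not either game's actual JNLP: a Python check that reports which permission level a descriptor requests. Both descriptors and the example.invalid codebase are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Elements that may appear inside <security> in a JNLP descriptor.
ELEVATED = ("all-permissions", "j2ee-application-client-permissions")

# Constructed descriptors: one requests nothing, one requests full access.
SANDBOX_JNLP = """<jnlp spec="1.0+" codebase="https://example.invalid/a" href="a.jnlp">
  <information><title>Sandboxed game</title><vendor>Example</vendor></information>
  <resources><j2se version="1.6+"/><jar href="a.jar" main="true"/></resources>
  <application-desc main-class="demo.A"/>
</jnlp>"""

FULL_JNLP = """<jnlp spec="1.0+" codebase="https://example.invalid/b" href="b.jnlp">
  <information><title>Game saving prefs</title><vendor>Example</vendor></information>
  <security><all-permissions/></security>
  <resources><j2se version="1.6+"/><jar href="b.jar" main="true"/></resources>
  <application-desc main-class="demo.B"/>
</jnlp>"""


def jnlp_permissions(jnlp_text):
    """Return 'sandbox' or the elevated permission level the descriptor requests."""
    # JNLP needs no DTD; refusing one avoids entity-expansion tricks in the parser.
    if "<!DOCTYPE" in jnlp_text or "<!ENTITY" in jnlp_text:
        raise ValueError("unexpected DTD or entity declaration")
    root = ET.fromstring(jnlp_text)
    if root.tag != "jnlp":
        raise ValueError("root element is not <jnlp>")
    requested = {child.tag for sec in root.iter("security") for child in sec}
    unknown = requested.difference(ELEVATED)
    if unknown:
        raise ValueError("unrecognised <security> content: %s" % sorted(unknown))
    # Report the broadest request first; no request at all means the sandbox.
    for level in ELEVATED:
        if level in requested:
            return level
    return "sandbox"


if __name__ == "__main__":
    for name, text in (("sandboxed", SANDBOX_JNLP), ("full access", FULL_JNLP)):
        print(name, "->", jnlp_permissions(text))
```
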
From: Andrew Thompson on
On May 20, 9:39 am, r...(a)zedat.fu-berlin.de (Stefan Ram) wrote:
>   When one follows a web link to an executable JAR on a
>   webserver, it will be transferred via HTTP and then executed
>   (for example, under Windows, after Java was installed). ..

On Ubuntu Linux the user would be offered many options,
including 'save to disk' and 'open in archive manager'.

> ..The
>   operating system might ask the user for a confirmation and
>   then will run the JAR.
>
>   Many users do not know much about what a JAR is, so they
>   might not be able to appreciate the possibly enhanced
>   security of Applets or of Web-Start (is there any?)

Already covered.

>   So, in order to enable someone to start a Java-Application
>   via the Web, what might be some reasons to prefer one of
>   those means above the other (a link to an executable JAR
>   versus Web-Start)?

JWS provides..
- Easy ways to add extra APIs and entire extensions
(JOGL, Java3D etc.) to the application's run-time
classpath, including natives delivered specific for
the platform.
- Automatic update.
- Splash screens.
- Desk-top integration.
- APIs only available to JWS apps. like the
PersistenceService, the SingleInstanceService & the
ExtensionInstallerService that make some things very
much easier. E.G.s at <http://pscode.org/jws/api.html>
Note that Robot Chase app. mentioned by John could be
deployed sand-boxed, by using the PersistenceService.
- Fine-grained JRE versioning. For details see
<http://pscode.org/jws/version.html>
- ...

--
Andrew T.
pscode.org
From: Roedy Green on
On Thu, 20 May 2010 00:55:20 -0400, "John B. Matthews"
<nospam(a)nospam.invalid> wrote, quoted or indirectly quoted someone who
said :

>
>IIUC, a JAR runs with no security restrictions, while a Java Web Start
>program is launched with whatever permissions are defined in the
>controlling JNLP file. As concrete examples, this game's JNLP requests
>no special permissions; by default, it runs in a restricted, "sandbox"
>environment:

Further the browser/os may need to be configured to associate jars
with java.exe, otherwise it will just be saved to disk.

You can run an Applet in a jar with <APPLET or that other abomination.
--
Roedy Green Canadian Mind Products
http://mindprod.com

Beauty is our business.
~ Edsger Wybe Dijkstra (born: 1930-05-11 died: 2002-08-06 at age: 72)

Referring to computer science.