
December 21, 2007

Eclipse and Java Web Start

Ever had one of those days where the universe is adamant that your problem will not be solved?

If you want such a day, try and get an Eclipse RCP application to deploy via Java Web Start.

If you would like to know all the reasons why your attempt to get this working will fail, read on.

Java Web Start is a feature built into Sun's Java runtime environment, and allows end users to launch Java applications by clicking on a link on a webpage. We desperately need a replacement for our rickety application deployment, and Java Web Start is bang on.

Eclipse seems to come to the party with a special launcher capable of being cranked up using Java Web Start. Sounds promising, until you try to use it.

at java.util.Hashtable.put(Unknown Source)
at org.eclipse.equinox.launcher.WebStartMain.basicRun(WebStartMain.java:77)
at org.eclipse.equinox.launcher.Main.run(Main.java:1173)
at org.eclipse.equinox.launcher.WebStartMain.main(WebStartMain.java:56)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.lang.reflect.Method.invoke(Unknown Source)
at com.sun.javaws.Launcher.executeApplication(Launcher.java:1205)
at com.sun.javaws.Launcher.executeMainClass(Launcher.java:1151)
at com.sun.javaws.Launcher.doLaunchApp(Launcher.java:998)
at com.sun.javaws.Launcher.run(Launcher.java:105)
at java.lang.Thread.run(Unknown Source)

The cause is this quality piece of code. Notice the unhandled error condition:

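String fwkURL = searchFor(framework, null);
if (fwkURL == null) {
    // framework not found: nothing is done about it here
}
// fwkURL can still be null at this point, and Hashtable.put rejects null values
System.getProperties().put(PROP_FRAMEWORK, fwkURL);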

Google finds lots of people asking about the problem. Nobody yet has posted a solution.

Of course the solution is to find this bug and fix it, but Eclipse won't let you get away with that without a fight.

Java Web Start has a strong security model. In order for the application to be allowed any kind of meaningful access to the disk or network, the code needs to be signed by a trusted code signing certificate. Responsible stuff. If it worked.

The guys at Eclipse have included corrupted digital signatures in their released jars in Eclipse v3.3. The error you get is this:

java.lang.SecurityException: Invalid signature file digest for Manifest main attributes

The guys at Sun have stepped in to ensure failure by forgetting to include functionality in the jarsigner tool to either replace or remove a signature.

So even if you could find a solution to the Java Web Start NullPointerException, you wouldn't get that far because the lack of signed jars would sink you long before that.
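Because a jar is an ordinary zip archive, an existing signature can be dropped outside of jarsigner by rewriting the archive without the signature entries under META-INF, after which the jar can be signed again with your own certificate. The following Python script is an added example, not code from Eclipse or Sun; the sample jar and its entry names are constructed for illustration.

```python
import io
import zipfile

SIG_SUFFIXES = (".SF", ".RSA", ".DSA", ".EC")


def is_signature_entry(name):
    """True for META-INF/*.SF, *.RSA, *.DSA, *.EC and META-INF/SIG-* (top level only)."""
    upper = name.upper()
    if not upper.startswith("META-INF/"):
        return False
    base = upper[len("META-INF/"):]
    if "/" in base:  # files in subdirectories of META-INF are not signature files
        return False
    return base.endswith(SIG_SUFFIXES) or base.startswith("SIG-")


def strip_signatures(jar_bytes):
    """Return (jar bytes without signature entries, names of the removed entries)."""
    removed = []
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if is_signature_entry(info.filename):
                removed.append(info.filename)
                continue
            # Every other entry, MANIFEST.MF included, is copied with its content unchanged.
            dst.writestr(info, src.read(info))
    return out.getvalue(), removed


def build_sample_jar():
    """Constructed sample: a tiny jar carrying placeholder signature files."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\n\r\n")
        jar.writestr("META-INF/ECLIPSE.SF", "Signature-Version: 1.0\r\n\r\n")
        jar.writestr("META-INF/ECLIPSE.RSA", b"\x30\x00")  # placeholder, not a real signature block
        jar.writestr("META-INF/services/example.Service", "example.Impl\n")
        jar.writestr("example/Impl.class", b"\xca\xfe\xba\xbe")
    return buf.getvalue()


if __name__ == "__main__":
    unsigned, removed = strip_signatures(build_sample_jar())
    print("removed:", removed)
    print("kept:", zipfile.ZipFile(io.BytesIO(unsigned)).namelist())
```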

For a project that has such a strong pedigree, this amounts to some serious bumbling on the part of the Eclipse guys. Code signing is a big deal: for a major release to be shipped with broken signatures, and for those broken signatures to remain unfixed in subsequent point releases, amounts to a serious failure of oversight.

If you want to get this to work, make sure some of these bugs get fixed:


December 18, 2007

A Boost of Stupidity

Advertised as "giving back" to the software development community, a freely downloadable Windows-based installer for the Boost C/C++ library is available from here.

The installer contains a fatal flaw: it requires direct access to the internet, with no support for a proxy, before it will work properly. That pretty much renders the software useless in virtually all practical environments.

Installers that download from the net are by and large an exercise in making a simple problem into an unnecessarily complicated one, and are generally just dumb. If you are writing an installer, and you want your installer to access the net, please just don't, for the sake of the rest of us with real work to do.

December 7, 2007

The Firewall Flaw

Firewalls, like security guards, electric fences and alarm systems, are a useful component of a security system. But firewalls are not secure in themselves any more than a bulletproof vest makes you bulletproof.

I have tried to come up with a number of analogies to explain what is wrong with relying purely on a firewall, but none explains it so clearly as this image that came through my inbox a day or two ago.


(This image arrived with no credit attached; if it is yours, add a comment so it can be credited properly.)