JavaTM Web Start 技术

http://java.sun.com/javase/technologies/desktop/javawebstart/1.2/zh/docs/Readme_zh_CN.html

 

An introduction to Java Web Start

<!-- title box ends --><!-- objective box begins -->

Abstract

This article discusses the Java Web Start deployment technology in terms of its architecture, underlying specification, and security model.

<!-- objective box ends --><!-- content box begins -->

What is Java Web Start?

Java Web Start is a client application deployment technology – developed by Sun Microsystems – that enables Java-based applications to be deployed and maintained over the Web. It's designed to provide easy, one-click activation of these applications – a user opens a web page with a browser, clicks a link, and the application seamlessly installs itself on the user's machine and launches itself. From then on, the application will automatically check for updates each time it is launched, so long as there is an active Internet connection. In this way, Sun hopes to eliminate complicated installation and upgrade procedures that have been traditionally associated with distributing software across the Web.

Two ways to deploy software

As you have probably experienced, the conventional method for installing software from the Web requires a lot of effort on the part of the user. First you have to find the installer on the Web, download this installer, and execute it, specifying various different options for the installation directory and so on. Then you have to launch it. For your trouble, you usually get a rich, fully featured application – but you have to repeat the whole process if you want any updates.

Contrast this process with that for browser-based applications, such as your favorite browser-based e-mail client. Installing these applications is as easy as clicking a link – the browser takes care of everything else. And you are guaranteed to be always running the latest version. At the moment, however, these applications typically offer fewer features than locally installed, "packaged" software, such as a word processor, a spreadsheet program, or a graphics manipulation tool.

Java Web Start – a combined approach

Java Web Start is Sun's attempt to combine the ease of use of browser-based applications with all the features of more traditional programs. Just like a browser-based application, Java Web Start applications are installed with one click using a browser. However, unlike browser-based clients, Web Start applications

• have a rich, highly interactive user interface, comparable to conventional packaged software
• can be launched independently of a browser and do not necessarily depend on an Internet connection to work effectively
• can be used offline

So Java Web Start applications are Java-based programs, much more similar to traditional packaged applications, such as a word processor, than they are to typical browser-based software, such as an e-mail client. You may be wondering if these applications are in some way related to Sun's more famous client-side innovation – Java applets. The answer is definitely no – Web Start applications are completely different to applets, which, as you may remember, cannot run outside the browser and are downloaded each and every time they are required.

Architecture

Let's take a closer look at how a Java Web Start application works, as illustrated in this diagram.

<!-- picture box begins -->

 

<!-- picture box ends -->

Java Web Start architecture

The first step is when the user clicks on a link, and the browser starts up Java Web Start technology, as indicated by the display of the splash screen. Then the technology checks if all the resources for the application are already present on the client, and, if no update is required, the application is launched immediately. If the application is not installed, a new version is required, or if specific Java Web Start software is required, the technology will automatically download the required resources from the Web and then launch the application. All of this happens, remember, "behind the scenes" – from the user's perspective, one click launches the application. Once installed, the application can be invoked independently of the browser and can be used off line.

In many ways, Java Web Start applications work in a similar way to common helper applications, such as Adobe Acrobat Reader or RealOne Player. When you click a link to a PDF document, Acrobat Reader is automatically installed – if necessary – and invoked. And you can read documents offline.

J2EE clients

Java Web Start applications are designed for use in those situations where it's important that software installation and upgrading is easy, but an HTML-based front end would be inadequate. For example, Java Web Start can be used to deploy clients for Java 2 Platform, Enterprise Edition (J2EE) systems, as J2EE application clients can – with some minor modifications to the existing code – be deployed as Web Start applications. So if you are a J2EE developer, Java Web Start provides you with a fast, efficient method of distributing rich clients to remote machines.

Under the hood – the JNLP

Java Web Start is the reference implementation of the Java Network Launching Protocol (JNLP) specification, in the same way as the Java 2 Software Development Kit, Enterprise Edition (J2EE SDK) is the reference implementation of the J2EE. So the JNLP specification is the basis of Java Web Start. It includes a definition of the application model, a standard execution environment for Web Start applications, and a provisioning protocol that describes how to package an application for web deployment.

The application model

The JNLP specification defines a web-centric application model, with no installation phase, which provides transparent and incremental updates, as well as incremental downloading of Web Start applications. This is similar to the model for HTML pages and Java applets, but with greater control and flexibility.

A standard execution environment

The standard execution environment, which is defined in the JNLP specification the Java Web Start runtime – must be installed before Java Web Start applications can run on client machines. This runtime is now bundled with the Java 2 SDK and the Java Runtime Environment (JRE). It may be already installed on Windows machines – look for a Java Web Start icon on your desktop. There should also be an entry for Java Web Start in the Start - Programs menu. Linux and Solaris users need to run an additional script that comes with the SDK. Alternatively, clients can install the full Java Web Start package, which includes the JRE.

The provisioning protocol

The key component of the provisioning protocol is the JNLP file, which is a special launch file for Java Web Start applications, written in XML. It's the file that the <a href> tag points to in the launch web page – clicking this link causes the browser to launch Java Web Start, which then takes care of installing, updating, and launching the application. The JNLP file describes the application, specifying all its Java Archive Files (JAR) files and any additional utilities it requires. Every Web Start application must have a corresponding JNLP file, and the easiest way to create it is to adapt an existing file. The developer's guide for Java Web Start includes a sample JNLP file and describes its structure and syntax in more detail.

Security concerns

The process of downloading code from a server and running it on a remote client clearly raises important security issues, so security is a key consideration of the Java Web Start design. There are two security modes, as illustrated below – Web Start applications can be launched in the Web Start "sandbox" or they can be granted unrestricted access to your system.

<!-- picture box begins -->

 

<!-- picture box ends -->

The Java Web Start security model

The Web Start sandbox

All Java Web Start applications are, by default, launched in a secure "sandbox" – a secure environment where there are strict limitations on what system resources the application can access. This concept was originally associated with applets, but the Web Start sandbox is more flexible, as it includes APIs that allow an application to import and export files from the local disk under the user's control, even if that application is running in the secure sandbox. You may be thinking that allowing Web Start applications such access presents an unacceptable risk, but it's important to remember that these operations are rendered by Java Web Start, and not by the application itself. Also, if an application requests read or write access to the disk, a dialog box is displayed by default, explicitly requesting permission for these actions.

<!-- picture box begins -->

 

<!-- picture box ends -->

A Web Start read/write alert

In fact, this support is similar to what you can do in HTML, using file input fields and the "Save As" option available in most browsers.

Unrestricted access

A Java Web Start application can also be granted unrestricted access to the client system, provided it is digitally signed – that is, the JAR files containing the code are signed with a certificate that can be validated against a set of trusted root certificates. These are typically the root certificates from Certificate Authorities (CAs) such as VeriSign and CyberTrust.

A dialog box will be displayed the first time a user launches a Web Start application that requests unrestricted access to the system.

<!-- picture box begins -->

 

<!-- picture box ends -->

Unrestricted access warning

The information displayed here will depend on the status of the certificate used to sign the code. In this case, the certificate signed by imagenie.com can be validated with the trusted root certificate from VeriSign, so you would normally install the application, provided you trust imagenie.com. However, if the certificate cannot be validated against any trusted root certificate, a message such as "Warning: Failed to verify the authenticity of this certificate. No assertions can be made of the origin or validity of the code" will be displayed. Unless you are using a self-signed certificate, you should not install the application as it may contain malicious code.

The bottom line

As a deployment technology, Java Web Start does have some real advantages, including

• one-click deployment of applications for end users over the Web
• applications are richer, more fully-featured than browser-based programs
• Web Start applications can be used offline, as an Internet connection is not required
• any updates are automatic
• it's easy to deploy existing Java applications with Java Web Start – just as it is easy to convert a Web Start application to a standalone Java application

However, Java Web Start is not perfect. The major disadvantage is the high first-time activation cost. When you use any Web Start application for the first time, the entire application has to be downloaded and cached to your local disk, which will take an appreciable amount of time on a dial-up connection. If you have never used a Web Start application before, you may have to download the runtime environment as well. This may take even longer to download than the application itself, although you'll only have to do this once. In contrast, browser-based applications are ready in the same amount of time it takes to load the web page – typically a few seconds.

A related issue is the amount of time it takes to download the updates for Web Start applications. Ideally, these updates should be quite compact, but in some cases they can be almost as large as the original application, which means they will take almost as long to download. Another, albeit minor, drawback is that deployment of Web Start applications requires configuration of the JNLP MIME type at the web server, and, in some cases, at the client's browser (although installing the runtime does make the necessary changes to the most recent versions of Internet Explorer and Netscape Navigator). Neither of these tasks is necessarily under a developer's direct control.

So Java Web Start is a great way to distribute and install your Java applications, but it can cause some problems, particularly for those users with slow Internet connections.

<!-- summary begins -->

Summary

Java Web Start is a deployment technology that enables Java-based applications to be deployed and maintained over the Web. It's an attempt to combine the ease of use of browser-based applications with all the features of more traditional programs.

By default, Java Web Start applications are launched in a secure "sandbox" – a secure environment where there are strict limitations on what system resources the application can access. The Web Start sandbox is more flexible than the more familiar applet sandbox, as it does allow applications restricted access to the local disk. However, these operations are rendered by Web Start itself, not by the application, and are in fact similar to what you can do in HTML.

A Java Web Start application can also be granted unrestricted access to the client system, provided it is digitally signed with a certificate that can be validated against a set of trusted root certificates.

Java Web Start offers many real advantages to developers, such as one-click deployment of client applications over the Web and automatic update of these applications. However, the first-time activation cost is high. The first time a Web Start application is invoked, all the code must be downloaded and cached to disk, which will take an appreciable amount of time on a dial-up connection. The updates can be quite large, which can cause problems for users with slow Internet connections.