This implementation supports the requirement to "sign" a JNLP document by including it in a signed JAR so the Java Web Start client can verify that the JNLP delivered is the correct document (as compared to the copy in the signed JAR delivered to the client).
Most signed JARs served by the Java Web Start support in GlassFish are created on-disk by signing their unsigned counterparts once. Then the on-disk signed JAR is served when the client asks for the JAR. The main JAR has to be handled differently to meet the Java Web start security requirements. The signed copy of the main JAR is created on-the-fly by signing the unsigned JAR's contents plus the previously-generated JNLP. The signed output is sent directly to the HTTP response's output stream rather than creating a temporary file.
We cannot create the signed main JAR once and for all because the JNLP document which launches the app might change from one invocation to the next, particularly regarding command-line arguments which appear in the JNLP as
|
|