Josh On Design

One of the things I love about Java is that I can quickly change things. With an army of libraries and Java's renowned platform independence I can quickly hack on a new feature or move code from the client to the server. A couple of days ago I showed off a webstart app with, umm, a few issues. I now proudly present :

WeatherWatcher : Release Deux

Java Web Start is a great technology. When it works the user experience is fantastic. Click on a link and the program starts. No installation. No configuration. Always up to date. And totally secure.

Unfortunately Java Web Start doesn't always work. It's getting better but there are some issues. Security is the most pressing problem. The JNLP spec (of which Web Start is an implementation) lets you select only one of two security levels: all and none. More importantly for most end users, if you download a signed app that requests all it will throw up a huge warning screen saying don't do it. Right there I've lost 50%+ of my audience.

So why does Weather Watcher even need local security permissions? Well the transparency effect requires low level AWT access. Accessing the live weather data requires network access to a server other than the application's host. I could drop the transparency effect but there's no getting around the network connection. That's the entire purpose of the application.

To solve this I've created two versions of Weather Watcher. The unsafe one works as normal. The safe one doesn't request full permissions and loses the transparency effect. To connect to the network I created a proxy JSP which just grabs the XML from the real server and reroutes it to the client. A bit slower and bandwidth wasting, but fine for casual use.

Safe version

unsafe version

The cool thing is that the two applications share the same code. The only difference is the JNLP file. One requests full permissions. The other requests no permissions and sets a proxy URL. Same app run in different ways, according to the user's wishes. Sounds like a win to me.

Web Start's Issues

My solution works pretty well but it's not a long term solution. I'd like to see three changes to Java Web Start (a few others as well, but that's for another day). These changes would pretty much solve the security issue.

1. Provide finer grained security privledges. Surely there is a middle ground between nothing and all. How about you let me specify exactly what APIs I need. Present that to the user and let them decide.
2. Request access at runtime instead of load time. Webstart should ask the user for permission when the program needs it rather than at install time. This is out the keyring in OSX works. Applications must ask the user for permission when the need arises. If the need never comes up the the user is never pestered.
3. A SocketService: Thanks to markswanson for bringing this to my attention. WebStart apps can ask for secure access to certain resources like files and printing through secure Services. There is no service for requesting network access though. Adding this service would solve a whole lot of problems. Check out Sun's bug on this topic.

Despite it's warts Java Web Start is a technology with great promise and should be used a lot more. I'm going to keep playing around with programs in the middle space between thick and thin clients, so keep tuned.

Other notes

archangel asked for international weather. I'm getting data from weather.gov, which is the US National Weather Service and only shows US locations. (maybe some territories?) If anyone has access to international weather feeds I'd be more than happy to add them.

My graphics are pretty crufty. If anyone has some images I can use (that we know are opensource compatible) I'll drop'em in.

misuasm said that the transparency effect doesn't always work on his platform and the screen capture is slow. It's pretty fast on my XP laptop though. What is the speed like on yours (not counting the fact that we need about 15megs of program just to check the weather. :)

Thawt Freemail provides certs (see this) but you have to build up a web of trust. registerfly also provides certs, but it's unclear if they work with the default root cert servers that ship with Java Web Start.