How to build, locally sign and deploy a JRE 1.7 applet as part of a jsp/Servlet app using JNLP

Gerry Krupka
How to build, locally sign and deploy a Java JDK/JRE 1.7 applet as part of a web application
using the Oracle-recommended Java Network Launch Protocol (JNLP) script method.

I could not find a definitive step-by-step flow on how to do this,
so I have quilted together a streamlined patchwork of recent Oracle document directives to arrive at
the minimal setup necessary to set up, build, locally sign and deploy a complete, working example.
It is not a simple process but the description below is optimal for my implementation/example,
based on trial-and-error testing.
I hope the below will save you time and will eliminate some confusion re the overall process
and will be a useful recipe in your tech cookbook.
Eclipse gurus can probably define build commands and configurations to further reduce some
of the manual processes.
(i.e. commands to sign, file copying, direct deploy to the webserver, etc.).

The software for this example is not provided but rather is given as a template example for your own implementation.

Eclipse Kepler w/ Java EE IDE on your PC, Java JDK/JRE 1.7, tomcat 6 webserver running on UNIX/LINUX,
Oracle-recommended Java Network Launch Protocol (JNLP) script method to launch an applet,
Oracle client for database interaction from the applet.

It is expected the user of this document is familiar w/ jsp/Servlet development, file management
and tomcat deployment, and has some understanding of Eclipse.

Application overview for this example:
a jsp/Servlet web application named fdeweb, built, exported and deployed to tomcat via a war file;
fdeweb.war includes a poe_cust.jsp page used to launch an applet named orderentry;
fdeweb is defined in Eclipse as a Dynamic Web Application Project type.

the orderentry applet and its packaged utility class files are managed in a separate Eclipse
(simple) Java Project type named oeapplet;
the orderentry applet is built into a jar file named oeapplet.jar;
oeapplet.jar includes the build of a package of utility java classes used by the orderentry applet;
after being built and signed resulting in signedoeapplet.jar,
signedoeapplet.jar is copied into the file tree WebContent directory of the fdeweb Project in Eclipse
and is exported and deployed as part of the fdeweb web application.

to review, an applet named orderentry along with a package of utility classes is being built into a
jar file named oeapplet.jar;
oeapplet.jar will be manually signed with a local webserver certificate, becoming signedoeapplet.jar,
and will be copied into an Eclipse Project named fdeweb;
fdeweb is a jsp/Servlet application built, exported and deployed as fdeweb.war to a tomcat webserver;
fdeweb[.war] includes a poe_cust.jsp page that invokes the orderentry applet via the Oracle-recommended JNLP script method.

The Eclipse oeapplet (simple) Java Project contains:
+ the orderentry Java applet source file (;
+ the orderentry Java utility class package source files invoked by the orderentry Java applet;
+ a mymanifest.txt file that contains jar file manifest attributes needed for proper download and execution of
the orderentry Java applet; while mymanifest.txt is stored in the oeapplet Project in Eclipse,
Eclipse does not automagically do anything with this file;
it must be manually integrated into the oeapplet.jar file after oeapplet.jar’s auto-build and Export
from Eclipse; instructions on how to do this are discussed below;
for the example orderentry applet, the property definitions required were:

Permissions: all-permissions
Codebase: *
Application-Name: Orderentry Applet
Main-Class: orderentry

the Main-Class property must match the applet main class name;
you may want to limit the specific Permissions to those required by your applet
(i.e. essentially, the ones the browser complains about when execution fails;
I am carpetbombing here, allowing everything, since this was for an intranet site)
+ an orderentry_applet.jnlp file that contains the JNLP directives for launching the orderentry Java applet;
content for this example is:

<?xml version="1.0" encoding="UTF-8"?>
<jnlp spec="1.0+" codebase="/fdeweb" href="">
  <information>
    <title>Orderentry Applet</title>
    <vendor>Lemonade stand</vendor>
  </information>
  <!-- Application Resources incl. how to pass values for parameters of the applet-desc launch tag
       and param[eter] tags to pass values for parameters expected by the orderentry applet;
       the orderentry applet requires a db parameter and a UserId parameter -->
  <resources>
    <j2se version="1.7+" href="" />
    <jar href="signedoeapplet.jar" main="true" />
    <jar href="signedojdbc6.jar" />
  </resources>
  <applet-desc name="Orderentry Applet" main-class="orderentry" width="300" height="200">
    <param name="db" value="prd"/>
    <param name="UserId" value="bumble"/>
  </applet-desc>
  <update check="background"/>
</jnlp>

The Eclipse fdeweb Dynamic Web Application Project contains:
+ a collection of jsp pages and Servlets unrelated to the orderentry application,
but this would be common; would anyone create a website for just one java applet?
+ the signed oeapplet.jar file discussed above;
+ a signed version of Oracle client ojdbc6.jar, because the example applet accesses an Oracle database;
+ a poe_cust.jsp page to invoke the orderentry applet via the Oracle-recommended JNLP script;
content for this example is:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<%@ page language="java" import="java.util.*;" %>
<META content="text/html; charset=unicode" http-equiv=Content-Type>
<META NAME="GENERATOR" Content="MSHTML 5.00.2314.1000" >
<script src=""></script>
<script>
// applet tag attributes and the JNLP file the deployment toolkit should launch
var attributes = {code:'orderentry', width:300, height:200};
var parameters = {jnlp_href:'orderentry_applet.jnlp'};
deployJava.runApplet(attributes, parameters, '1.7');
</script>

+ a replicated copy of the oeapplet Project orderentry_applet.jnlp file.

Why is signing needed for this applet?

As browsers and the Java Runtime Engine (JRE) have evolved, an increasing level of security is being enforced
on applet execution.
With JRE 1.7, an applet, and any software invoked by the applet that requires execution beyond the applet’s browser
execution sandbox, requires all involved software to be signed.
This ensures attempts by the browser to execute software on or through the server have been sanctioned for execution
as part of the applet configuration.
Applet signing is needed for this example because orderentry issues Oracle database statements from the client browser,
and invokes web pages/Servlets on the server it was launched from.

Creating a local certificate for signing applets and libraries.

Local certificates can be created using the UNIX/LINUX keytool command.
Search the internet for any discussion re the keytool command for more info.
For the instructions below, the name of the UNIX/LINUX webserver running tomcat is web
and the account defined for managing the webserver configuration is applweb.

The command specifically run to create the local certificate with the applweb account on web was

keytool -genkeypair -alias fdewebkey -validity 3650

The keytool -genkeypair command was run in applweb’s $HOME;
note the alias entered; this is needed later as the key to sign content;
the value passed to the validity parameter defines the number of days until key expiration
(10 years in this example).
During its execution, you will be prompted by keytool to enter a series of keywords appropriate
for your environment.
The most important keyword is the password. You will need to know this later in order to sign content.

Ready to go ...

Here is the definitive list of steps necessary to build and deploy the fdeweb web application
serviced by tomcat running on a webserver named web.
The orderentry applet ultimately invoked by the poe_cust.jsp of the fdeweb application
is included in the fdeweb deployment.

1. Here is a text representation of what Eclipse would look like for this example.
Initially, the orderentry_applet.jnlp, signedoeapplet.jar and signedojdbc6.jar files would not be
part of the fdeweb Project but would eventually be added as the step-by-step process is followed.
Hence, I am reflecting them below.

Project Explorer (view)
>>>(default package)
>>JRE System Library (JavaSE-1.7)

2. In Eclipse, hover over the oeapplet Project and right-click Export … JAR File => Next.

3. Select oeapplet as the resource to export; identify a directory to export to.
Define a fileshare that will allow you to easily ftp or copy the file to the webserver
in order to sign the applet with a local certificate on that server.
The jar filename being created in this example is oeapplet.jar.

The next steps detail how to sign the oeapplet.jar file.

4. Logon to the web machine as applweb.

5. Copy oeapplet.jar to applweb $HOME on the webserver from wherever the oeapplet file was saved by the Eclipse Export.

6. Copy META-INF/mymanifest.txt from the oeapplet Project to applweb $HOME.

7. Eclipse Kepler does not automatically add property definitions in mymanifest.txt into
the oeapplet.jar META-INF/MANIFEST.MF file;
however, this is necessary in order for the orderentry applet to be run;
the command to integrate the mymanifest.txt property definitions into the META-INF/MANIFEST.MF file is:
jar ufm oeapplet.jar mymanifest.txt

after running the command above,
to ensure the mymanifest.txt info was properly appended to META-INF/MANIFEST.MF,
copy oeapplet.jar to a different directory and run
jar xvf oeapplet.jar META-INF/MANIFEST.MF

you may want to view the updated file to verify the mymanifest.txt properties have been included in MANIFEST.MF;

8. Run the following command as applweb and in applweb's $HOME to sign the applet:
jarsigner -signedjar signedoeapplet.jar oeapplet.jar fdewebkey
[enter password when prompted]
The jarsigner command as defined in this step uses the local certificate fdewebkey previously created
by the applweb UID on web.

Having completed signing …

9. Copy signedoeapplet.jar to a fileshare that will allow you visibility to the file
in order to be able to copy it into the Eclipse fdeweb Project.

10. Copy the signedoeapplet.jar into the fdeweb Project => WebContent folder.

11. Note: the example orderentry applet includes Oracle database activity;
therefore, the Oracle java client library would have to be signed in similar fashion
and copied into the fdeweb Project as well;
this is not a necessity; it was only included to illustrate if the applet includes other jar libraries
that invoke actions restricted beyond the browser environment of the applet,
those libraries also need to be signed in order to allow invocation by the applet;
in this example, the Oracle ojdbc6.jar client library was signed similar to oeapplet.jar on web,
resulting in signedojdbc6.jar, and was copied into the Eclipse fdeweb Project => WebContent folder.

12. Replicate the oeapplet Project orderentry_applet.jnlp file into the Eclipse fdeweb Project => WebContent folder.

13. Hover over the fdeweb Project and Export => WAR file
Web project: fdeweb
Destination: <see below discussion*>
* Define a fileshare that will allow you to easily ftp or copy the file to the web webserver.
Name the file fdeweb.war

14. Copy fdeweb.war to a location on the web machine for deployment.
The example below expects the fdeweb.war file to be in applweb’s $HOME directory on web
and uses standard ootb tomcat browser URLs to first undeploy the existing war file (if it exists) and then deploy the new version:

undeploy: http://web:8080/manager/undeploy?path=/fdeweb
deploy: http://web:8080/manager/deploy?path=/fdeweb&war=file:$APPLWEBHOME/fdeweb.war
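
An added example, not part of the original post: a pre-deployment check that reads a jar's META-INF/MANIFEST.MF and reports the settings the post chose for convenience (Permissions: all-permissions, Codebase: *) and whether jarsigner's signature files are present. The jars, the FDEWEBKE.SF/.DSA file names and the hardened manifest values are constructed for the demonstration; the check only looks for the files, so cryptographic verification is still done with jarsigner -verify.

```python
import io
import zipfile

def main_attributes(manifest_text):
    """Main-section attributes of a JAR manifest, keys lower-cased."""
    attrs, last = {}, None
    for line in manifest_text.replace("\r\n", "\n").split("\n"):
        if not line:                       # blank line ends the main section
            break
        if line.startswith(" ") and last:  # continuation of the previous value
            attrs[last] += line[1:]
        elif ":" in line:
            key, value = line.split(":", 1)
            last = key.strip().lower()
            attrs[last] = value.lstrip()
    return attrs

def audit_jar(jar_bytes):
    """Return a list of findings for one jar (empty list: nothing to report)."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = jar.namelist()
        if "META-INF/MANIFEST.MF" not in names:
            return ["no META-INF/MANIFEST.MF"]
        attrs = main_attributes(jar.read("META-INF/MANIFEST.MF").decode("utf-8"))
    meta = {n.upper() for n in names if n.upper().startswith("META-INF/")}
    bases = [n[:-3] for n in meta if n.endswith(".SF")]
    findings = []
    # A signed jar has <ALIAS>.SF plus a signature block with the same base name.
    if not any(b + ext in meta for b in bases for ext in (".RSA", ".DSA", ".EC")):
        findings.append("unsigned: no .SF file with a matching signature block")
    perms = attrs.get("permissions")
    if perms is None:
        findings.append("Permissions attribute missing")
    elif perms.strip().lower() == "all-permissions":
        findings.append("Permissions: all-permissions (runs outside the sandbox)")
    if attrs.get("codebase", "*").strip() == "*":
        findings.append("Codebase missing or '*' (jar is not tied to a host)")
    return findings

def build_jar(manifest, extra=()):
    """Build a constructed in-memory jar with placeholder entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", manifest)
        for name in ("orderentry.class", *extra):
            jar.writestr(name, b"placeholder")
    return buf.getvalue()

# Manifest attributes as listed in the post (the Manifest-Version line is assumed).
PAGE_MANIFEST = ("Manifest-Version: 1.0\r\nPermissions: all-permissions\r\nCodebase: *\r\n"
                 "Application-Name: Orderentry Applet\r\nMain-Class: orderentry\r\n\r\n")
```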
