Does Java Web Start require that the Java browser plug-in is enabled?

Asked 14/7, 2015 at 7:36 Answered 23/7, 2015 at 6:38

Solved java security applet java-web-start jnlp

To protect our users from maliciuos applets I wanted to disable the Java browser plug-in.

In a test (JRE 7) I noticed that deactivating the plug-in also disables Java Web Start. We need to use one Web Start application so it seems that we have no choice than keeping the browser plug-in enabled.

Is this correct, or is there a way to use Web Start without enabling the browser plug-ins?

Test steps:

in a command window I enter the following command

javaws https://example.com/path/to/webstartapp.jnlp
the following error box appears:

error box

Its message translates to

This application could not be downloaded because Java over Internet is deactivated. You can activate Java on this system over the Java Control Panel

I have not seen an option to activate "Java over Internet" in the Java Control Panel. When I enable the browser plug-in, the Java Web Start application can be launched.

The same error message appears if I execute a local copy of the JNLP file

jawas <path to local jnlp file>

The jnlp file (slightly cleaned up):

<?xml version="1.0" encoding="UTF-8"?>
<jnlp spec="1.0+" codebase="https://example.com/path/to/" href="webstartapp.jnlp">
    <information>
        <title>...</title>
        <vendor>...</vendor>
        <homepage href="..." />
        <description>...</description>
        <description kind="short">...</description>
        <description kind="tooltip">...</description>
        <offline-allowed />
    </information>
    <security>
        <all-permissions />
    </security>
    <resources>
        <j2se version="1.7+" initial-heap-size="128m" max-heap-size="256m" />
        <jar href="Client/lib/Launcher.jar" main="true" />
    </resources>
    <application-desc main-class="com.veda.launcher.Start">
        <argument>...</argument>
        <argument>*</argument>
    </application-desc>
</jnlp>

Blowup answered 14/7, 2015 at 7:36 Comment(4)

Is the Java webstart hosted as a JNLP that can be downloaded and executed independent of the browser? That does not require an enabled java plugin – Dorinedorion 14/7, 2015 at 8:54

@ringbearer see my edit and the jnlp file, it looks like offline execution is permitted – Blowup 14/7, 2015 at 9:17

@Blowup so if you can download the jnlp seperately than it won't be executed in the context of the browser, so you don't need the plug-in to be activated. This has nothing to do with offline execution though. – Subtilize 16/7, 2015 at 21:25

@haywire the same error message appears when I execute jawas <path to local jnlp file> – Blowup 23/7, 2015 at 6:20

AFAIK, the "Enable Java content in the browser" checkbox on the Security tab of the Java Control Panel is controlling BOTH applets and web start. Indeed, on Mac, the equivalent checkbox is called "Enable applet plug-in and Web Start applications".

Therefore, it's unlikely that you can accomplish this via the Java Control Panel. However, you might be able to leave the global Java setting ON in the Control Panel and disable Java individually in each browser.

Ratal answered 22/7, 2015 at 10:25 Comment(1)

This label in Java Control Panel is misleading. Unchecking “Enable Java content in the browser” also prevents starting a local JNLP file via Java Web Start -- having obviously nothing to do with the browser! There should be two buttons instead ... – Quaternion 11/3, 2016 at 9:0

Try this Link here which talks of running a jnlp file outside a browser. You need java to run a jnlp file and since you have disabled the java plugin in browser, it may not run the app from browser.

Sheave answered 20/7, 2015 at 8:23 Comment(3)

it may not run the app from browser - why do I have to enable the browser plug-in if I do not want to run the app from the browser? p.s. the link in your answer is broken – Blowup 20/7, 2015 at 10:9

My bad, I just edited the link? You do not want to run app from browser then don't enable it in browser. Just save the jnlp file and run as mentioned in the link – Sheave 21/7, 2015 at 4:14

Just save the jnlp file and run as mentioned in the link - the same error message appears when I enter jawas <path to local jnlp file> – Blowup 21/7, 2015 at 7:59

It seems that there is a more fine-grained option than to allow Java being executed in a browser context and relying on every browser disabling Java separately:

Java Deployment Rules let you specify towards the Java runtime which URLs should Java be allowed to execute code from. This way, you don't have to care how the users have their browsers configured. Java Deployment Rules seem to be the "managed" counterpart (think: group policy) to the Exception Site List that you can see in msj121's answer.

To me, this seems to be the most secure option, since you can centrally define that only the URL of the one JWS application you mentioned may be executed, and all other JWS applications or applets will be blocked.

Easiness answered 23/7, 2015 at 6:38 Comment(0)

Yes, I understand the checkbox does affect both plugins and webstart.

Two options I see:

You can see that you can increase the security permissions to try and make sure malicious software can't be run though by having certificates. Select Very High, and if you need your code to ever run in the browser add it to the exception list.
Change each browser to deny java in browser individually. Though this won't work for IE as far as I know.

Disable the Java content in the browser

Internet Explorer

The only way to completely disable Java in Internet Explorer (IE) is to disable Java through the Java Control Panel as noted above.

Chrome

Click on the Chrome menu, and then select Settings.
At the bottom of Settings window, click Show advanced settings Scroll down to the Privacy section and click on Content Settings.
In the Content Settings panel, scroll down to the Plug-ins section.
Under the Plug-ins section, click Disable individual plug-ins.
In the Plugins panel, scroll to the Java section. Click Disable to disable the Java Plug-in.
Close and restart the browser to enable the changes.
Note: Alternatively, you can access the Plug-ins settings by typing about:plugins in the browser address bar.

Firefox

From the Firefox menu, select Tools, then click the Add-ons option
In the Add-ons Manager window, select Plugins
Click Java (TM) Platform plugin to select it
Click Disable (if the button displays Enable then Java is already disabled)

Safari

Choose Safari Preferences
Choose the Security option
Select Allow Plug-ins, then click on Manage Website Settings
Click on the Java item, select Block from the pulldown list When visiting other websites
Click Done, then close the Safari Preferences window

Changing the preferences system wide for java in browser:

In the Java Control Panel, click the Security tab.
Select the option Enable Java content in the browser.
Click Apply and then OK to confirm the changes.
Restart the browser to enable the changes.

Lentil answered 23/7, 2015 at 1:1 Comment(0)

Recommended topics

Hot tags