ritschwumm / xsbt-webstart Goto Github PK

A Webstart plugin for sbt

License: BSD 2-Clause "Simplified" License

Scala 100.00%

xsbt-webstart's Introduction

!!! this project is obsolete !!!

A Webstart plugin for sbt

At the moment, this is only a rough draft, just enough to get my own
projects running. Let me know what you think.

To build this code, get and install SBT from
    https://github.com/sbt/sbt

Get and install these plugins before building:
    https://github.com/ritschwumm/xsbt-util
    https://github.com/ritschwumm/xsbt-classpath

Build and publish the plugin:
    git clone [email protected]:ritschwumm/xsbt-webstart.git
    cd xsbt-webstart
    sbt publish-local

Add the plugin to your project in project/plugins.sbt:
    addSbtPlugin("de.djini" % "xsbt-webstart" % <version>)

Include the plugin in your project's build.sbt:

    webstartGenConfig := Some(GenConfig(
        dname       = "CN=Snake Oil, OU=An Anonymous Hacker, O=Bad Guys Inc., L=Bielefeld, ST=33641, C=DE",
        validity    = 365
    ))

    webstartKeyConfig := Some(KeyConfig(
        keyStore    = file("my/keyStore"),
        storePass   = "password",
        alias       = "alias",
        keyPass     = "password"
    ))

    webstartJnlpConfigs    := Seq(JnlpConfig(
        fileName    = "my.jnlp",
        descriptor  = (fileName:String, assets:Seq[JnlpAsset]) => {
            <jnlp spec="6.0+" codebase="$$codebase" href={fileName}>
                <information>
                    <title>My Title</title>
                    <vendor>My Company</vendor>
                    <description>My Webstart Project</description>
                    <icon href="my_icon.png"/>
                    <icon href="my_splash.png" kind="splash"/>
                </information>
                <security>
                    <all-permissions/>
                </security>
                <resources>
                    <j2se version="1.8+" max-heap-size="192m"/>
                    { assets map { _.toElem } }
                </resources>
                <application-desc main-class="my.Main"/>
            </jnlp>
        }
    ))

    /*
    on osx this file must contain the line
    Permissions: all-permissions
    or the java security settings cannot be set to "very high"
    */
    webstartManifest    := Some(file("path/to/MANIFEST.MF"))

Once set up you can use the following tasks in sbt:

    webstart        creates a directory with a JNLP file and all necessary jar files
    webstartKeygen  creates a keyStore, fails if it already exists

xsbt-webstart's People

Contributors

Stargazers

Watchers

Forkers

sullivan- cessationoftime repos-sbt dhinojosa wedens karchie xuwei-k nigredo-tori dirkhillbrecht

xsbt-webstart's Issues

Publish binaries

Right now to use this plugin in a project one has to build it (and its dependencies) and install locally, or (in case of a team) to some private repository. This is ugly and painful - and raises the threshold for adoption.

Publishing to bintray or Sonatype is relatively straightforward, and will save your users a lot of trouble.

Delete the jar if sign or verification fail

Currently the jars are signed in-place in webstartBuildDir. If we get an error, the webstart task fails, but the jar itself remains in webstartBuildDir, unsigned. On the next webstart launch it is considered signed, and can get into the resulting artifact.

A simple solution for this would be to either remove the jar if sign or verification fail, or to sign and verify it in a temporary file, and only copy the result to webstartBuildDir once we know it is valid.

Remove characters, that can be URI-escaped, from JAR names

This is prompted by AdoptOpenJDK/IcedTea-Web#573. Apparently, IcedTea-Web "loses" jars from the classpath if they have been downloaded from a URL that includes escaped characters. This is obviously an IcedTea-Web's bug, but waiting until it is fixed, and until everyone involved upgrades, would take ages, so I think we should include a workaround in this plugin.

At the very least, we can factor out this part of code as a separate setting (e.g. webstart / mappings):

xsbt-webstart/src/main/scala/WebStartPlugin.scala

Line 116 in 7f171ef

 val assetMap = assets map { _.flatPathMapping } map (xu.pathMapping anchorTo buildDir) 

Better yet, we can get rid of any non-unreserved characters in the file names. I don't think that would break anyone's code - I'm yet to see anyone use a JAR with non-ASCII name - but the proposed webstart / mappings setting should at least make it possible for them to find a workaround if that happens.

sbt 0.11.0

Hi, do you have any plans to update the plugin for sbt 0.11.0? Thanks.

include metadata in manifest similar to sbt package

sbt package leaves useful metadata in the project jar (Implementation-Vendor, Implementation-Title, and especially Implementation-Version). none of this is present in the jar built by the webstart task. it would be really nice to have these (mostly to support package.getImplementationVersion)

Discard the cache after webstartKeyConfig or the keystore change

We've had to update our code signing certificate recently, and some of the previously signed JARs were not re-signed after this (because they haven't changed), leading to a botched application. It'd be nice if the caching logic considered webstartKeyConfig and the mentioned store file as one of the inputs, and invalidated the existing signed files when those changed.

Typo in README.md

The URL listed under "Build and publish the plugin" has a typo in the clone URL,

[email protected]:ritschwumm/xstb-webstart.git

instead of

[email protected]:ritschwumm/xsbt-webstart.git

readme

some more explanation about what you plugin is and what you can do with it would be helpful.

Allow using strict mode for verification

By default jarsigner warns about some problems, but doesn't treat them as warnings. For example, I've recently found that the root certificate for the TSA service I use is no longer in the standard cacerts file. However jarsigner verification and, consequently, xsbt-webstart, don't raise an error.

It should be possible to specify the -strict jarsigner option for verification. This can be exposed in the SBT API as either a separate Boolean setting, or as a Seq[String] setting with custom jarsigner options.

should support trusted timestamping

using -tsa argument to jarsigner

What does "obsoleted" mean?

Hi,

the project's README claims this project to be "obsolete". What does this mean?

The project is not needed any more as there is a superior alternative?
The author does not plan any further work on the project?
The project does not work under newer versions of sbt?
Some dependencies broke so this project cannot be built and used any more?

At least in certain environments Webstart deployments are still needed. Perhaps you can clarify why and in which way this project is "obsolete".

Best regards,
Dirk