I'm starting to experiment around with Java Web Start since applets have some limitations. I'm using Net Beans and it's working fine except that I get this pop-up when I run it:

The application's digital signature cannot be verified. Do you want to run the application?

It would be nice to have that not pop up. I just click "Run" since I know it's mine, but other people may not be willing to run it if they don't know me.

What do I need to do to have that not pop up? And what is the risk in running "untrusted" applications through Web Start. Everything is running in a sandbox, right, so the program can't damage anything even if it wants to, so does it really matter if the person running the program knows me or if I've been "verified"? Or am I naive or misinformed on this? Thanks.

I read following lines from java documentation about security element of jnlp.

Each application is, by default, run in a restricted execution environment, similar to the Applet sandbox. The security element can be used to request unrestricted access.

If the all-permissions element is specified, the application will have full access to the client machine and local network. If an application requests full access, then all JAR files must be signed. The user will be prompted to accept the certificate the first time the application is launched.

If security clause is omit from the jnlp file, an application will run in a restricted execution environment without prompting to accept the certificate.

<?xml version="1.0" encoding="UTF-8"?>
<jnlp spec="1.0+">
        <homepage href=""/>
        <description kind="short">test1</description>

        <all-permissions  />

        <j2se version="1.5+"/>
        <jar href="http://localhost:8084/test2/test1.jar" main="true" download="eager"/>
    <application-desc main-class="test1.Main">

Thanks for the response. It's been really weird. I am not getting that pop-up anymore and I can't think of what I've done differently, I've cleared the cache, I've even uninstalled and reinstalled Firefox. No pop up warning. I'm just getting a text display of the jnlp file with Internet Explorer, and I'm getting errors when I'm uploading them online and trying to run them. I'm going to experiment a little and post back more info. I'm thoroughly confused and I think the browser is caching stuff so when I make changes, they aren't changed and I have to stop and restart Apache. Thanks again for posting. If/when I get to a place where I can actually formulate a follow-up question with more specifics, I'll post one. Right now I can't. :angry:

Actually, I think I can formulate a question. By "signed" and "trusted", is this referring to me purchasing a certificate from Verisign or somewhere else and registering with them for $500 a year, so people know I am really who I say I am and I am therefore "trusted"? Basically I just have my little website, I'm not selling anything, and I want to put up some little programs that solve the quadratic equation, play a game of Snake, stuff like that, stuff that I've been putting in applets so far. They aren't really programs that have any need to do anything on anyone's computer, save for possibly allowing a user to specify a file on their machine and allow the program to open it for data and write to an output file.

Signed means - a developer/creator of .jar file has attach a digital certificate and you know that a certificate contains the name, country, credentials, and expiry limit (days).

Now, if .jar file is not signed then a jvm warn that "this application is not signed" so I (jvm) declared this application as "Untrusted".

If .jar file is signed then jvm prompt to us - This application is signed and if you are agree with the application then I will store "digital certificate".

An application requesting unrestricted system access must be digitally signed. The first time a user launches such an application, a security dialog box will appear. Before running the application, Java Web Start will prompt the user to accept the digital certificate. After the user has accepted the certificate, subsequent invocations will not show the security dialog box.

Note:The JNLP 1.0 specification requires all JAR files used in a JNLP file to be signed by the same certificate.


OK, so it's basically confirming that the person who published this Jar file is definitely Vernon Dozier, not John Q. Hacker, and we have Vernon Dozier's name, phone number, and address on file so if there's any malware in the file, here's where you can find Vernon and sue him? Is that the idea? I would need to buy a certificate from a "trusted" authority like Verisign if any of my Web Start apps wanted to, say, change the file system?

This article has been dead for over six months. Start a new discussion instead.