Josh and Java Web Start team,
I really hope that you guys can fix the main problems, as a former security consultant JWS makes perfect sense for the corporate environment it is a quick, hassle free way to deploy and update applications, and the JVM sandbox protection space is a much more secure environment than the majority of native operating system.
In the corporate environment the IT people can put up a intranet page teaching/training the staff, so people in the corporate environment will find nothing weird about the way JWS works they already have to memorize 11 passwords and face several pop-ups and password request, so a couple more is nothing to them.
On the other hand most end users (general public) don't work in a corporate environment, and even after being familiar with the way JWS works will find no advantage on the corporate/security features it brings over a native application.
One way to fix this would be to introduce Profiles to the JWS framework, with Profiles you could create a more friendly General Public Profile (that is not signed by a CA, and does not request filesystem access it is granted by default, recognizing system files that it cannot access, it behaves just like a normal native application the same rights the same duties).
And a second profile Corporate Profile (that is security conscious, requests for CA signature, has several versions in cache on the server/client, uses a catch-all service for data recovery, maybe use something like virtual partitions ala Solaris Zones/Containers, all sorts of corporate features).
I know that currently you have many fine-grain options, but they are all very restrictive, creating two Profiles that have very distinct and different targets would help in making JWS ready for General Consumption (making installers an obsolete technology).
Different targets should have different abilities (responsibilities and duties), and in this case the targeted audience is just to diverse, if being consulted I would recommend it with praise to any IT department as an effective way of deploying java applications, but if consulted on using JWS as a Public release target my recommendation would be a fat NO.
My view is that as of now JWS is a corporate technology not ready to be used outside of a Corporate environment, so not ready for Prime Time, i hope that in time something like I describe here finds it's way to the source tree, and i will study with attention the new additions and introductions of features.
I have watched thru out the years with great expectation the development of JWS (I love the idea, and I really think it would be an effective way to kill many deployment problems inherent to installer technology), I was expecting that the next version would be the one that brought the revolution to the masses, and every time I have been disappointed, still not ready for Prime Time is my conclusion. As of such it needs to be branded for what it is: a corporate technology, a great idea that works very well in a controlled environment, a pain to use outside that environment.
In the next version if not Mustang then Dolphin, rethink your target audience, make it general end user friendly, bring the revolution to the masses. It looks like Java will not be open sourced for a very long time so only you the JWS Team have the power to make it happen.
- This post is so long I decided to make it an Open Letter to the JWS Team; I hope it is seen as constructive criticism, I wish you all the best. |
java.net RSS Feeds
