Javafx - Security concern while deploying App using Fxlauncher vs Java Web Start

Question

I have created a Tornadofx application and was looking to deploy it in production. For this I was considering two options:

1. Fxlauncher

2. Java web start

Fxlauncher seemed pretty easy to use and deploy with only gradle configurations and commands.
But my main concern is whether it is secure enough?
For example, In Java web start, I was reading through the documentations and found this :

Signing JAR Files Used in Java Web Start Java Web Start enforces a security sandbox. By default it grants any application, including application clients, only minimal privileges. Because Java Web Start applications can be so easily downloaded, Java Web Start provides protection from potentially harmful programs that might be accessible over the network. If an application requires a higher privilege level than the sandbox permits, the code that needs privileges must be in a JAR file that was signed. When Java Web Start downloads such a signed JAR file, it displays information about the certificate that was used to sign the JAR, and it asks you whether you want to trust that signed code. If you agree, the code receives elevated permissions and runs. If you reject the signed code, Java Web Start does not start the downloaded application.

Basically, signing of jars is one of the key concerns while using Java web start and JNLP ; But with Fxlauncher, I was not able to find any such requirement or standard to do so.
So how does Fxlauncher handle such security issues?
Currently, using the fxlauncher, I am able to read/write files from/to my client's machine. Is this ok without jar signing ?

FYI, I haven't practically used Java web start, was just reading through Oracle guidelines.
Refrences:

Signing JAR Files Used in Java Web Start

Understanding Signing and Verification

Answer 1

There is definitely a security concern.

You can use my spinoff framework update4j, very similar to fxlauncher but way superior. It has a signature verification feature.

Answer 2

You can run the JNLP / WebStart command to launch your signed application. You'll need to sign any libraries with the same certificate or cordon them off into separate .jnlp files.

As far as a native install experience, take the signed and sandboxed WebStart app here:

https://www.bekwam.net/sortme/sortme.jnlp

Since the WebStart plugin doesn't allow you to pull up the apps directly anymore, you can capture a native running experience by doing something like this.

$ alias sortme='javaws https://www.bekwam.net/sortme/sortme.jnlp'

This allows you to type "sortme" from a command line and run the app. If you want to go further, you can do add a file called sortme.desktop (for Ubuntu). This lets you double-click on an icon or access this from the launcher.

[Desktop Entry]
Version=1.0
Type=Application
Name=Sort Me
Exec=/opt/jdk1.8.0_141/bin/javaws https://www.bekwam.net/sortme/sortme.jnlp
StartupNotify=false
OnlyShowIn=Unity;
X-BAMFGenerated=true

This deployment lets you take advantage of a content delivery network (CDN) to serve up your JNLP and JAR files from a super-fast download server. You provide in your install scripts the "last mile". You'll get all the assurance of a signed app and even a sandboxed version if it's feasible.

Answer 3

FXLauncher ultimately creates an installable native application using the javapackager utility. You could say that security concerns are moved up one level from the JVM to the OS, if you will. Hence, you should treat an application packaged with FXLauncher the same way you would treat any other native application.

The Gradle plugin currently doesn't expose the ability to sign your application bundle, but you could do that separately until the plugin catches up. Signing the application gives your end users confidence that you are who you say you are and improves the installation experience by replacing the security warning with a dialog that presents your identity instead.

Bottom line: When you install any native application you are basically at the mercy of the developer to some extent, and this is just as much true for FXLauncher packaged applications.