2. Deploying XXE using Java™ Web Start, a step by step description

  1. Install a Java 1.6+ JDK (a JRE is not sufficient) on your computer.


    Make sure that the $JAVA_HOME/bin/ directory is referenced in $PATH because deployxxe needs to run command-line tools such as keytool and jarsigner.

  2. Install a fresh copy of the XMLmind XML Editor desktop application anywhere you want. Let's suppose you have installed it in /opt/xxe/.

  3. IMPORTANT: uninstall all the add-ons you don't need by using Options → Install Add-ons (see XMLmind XML Editor - Online Help).

  4. Optionally install extra add-ons by using Options → Install Add-ons (see XMLmind XML Editor - Online Help).

    Installing in-house add-ons

    You can install an in-house add-on (for example, an in-house configuration that lets you use XXE to edit proprietary XML documents) simply by copying its top-level directory to /opt/xxe/addon/.

    However, if you do this, do not forget to clear the Quick Start cache (Options → Preferences, Advanced|Cached Data section; see XMLmind XML Editor - Online Help), then restart XXE. If you forget to do that, XXE will fail to see your in-house add-on.

  5. Test your copy of XXE by running it normally, as a desktop application.


    If you use the RenderX XEP plug-in, make sure that you have finished its installation by converting at least one document to PDF.

  6. Run XXE_install_dir/bin/deployxxe:

    $ deployxxe webstart /tmp/xxe_ws -codebase http://www.acme.com/xxe -index

    The above deployxxe command creates a directory called /tmp/xxe_ws/ and generates a number of files in it:

    • An XML file called xxe.jnlp specifies how XXE is to be deployed using Java Web Start.

    • Option "-codebase http://www.acme.com/xxe" specifies the location of the (virtual) folder containing a copy of /tmp/xxe_ws/ on the deployment Web server (www.acme.com in the above example). More about this below.

    • Option -index is used to generate a simple index.html in /tmp/xxe_ws/.

    • A number of JAR files (e.g. xxe.jar).

      When deployed using Java Web Start, XXE requires all permissions in order to run. That's why all the JAR files must be digitally signed using the same certificate.

      The above command line does not specify which certificate to use. In that case, an automatically generated self-signed certificate is used to sign the JAR files. Such a self-signed certificate cannot be used in production. You need to purchase an actual code signing certificate from a certification authority such as VeriSign. Once this is done, you'll have to pass deployxxe extra arguments similar to the following:

      $ deployxxe webstart /tmp/xxe_ws -codebase http://www.acme.com/xxe -index \
          -storetype mycerttype -keystore mycertfile \
          -storepass mypassword -keypass mypassword -alias myalias

  7. Copy /tmp/xxe_ws/ to your deployment Web server. Let's suppose your Web server is www.acme.com. Let's suppose the XXE Web Start folder on this server is found in /usr/local/httpd/xxe/webstart/. ssh example:

    $ ssh www.acme.com rm -rf /usr/local/httpd/xxe/webstart
    $ scp -r /tmp/xxe_ws  www.acme.com:/usr/local/httpd/xxe/webstart
    # Make sure that the files may be read by everyone
    $ ssh www.acme.com chmod a+rx /usr/local/httpd/xxe/webstart
    $ ssh www.acme.com chmod a+r '/usr/local/httpd/xxe/webstart/*.*'

  8. Configure your Web server to allow downloading the generated xxe.jnlp. Apache httpd example:

    1. Add the following MIME type to /etc/apache2/httpd/mime.types:

      application/x-java-jnlp-file    jnlp

    2. Add a similar snippet to /etc/apache2/httpd.conf:

      <Directory /usr/local/httpd/xxe/webstart>
        Options FollowSymLinks Includes
        AllowOverride All
        Order allow,deny
        Allow from all
      </Directory>
      Alias /xxe /usr/local/httpd/xxe/webstart

    3. Restart Apache httpd:

      # cd /etc/rc.d
      # ./apache2 restart
  9. Tell all your future XXE users to download and install the most recent Java runtime. This will also automatically install Java Web Start.

  10. Tell all your future XXE users to visit http://www.acme.com/xxe (this will display the generated index.html) and to launch XXE from there, at least the first time.
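
A pre-upload check for the output of step 6, as an added example that is not part of XMLmind's documentation or tooling: it reads the generated xxe.jnlp, confirms every referenced JAR exists, and confirms each one carries jarsigner signature files under the same signer name. It assumes the JNLP lists its JARs as `<jar href="...">` elements; `build_sample` and its file names are constructed test data, and this is a structural check only (`jarsigner -verify` performs the cryptographic verification).

```python
import tempfile, zipfile
import xml.etree.ElementTree as ET
from pathlib import Path

BLOCK_EXT = (".RSA", ".DSA", ".EC")  # signature block files written by jarsigner

def jar_signers(jar_path):
    """Signer names in a JAR: META-INF/<NAME>.SF with a matching block file."""
    with zipfile.ZipFile(jar_path) as z:
        meta = {n.upper() for n in z.namelist() if n.upper().startswith("META-INF/")}
    return {n[9:-3] for n in meta
            if n.endswith(".SF") and any(n[:-3] + e in meta for e in BLOCK_EXT)}

def check_deployment(deploy_dir, jnlp_name="xxe.jnlp"):
    """Return a list of problems found in a generated Web Start directory."""
    d = Path(deploy_dir)
    root = ET.parse(d / jnlp_name).getroot()
    problems, signer_sets = [], set()
    for jar in root.iter("jar"):
        href = jar.get("href")
        if not (d / href).is_file():
            problems.append(f"{href}: listed in {jnlp_name} but missing")
            continue
        signers = jar_signers(d / href)
        if signers:
            signer_sets.add(frozenset(signers))
        else:
            problems.append(f"{href}: no signature files in META-INF/")
    if len(signer_sets) > 1:  # the page requires one certificate for all JARs
        names = sorted(",".join(sorted(s)) for s in signer_sets)
        problems.append("JARs carry different signer names: " + " vs ".join(names))
    return problems

def build_sample(d, signers):
    """Constructed sample: tiny fake JARs plus a minimal xxe.jnlp (not real XXE output)."""
    d = Path(d)
    jars = "".join(f'<jar href="{name}"/>' for name in signers)
    (d / "xxe.jnlp").write_text(
        f'<jnlp codebase="http://www.acme.com/xxe" href="xxe.jnlp">'
        f"<resources>{jars}</resources></jnlp>")
    for name, alias in signers.items():
        with zipfile.ZipFile(d / name, "w") as z:
            z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
            if alias:  # alias None means "leave this JAR unsigned"
                z.writestr(f"META-INF/{alias}.SF", "Signature-Version: 1.0\n")
                z.writestr(f"META-INF/{alias}.RSA", b"constructed placeholder")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp, {"xxe.jar": "MYALIAS", "addon.jar": None})
        print(check_deployment(tmp))
```

Against a real deployment, call `check_deployment("/tmp/xxe_ws")` before copying the directory to the Web server; an empty list means every JAR named in xxe.jnlp is present and signed under one signer name.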