How to Secure a NetBeans Platform Update Center
Many times I've been asked how to secure an update center of a NetBeans Platform application. If you're OK with "Basic authentication", it's dead simple—simply configure the server where your update center's XML and NBMs are hosted to use "Basic authentication". Then the user will be prompted for a login.
If you want to try, follow the sections described below.
Enabling Basic Authentication for an Update Center
In this section, you set up a scenario where "Basic authentication" is enabled for a NetBeans Platform application. You can use any NetBeans Platform application, such as the Paint Application (one of the NetBeans Platform samples in the New Project dialog), when taking the steps below.
- Follow the "Basic authentication" example of this tutorial: http://netbeans.org/kb/docs/web/security-webapps.html. However, change the URL pattern for the admin user to "/*/updates.xml".
- Afterwards, take one of your NetBeans Platform applications, right-click it in the Projects window, and select "Create NBMs".
- Switch to the Files window (Ctrl-2) and navigate to your application's "build/updates" dir.
- Take everything in there and copy it to your webapps "web" dir:
- Now run your webapp and see if you can access this URL:
The browser should show it to you only after you logged in correctly as the admin user.
You have now created an update center that requires "Basic authentication". So, in the next section, you are going to attempt to register that update center in the Plugin Manager of the applicaton.
Registering a Secure Update Center
When your users have the URL to the XML defining an update center, they can register it in their application's Plugin Manager. However, now you have set up the update center so that "Basic authentication" is enabled for it. Let's now pretend to be a user of the application, who has the URL of the update center and wants to register that in the application's Plugin Manager.
- Go to Tools -> Plugins.
- Switch to the "Settings" tab and click "Add". Add a new update center under this URL:
- When you confirm by clicking OK, the application should ask you for your credentials, before accepting the new update center:
- Even though when you enter a wrong password, the update center is registered in the application, the user won't be able to access any modules from it, until authentication has been successful:
If authentication fails, the user sees the following, while no modules will be made available for installation:
Silently Updating an Application with Basic Authentication
So, as seen above, if you reuse the Plugin Manager infrastucture from the NetBeans Platform, you're set, but let's now look at a variation on this theme, since many organizations don't want to make the Plugin Manager available to their users. For one reason, it's complicated for a "non-computer-person", and you can also easily mess things up, e.g., by accidentally uninstalling or deactivating stuff or when registering new update centers to install additional plugins. So NetBeans Platform engineer Jiri Rechtacek has, as an example, has published a module to illustrate silently updating your application.
You can easily reuse that code with "Basic authentication" as well. Just follow his example for using the silent update module. If you do that, the NetBeans Platform CRUD application will prompt you for your credentials during startup. If you don't want that, you need to find a way to dynamically encode the login in the update center URL. To try that, go to the Silent Updates Module and open the Bundle.properties file in org.netbeans.modules.autoupdate.silentupdate. Add username & password similar to this:
Now the updates will be silent again.