1. Launching Java Programs can suck
2. Java defaults to secure on https requests.
First, on #2, yeah, really can't do anything here. If they didn't do it this way, it would be reported as another vulnerability in the JVM that they would have to patch.
On #1, this is actually an old problem that I had worked on years ago, and I even published the solution in javanet (remember that?). If there is any interest in this, I can revive the project, since it's been dead for nearly 10 years. (http://web.archive.org/web/20070724060104/https://launcher.d...)
Basically I had a custom classloader read the lib dir that worked similarly to Tomcat's classloader. Dump any jars/wars/etc in there that you want. All you had to do was tell me where the main class was (because a lot of jars have a testing Main built into them and I wouldn't know which one you wanted to run).