🟪 TommyBox is a single-file executable that makes it possible to launch web apps on a desktop.


🍥 TommyBox

License MIT Version 2.14.1 Powered by Tommy



TommyBox is a standalone executable container that makes it possible to launch static and dynamic web apps on a desktop by providing built-in server and browser functionality.
TommyBox is similar to Electron and NW.js.

An app can be provided as a directory or packed as a WAR (or ZIP) archive, and can optionally contain a PWA manifest, JSP, servlets, and static content such as CSS and JavaScript files.

Under the hood, TommyBox is built on top of the Tommy web server and the SWT browser widget.

See TommyBox in action: https://github.com/xnbox/tommybox_demo


Latest release: tb-2.14.1.jar


  • Single cross-platform executable jar (starts from ~25Mb)
  • No dependencies
  • No installation
  • No configuration files of its own; instead, TommyBox uses the standard PWA webmanifest and standard Tomcat configuration files
  • Operating systems:
    • Linux
    • macOS
    • Windows
  • Architectures:
    • x86_64
    • win32-x86_64
    • aarch64
    • ppc64le
  • Supports custom command line args, stdin, stdout, stderr
  • Configurable display modes:
    • in-window
    • in-browser
    • fullscreen
    • headless
  • Single and multiple windows modes
  • Optional custom splash screen
  • Optional custom context menu
  • Optional custom system tray icon with custom menu

Supported web apps:

  • WAR files
  • Web apps packed as ZIP archives (including standard password-protected ZIPs)
  • Exploded web apps (local directories)
  • Remote WAR / ZIP files (on HTTP servers)
  • Embedded WAR / ZIP files and directories

Command line:

java -jar tb.jar [options] [custom arg1] [custom arg2] ...

  --help                   print help message
  --app <file | dir | URL> run app from ZIP (or WAR) archive, directory or URL
  --password <password>    provide password (for encrypted ZIP (or WAR) archive)

Run app:

Run ZIP (or WAR) file:

java -jar tb.jar --app MyKillerApp.war

Run ZIP (or WAR) file with custom command-line args:

java -jar tb.jar --app MyKillerApp.war myparam1 myparam2 ...

Run ZIP (or WAR) from web server:

java -jar tb.jar --app https://example.com/MyKillerApp.zip

Run exploded web app from directory:

java -jar tb.jar --app MyKillerAppDir

Run password-protected ZIP (or WAR) archive:

java -jar tb.jar --app MyKillerApp.zip --password mysecret

Embed app:

  • Option 1. Copy your app content into the /app directory of the tb.jar.
  • Option 2. Pack your app as app.war or app.zip (the archive can be encrypted) and copy the archive to the root directory of the tb.jar.

Brand your app by renaming tb.jar to MyKillerApp.jar.

Run embedded app:

java -jar MyKillerApp.jar

Run embedded app with custom command-line args:

java -jar MyKillerApp.jar myparam1 myparam2 ...

Run password-protected embedded app:

java -jar MyKillerApp.jar --password mysecret

Run password-protected embedded app with custom command-line args:

java -jar MyKillerApp.jar --password mysecret myparam1 myparam2 ...

TommyBox specific PWA manifest keys:

| Key | Type | Default value | Description |
|---|---|---|---|
| display | string | standalone | Standard PWA display mode. Possible values: minimized_window (non-standard), maximized_window (non-standard), desktop_area (non-standard), headless (non-standard) |
| enable_fullscreen | boolean | true | Allow fullscreen mode |
| tray_icon | boolean | true | Tray icon |
| window_buttons | array | ["minimize", "maximize", "close"] | Window buttons list. Possible elements: |
| window_menu | string | none | Window menu mode. Possible values: |
| window_always_on_top | boolean | false | Always on top window property |
| window_size | string | null | Window size as a string, e.g. 640x480 |
| window_x | number | null | Window location X coordinate (in pixels) |
| window_y | number | null | Window location Y coordinate (in pixels) |
| strings | array | [] | I18N dictionary for custom strings |

TommyBox specific URL protocols:

| Protocol | Description | HTML Example |
|---|---|---|
| home: | Home action | <a href="home:">Home</a> |
| back: | Back action | <a href="back:">Back</a> |
| forward: | Forward action | <a href="forward:">Forward</a> |
| reload: | Reload action | <a href="reload:">Reload</a> |
| quit: | Exit to OS | <a href="quit:">Exit</a> |
| minimize: | Minimize window | <a href="minimize:">Minimize</a> |
| fullscreen: | Switch to fullscreen | <a href="fullscreen:">Fullscreen</a> |
| open: | Open the given URL in OS | <a href="open:file://home/john/my.pdf">Open PDF</a> |
| open_in_new_window: | Open the given URL in the new window | <a href="open_in_new_window:http://example.com">Open in New Window</a> |
| open_in_browser: | Open the given URL in the browser | <a href="open_in_browser:http://example.com">Open in Browser</a> |
| java: | Launch Java code | <a href="java:javax.swing.JOptionPane.showMessageDialog(null, &quot;Hello, Java!&quot;)">Launch Java Code</a> |
| js: | Launch JavaScript code | <a href="js:javax.swing.JOptionPane.showMessageDialog(null, 'Hello, JavaScript!')">Launch JavaScript Code</a> |
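
For reviewing a WAR or ZIP before it is run under TommyBox, the following added example (not part of the TommyBox project) lists every quoted value in the archive's HTML, JSP and JS entries that starts with java:, js: or open:, the schemes listed above that launch code or pass a URL to the OS. The function names, the suffix list and the sample archive are constructed for illustration, and encrypted archives are not handled.

```python
import io
import re
import zipfile

# Schemes from the protocol table that launch code or hand a URL to the OS.
REVIEW_SCHEMES = ("java", "js", "open")
# Assumed set of text entries worth scanning; extend as needed.
TEXT_SUFFIXES = (".html", ".htm", ".jsp", ".js")
# A quoted value that starts with one of the schemes. "open_in_browser:" and
# "javascript:" do not match because the colon must follow the scheme directly.
QUOTED_RE = re.compile(
    r"""(["'])\s*(%s):(.*?)\1""" % "|".join(REVIEW_SCHEMES),
    re.IGNORECASE | re.DOTALL,
)


def audit_archive(data: bytes):
    """Return sorted (entry, line, scheme, payload) tuples for review."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            if info.is_dir() or not name.lower().endswith(TEXT_SUFFIXES):
                continue
            text = zf.read(info).decode("utf-8", errors="replace")
            for m in QUOTED_RE.finditer(text):
                line = text.count("\n", 0, m.start()) + 1
                findings.append((name, line, m.group(2).lower(), m.group(3).strip()))
    return sorted(findings)


def build_sample_archive() -> bytes:
    """Constructed sample app, built in memory so the example runs offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("index.html", (
            '<a href="home:">Home</a>\n'
            '<a href="open_in_browser:http://example.com">Docs</a>\n'
            '<a href="java:javax.swing.JOptionPane.showMessageDialog(null, '
            '&quot;Hi&quot;)">Run</a>\n'))
        zf.writestr("help/about.jsp", "<a href='open:file://home/john/my.pdf'>PDF</a>\n")
        zf.writestr("img/logo.png", b"\x89PNG (binary entries are skipped)")
    return buf.getvalue()


if __name__ == "__main__":
    for entry, line, scheme, payload in audit_archive(build_sample_archive()):
        print(f"{entry}:{line}: {scheme}: {payload}")
```

The scan is textual, so links assembled at runtime from string fragments will not appear in the findings.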

Access to the custom command-line args and system streams programmatically (JNDI):

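import java.io.InputStream;
import java.io.PrintStream;
import javax.naming.InitialContext;

// ...somewhere in your Servlet or JSP (the lookups can throw javax.naming.NamingException)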

InitialContext ctx = new InitialContext();

/* get custom command-line args */
String[] args = (String[]) ctx.lookup("java:comp/env/tommy/args");

/* get standard input (stdin) */
InputStream stdin = (InputStream) ctx.lookup("java:comp/env/tommy/stdin");

/* get standard output (stdout) */
PrintStream stdout = (PrintStream) ctx.lookup("java:comp/env/tommy/stdout");

/* get standard error (stderr) */
PrintStream stderr = (PrintStream) ctx.lookup("java:comp/env/tommy/stderr");

/* get "--app" parameter value */
String app = (String) ctx.lookup("java:comp/env/tommy/app");

// ...


Q. My app failed with java.lang.ClassNotFoundException: javax.servlet.*

A. As a result of the move from Java EE to Jakarta EE, starting from v10, Apache Tomcat supports only the Jakarta EE spec. javax.servlet.* is no longer supported. Replace the javax.servlet.* imports in your code with jakarta.servlet.*.
