Hi Stefan,
you basically answered your own question.
First of all: As you mentioned, you shouldn’t use any swing components in a headless client.
On your second question: Both solutions are valid AFAIK.
- adding it to trustedRemotePlugins, will resolve a possible future situation with other clients as well.
- in this case authenticating your client should also work.
I’d prefer adding to trustedRemotePlugins.