Java Web Start Security
Java Web Start Security
Java Web Start (JWS) is a full-fledged Java application that allows Java client applications to be deployed, launched, and updated from a Web server. It provides a mechanism for application distribution through a Web server and facilitates Java
JWS Security Model
Typical to a stand-alone Java application, JWS applications run outside a Web browser using the sandbox features of the underlying Java platform. JWS also allows defining security attributes for client-side Java applications and their access to local resources, such as file system access, making network connections, and so on. These security attributes are specified using XML tags in the JNLP descriptor file. The JNLP descriptor defines the application access privileges to the local and network resources. In addition, JWS allows the use of digital signatures for signing JAR files in order to verify the application origin and its integrity so that it can be trusted before it is downloaded to a client machine. The certificate used to sign the JAR files is
When downloading signed JARs, JWS displays a dialog box that mentions the source of the application and the signer's information before the application is executed. This allows users to make decisions regarding whether to grant additional privileges to the application or not. When downloading unsigned applications (unsigned JARs) that require access to local resources, JWS throws a "Security Advisory" dialog box
Signing a JWS application is quite similar to the steps involved in signing an applet, as we saw in the previous section. To sign a JWS application for production, you must obtain a certificate from a certificate authority such as VeriSign and Thawte. For testing purposes, you may choose to use the key management tools provided with the J2SE bundle. JNLP Settings for Security
To deploy a JWS application, in addition to JAR files, adding a .jnlp file is required. The JNLP file is an XML-based document that describes the application classes (JAR files), their location in a Web server, JRE version, and how to launch in the client environment. The client user downloads the JNLP file from the server, which automatically launches the JWS application on the client side. The JNLP file uses XML elements to describe a JWS application. The root element is tagged as
<jnlp>
, which contains the four
To enforce security, the
<security>
element is used to specify the required permissions. The security element provides two permission options:
<all-permissions/>
to provide an application with full access to the client's local computing resources, and
<j2ee-
Example 3-19. JNLP file showing <security> elements<?xml version="1.0" encoding="UTF-8"?> <jnlp spec="1.0+" codebase="file:///c:/testarea/jnlp/"> <information> <title>My Signed Jar</title> <vendor>Core Security Patterns</vendor> <homepage href="http://www.sec-patterns.com/signed" /> <description>Java Web start example</description> </information> <offline-allowed/> <security> <all-permission/> </security> <resources> <j2se version="1.2+" /> <jar href="SignedClientApp.jar"/> </resources> <application-desc main-class="SignedClientApp" /> </jnlp> |
Similar products
Similar products
- C++ Programming Fundamentals
Books on arrays in c++ - MCSD Analyzing Requirements and Defining. NET Solutions Architectures Study Guide (Exam 70-300)
Business feasibility objectives - Professional. NET Framework 2.0
Invariantculture swap month and day - IPSec(c) The New Security Standard for the Internet, Intranets, and Virtual Private Networks
Ipsec c