
2.3.8. An excursus on security in Java Web Start

Java Webstart addresses the security issues of

Applications launched with Java Webstart are -- by default -- run in a restricted environment where they have limited access to local computing resources, such as storage devices and the local network. In this sandbox environment, Java Webstart can guarantee that a downloaded and potentially untrusted application cannot compromise the security of the local files or the network.

An additional security feature supported by Java Webstart is digital code signing. If an application being invoked is delivered in one or more signed JAR files, Java Webstart will verify that the contents of the JAR file have not been modified since they were signed. If verification of a digital signature fails, Java Webstart will not run the application, since it may have been compromised by a third-party.

The support for code signing is important both for users and for application service providers. This service makes it possible for users to verify that an application comes from a trusted source. Because the application service provider signs the code, both can be assured that no other party can impersonate the application on the Web. A signed application that is trusted by the user can also request additional system privileges, such as access to a local disk.

Java Webstart presents a dialog displaying the application's origin, based on the signer's certificate, before the application is launched, thereby allowing the user to make an informed decision about whether or not to grant additional privileges to the downloaded code.

An application can request full access to a client system when all its JAR files are signed by including the following settings in the JNLP file:

<security>
    <all-permissions/>
</security>

The implementation of code signing in Java Webstart is based on the security API in the core Java 2 Platform. The Java 2 SE JRE 1.2.x supports code signing with the SHAwithDSA algorithm. Java 2 SE JRE 1.3 also supports MD2withRSA and MD5withRSA. MD5withRSA is currently the most often used algorithm.

Developers sign code for use with Java Webstart in the same manner as for Java Applets, by using the standard jarsigner tool from the Java 2 SE SDK. The documentation for the jarsigner tool provides examples of how to sign code, create test certificates, and handle other signing-related issues.

Java Webstart also supports use of the Netscape signtool when used with the Java 2 SE JRE 1.3.0. See the Netscape Web site for details: http://developer.netscape.com/software/signedobj/
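The following pre-deployment check is an added example and is not part of the Orangevolt ANT Tasks documentation or the jnlp task itself. It ties together the two points above: the <security><all-permissions/> setting in the JNLP file, and the rule that Java Webstart only honours that setting when every referenced JAR is signed. The script parses a constructed JNLP file, lists its <jar> resources, and looks inside each JAR for the entries jarsigner writes (META-INF/*.SF together with a *.DSA or *.RSA signature block). The JNLP content, codebase, JAR names and JAR contents are all constructed for the example; the check is structural only and does not replace jarsigner -verify, which actually validates the digests and the signer's certificate.

```python
"""Pre-deployment check for a JNLP launch file and the JARs it references.

Added example, not part of the Orangevolt ANT Tasks documentation.
It verifies that an application requesting <all-permissions/> ships only
JARs that carry signature entries. Presence of the entries is necessary
for Web Start to accept the JAR, not sufficient: run jarsigner -verify
for the cryptographic check.
"""
import io
import xml.etree.ElementTree as ET
import zipfile

# Constructed sample JNLP file (hypothetical codebase, jar names and class).
SAMPLE_JNLP = """<jnlp spec="1.0+" codebase="http://example.invalid/app" href="app.jnlp">
  <information>
    <title>Demo</title>
    <vendor>Example Vendor</vendor>
  </information>
  <security>
    <all-permissions/>
  </security>
  <resources>
    <j2se version="1.3+"/>
    <jar href="app.jar" main="true"/>
    <jar href="lib/util.jar"/>
  </resources>
  <application-desc main-class="demo.Main"/>
</jnlp>
"""


def requests_all_permissions(jnlp_text):
    """Return True if the JNLP file asks for full access to the client system."""
    root = ET.fromstring(jnlp_text)
    return root.find("security/all-permissions") is not None


def referenced_jars(jnlp_text):
    """Return the href of every <jar> resource declared in the JNLP file."""
    root = ET.fromstring(jnlp_text)
    return [jar.get("href") for jar in root.iter("jar")]


def jar_has_signature(jar_bytes):
    """Return True if the JAR contains the entries jarsigner writes.

    A signed JAR carries META-INF/<alias>.SF and a signature block
    META-INF/<alias>.DSA or .RSA (DSA for SHAwithDSA keys, RSA for the
    MD5withRSA/MD2withRSA variants). Digests and certificates are not checked here.
    """
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = [n.upper() for n in zf.namelist()]
    has_sf = any(n.startswith("META-INF/") and n.endswith(".SF") for n in names)
    has_block = any(
        n.startswith("META-INF/") and n.endswith((".DSA", ".RSA")) for n in names
    )
    return has_sf and has_block


def check_deployment(jnlp_text, jars):
    """Return a list of problems; an empty list means the deployment looks consistent.

    ``jars`` maps each href from the JNLP file to that JAR's bytes.
    """
    problems = []
    if not requests_all_permissions(jnlp_text):
        return problems  # sandboxed application: signing is optional
    for href in referenced_jars(jnlp_text):
        if href not in jars:
            problems.append(f"{href}: referenced in JNLP but not provided")
        elif not jar_has_signature(jars[href]):
            problems.append(f"{href}: no signature entries; all-permissions will be refused")
    return problems


def make_jar(signed):
    """Build a minimal constructed JAR in memory, optionally with signature entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("demo/Main.class", b"\xca\xfe\xba\xbe")  # placeholder class bytes
        if signed:
            zf.writestr("META-INF/SIGNER.SF", "Signature-Version: 1.0\n")
            zf.writestr("META-INF/SIGNER.DSA", b"\x30\x00")  # placeholder, not a real block
    return buf.getvalue()


if __name__ == "__main__":
    sample_jars = {"app.jar": make_jar(True), "lib/util.jar": make_jar(False)}
    for problem in check_deployment(SAMPLE_JNLP, sample_jars):
        print(problem)
```

Run against a real deployment directory, the script would read each href relative to the codebase instead of the constructed in-memory JARs. Note that Web Start additionally requires all JARs of an all-permissions application to be signed by the same certificate, which this structural check does not examine; jarsigner -verify -certs on each JAR shows the signer.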