站内搜索: 请输入搜索关键词
当前页面: 在线文档首页 > Java Tutorial 5.0 英文版

Java Web Start and Security - Java Tutorial 5.0 英文版

The JavaTM Tutorial
Previous Page Lesson Contents Next Page Start of Tutorial > Start of Trail > Start of Lesson Search
Feedback Form

Trail: Deployment
Lesson: Java Web Start

Java Web Start and Security

This section describes the basics of security for applications deployed through Java Web Start and includes:

Java Web Start Security Basics

Applications launched with Java Web Start are, by default, run in a restricted environment, known as a sandbox. In this sandbox, Java Web Start:
  • Protects users against malicious code that could affect local files
  • Protects enterprises against code that could attempt to access or destroy data on networks
Unsigned JAR files launched by Java Web Start remain in this sandbox, meaning they cannot access local files or the network.

Signing JAR Files for Java Web Start Deployment

Java Web Start supports signed JAR files so that your application can work outside of the sandbox described above, so that the application can access local files and the network.

Java Web Start verifies that the contents of the JAR file have not changed since it was signed. If verification of a digital signature fails, Java Web Start does not run the application.

When the user first runs an application as a signed JAR file, Java Web Start opens a dialog box displaying the application's origin based on the signer's certificate. The user can then make an informed decision regarding running the application.

For more information, see the Signing and Verifying JAR Files (in the Deployment trail) section.

Security and JNLP Files

For a signed JAR file to have access to the local file system and network, you must specify security settings in the JNLP file. The security element contains security settings for the application.

The following example provides the application with complete access to the client system if all its JAR files are signed: 

<security>
   <all-permissions/>
</security>

Dynamic Downloading of HTTPS Certificates

Java Web Start dynamically imports certificates as browsers typically do. To do this, Java Web Start sets its own https handler, using the java.protocol.handler.pkgs system properties, to initialize defaults for the SSLSocketFactory (in the API reference documentation) and HostnameVerifier (in the API reference documentation). It sets the defaults with the methods HttpsURLConnection.setDefaultSSLSocketFactory (in the API reference documentation) and HttpsURLConnection.setDefaultHostnameVerifier (in the API reference documentation).

If your application uses these two methods, ensure that they are invoked after the Java Web Start initializes the https handler, otherwise your custom handler will be replaced by the Java Web Start default handler.

You can ensure that your own customized SSLSocketFactory and HostnameVerifiter are used by doing one of the following:

  • Install your own https handler, to replace the Java Web Start https handler. For more information, see the document A New Era for Java Protocol Handlers (in the API reference documentation).
  • In your application, invoke HttpsURLConnection.setDefaultSSLSocketFactory or HttpsURLConnection.setDefaultHostnameVerifier only after the first https URL object is created, which executes the Java Web Start https handler initialization code first.

Previous Page Lesson Contents Next Page Start of Tutorial > Start of Trail > Start of Lesson Search
Feedback Form

Copyright 1995-2005 Sun Microsystems, Inc. All rights reserved.