For Java and JavaFX apps Java Warehouse Tech Tips

Monday Nov 09, 2009

Java Web Start addresses security issues in order to:

  • Protect users against malicious code (intentional or unintentional) that may affect local files
  • Protect enterprises against code that may attempt to access or destroy data on networks

Sandbox Environment

By default, applications launched with Java Web Start run in a restricted environment where their access to local computing resources, such as storage devices and the local network, is at the user's discretion. In this sandbox environment, Java Web Start guarantees that a downloaded and potentially untrusted application cannot compromise the security of the local files or the network.

Apps need no security permissions to run with sandbox permissions. To make a sandbox app, all you have to do is ensure that the following tag is not included in your JNLP descriptor:


    <security>
           <all-permissions/>
    </security> 

All Permissions and Digital Code Signing

If you need to work in an unrestricted environment where you can access all the local computing resources, you have to go through the process of digitally signing your code.

Support for code signing is important for both users and application service providers. It makes it possible for users to verify that an application comes from a trusted source. Because the application service provider signs the code, both can be assured that no other party can impersonate the application on the Web.

An application can request full access to a client system when all its JAR files are signed by including the following settings in the JNLP file:

 
    <security>
           <all-permissions/>
    </security>

Signing JAR Files With a Test Certificate

Follow these steps to sign a JAR file with a test certificate:

  1. Make sure that you have the JDK keytool and jarsigner tools in your path (they are located in the Java SE SDK bin directory).
  2. Create a new key in a new keystore:
    keytool -genkey -keystore myKeystore -alias myself
    You will get prompted for information about the new key, such as password and name. This will create the myKeystore file on disk.
  3. Then, create a self-signed test certificate:
    keytool -selfcert -alias myself -keystore myKeystore
    This will prompt for the password. Generating the certificate takes a few minutes.
  4. Check to make sure that everything works. To list the contents of the keystore, use the following command:
    keytool -list -keystore myKeystore
    The list should resemble this:
    
              Keystore type: jks
              Keystore provider: SUN
    
              Your keystore contains 1 entry:
    
              myself, Tue Jan 23 19:29:32 PST 2001, keyEntry,
              Certificate fingerprint (MD5):
              C2:E9:BF:F9:D3:DF:4C:8F:3C:5F:22:9E:AF:0B:42:9D
  5. Finally, sign the JAR file with the test certificate:
    jarsigner -keystore myKeystore test.jar myself
    Repeat this step on all of your JAR files.

Note that a self-signed test certificate should only be used for internal testing, since it does not provide any guarantees about the identity of the user and therefore cannot be trusted. A trustworthy certificate can be obtained from a certificate authority, such as VeriSign, and should be used when the application is put into production.

Verify JAR: How to Find Who Signed the JAR

To verify the JAR and JAR Signer, follow these steps:

  1. Get the JAR.
  2. Use the jarsigner -verify option, such as jarsigner -verify main.jar
  3. Extract the signature files from the JAR; you can find them in the META-INF directory.
  4. Go to META-INF. There will be at least two files -- one with an .RSA/.DSA extension, the other with an .SF extension. These files contain the information about the certificates and code-signing authorities.
  5. Use the following command (assuming the key file to be KEY1.DSA):
    jar -xf main.jar META-INF/KEY1.DSA
  6. Use keytool to print the certificate information.
    keytool -printcert -file KEY1.DSA

You can then see the owner and the issuer. Here is a sample of how it might look.

 
     Owner: CN=jfxbook
     Issuer: CN=jfxbook
     Serial number: 4a26e445
     Valid from: Wed Jun 03 13:59:49 PDT 2009 until: Tue Sep 01 13:59:49 PDT 2009
     Certificate fingerprints:
          MD5:  DB:18:12:26:55:B4:F5:35:66:05:8B:0E:24:4C:1B:7F
          SHA1: 9D:C6:20:46:4A:93:C1:3E:AF:00:0F:8F:8F:12:AD:F9:CE:6F:B5:AC
          Signature algorithm name: SHA1withDSA
          Version: 3
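
The verification steps above can be scripted. The following is an added example, not code from the original post: it runs the same jarsigner, jar and keytool commands and reports whether each signer certificate has identical Owner and Issuer fields, as the self-signed test certificate in the sample does. The function names, the constructed demo input and the rule that the first certificate printed is the signer's are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): script the verification steps
# and flag signers whose certificate is self-issued (Owner == Issuer).

# Filter a JAR entry listing (stdin, one path per line as from `jar -tf`)
# down to the .RSA/.DSA signature block files directly under META-INF/.
sig_blocks() {
    grep -E '^META-INF/[^/]+\.(RSA|DSA)$'
}

# Classify `keytool -printcert` output read from stdin. Only the first
# Owner/Issuer pair is examined (assumed to be the signer's certificate).
cert_kind() {
    awk '
        /^[ \t]*Owner:/  && owner == ""  { sub(/^[ \t]*Owner:[ \t]*/, "");  owner = $0 }
        /^[ \t]*Issuer:/ && issuer == "" { sub(/^[ \t]*Issuer:[ \t]*/, ""); issuer = $0 }
        END {
            if (owner == "" || issuer == "") print "unknown"
            else if (owner == issuer)        print "self-signed"
            else                             print "ca-issued"
        }'
}

# Verify one JAR, then print the kind of certificate behind each signature.
# Returns non-zero if verification fails or any signer is not ca-issued.
check_jar() {
    jar_path=$1
    case $jar_path in /*) ;; *) jar_path=$PWD/$jar_path ;; esac
    jarsigner -verify "$jar_path" | grep -q 'jar verified' || {
        echo "$1: not verified"; return 1; }
    work=$(mktemp -d) || return 1
    status=0
    for entry in $(jar -tf "$jar_path" | sig_blocks); do
        (cd "$work" && jar -xf "$jar_path" "$entry")
        kind=$(keytool -printcert -file "$work/$entry" | cert_kind)
        echo "$1: $entry: $kind"
        [ "$kind" = ca-issued ] || status=1
    done
    rm -rf "$work"
    return $status
}

# Check the JARs named on the command line; with no arguments, classify a
# constructed two-line sample of keytool output instead.
for j in "$@"; do check_jar "$j"; done
[ $# -gt 0 ] || printf 'Owner: CN=jfxbook\nIssuer: CN=jfxbook\n' | cert_kind
```

Matching Owner and Issuer fields only show that the certificate is self-issued; a certificate reported as ca-issued still has to chain to an authority you trust.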

Comments:

Check out this screencast that shows you how to re-spin a desktop application into a Java Web Start application!

http://blogs.sun.com/thejavatutorials/entry/re_spin_desktop_application_into

Posted by Sowmya Kannan on November 16, 2009 at 10:17 AM PST #
