Deploying with Java Web Start

---

Java Web Start (JWS) is a deployment technology for Java applications, allowing them to be downloaded, launched, and updated automatically. For more information on JWS, see http://java.sun.com/products/javawebstart/.

Security Implications

For security, Java Web Start "sandboxes" any unsigned application, preventing access to the local hard drive and preventing potentially malicious actions.

At the same time, your application likely has its own SecurityManager to prevent untrusted applets and JavaScripts from running.

These two security systems may overlap and cause conflicts. To prevent these conflicts, you need to disable the JWS security and alter the browser application's security appropriately.

For more information on security issues, see http://java.sun.com/j2se/1.4.2/docs/guide/jws/developersguide/development.html#security.

Disabling JWS Security

Do both of the following to disable the JWS sandbox:

• Sign your application JAR files with a certificate. Signing the JAR files allows full access, and is necessary for the application to open network connections. For more information on signing, see http://java.sun.com/docs/books/tutorial/jar/sign/signing.html or http://java.sun.com/j2se/1.3/docs/tooldocs/win32/jarsigner.html.
• Configure the JNLP file (the configuration file used by JWS to launch your application) to allow all-permissions as follows:

  <security>
  
      <all-permissions/>
  
  </security>
   
  
     By setting all-permissions, the user of the application is prompted to allow the application unrestricted access to the system.
  
  

With the JWS security manager present but disabled, the browser application can access remote servers and the local file system while maintaining an appropriate security sandbox for applets and JavaScripts.

Configuring the Browser's Security

Use one of the following methods to configure the browser application's security. These methods all assume that the JWS security has been disabled and that the user allows full access when prompted.

• Instantiate a SecurityManager using the provided security utilities located in the ice.util.security package. The code to do this is as follows:

  ice.util.SecurityKit.installDefaultSecurityManager();
   
  
     The advantage of this approach is that it determines if you are running 1.1.x, 1.2+, or PJava implementations, and sets up security appropriately. 
  
  

• Set your own custom security manager. You can write your own manager or extend the default SecurityManager, overriding the methods as required. To use your own security manager, use code similar to this:

  System.setSecurityManager( new CustomSecurityManager() );
   
  

• Turn off security by setting the SecurityManager to null. The code to do this is:

  System.setSecurityManager( null );
   
  
     If you do not have sufficient permissions, this call throws a SecurityException. If it succeeds, there are no security restrictions on applets and JavaScript or on the application itself.
  
  

Note: Viewing web content without a security sandbox configured for applets and JavaScript may allow malicious content to access and potentially damage your system.

Copyright 2005. ICEsoft Technologies, Inc. http://www.icesoft.com