Java Web Start and Security
This section describes the basics of security for applications deployed through Java Web Start and includes:
Applications launched with Java Web Start are, by default, run in a restricted environment, known as a sandbox . In this sandbox, Java Web Start:
Protects users against malicious code that could affect local files
Protects enterprises against code that could attempt to access or destroy data on networks
Sandbox applications that are launched by Java Web Start remain in this sandbox, meaning they cannot access local files or the network. See Security in Rich Internet Applications for information.
Java Web Start dynamically imports certificates as browsers typically do. To do this, Java Web Start sets its own
https handler, using the
java.protocol.handler.pkgs system properties, to initialize defaults for the SSLSocketFactory and HostnameVerifier. It sets the defaults with the methods HttpsURLConnection.setDefaultSSLSocketFactory and HttpsURLConnection.setDefaultHostnameVerifier.
If your application uses these two methods, ensure that they are invoked after the Java Web Start initializes the
https handler, otherwise your custom handler will be replaced by the Java Web Start default handler.
You can ensure that your own customized
HostnameVerifiter are used by doing one of the following:
Install your own
httpshandler, to replace the Java Web Start
In your application, invoke
HttpsURLConnection.setDefaultHostnameVerifieronly after the first
https URLobject is created, which executes the Java Web Start
httpshandler initialization code first.