views: 734
answers: 4

hi,

I have a Swing application deployed on an HTTP server. Users use the browser to point to a URL and install the client using Java Web Start. Now I need to enable HTTPS access to my application deployed on the HTTP server. I am using JDK 1.5 as the default JDK supported in the JNLP file. For the time being I use a self-signed certificate to sign the jars (created by default using Sun's jarsigner, keytool, etc. utilities).

Solution/steps would be much appreciated.

Thanks in advance

Ramesh

A: 

What is the feature of https that you are hoping to leverage?

  • The signing/server authentication is done by code signing, though you are undermining this by using a self-signed certificate.
  • Does your application code contain secrets that must be hidden from eavesdroppers?

As you say you "need to enable" there must be an underlying reason.

I believe that before you "need https" you need a proper code signing certificate. You might want to rephrase your question so that your underlying problem can be solved instead of the very specific question.

Olaf
A trusted server certificate would prevent man-in-the-middle attacks, and you could be sure that you webstart from the right server. But that might already be the case, because he signed the jars, right?
Tim Büthe
Right, but it can be more detailed: enabling HTTPS protects the transmission of the code from eavesdroppers and makes sure that it came from the expected server. Signing the jars makes sure that the transmitted code is the code that the signer expected to be transmitted to the client. Just using HTTPS means that the wrong code came from the correct server; just signing the jars means that the transmission can be listened to by "men in the middle", though not altered. Another can of worms can be opened when the application, once running, transmits data to the server it came from.
Olaf
+1  A: 

As far as I understand your question, you don't need to change anything in the client code. If you only want to give access to the JNLP via HTTPS, you would only need to reconfigure the application server distributing the JNLP, or, if you have a webserver in front of the application server (as we do here: user - https -> apache -> AJP -> tomcat), you need to reconfigure the webserver to allow access to the JNLP via HTTPS.

boutta
+1  A: 

You need to enable HTTPS on the web server. To get the certificate you need to provide credentials and the host name of the server to a certificate authority (CA) like VeriSign or Thawte. They can provide you with a server certificate signed by their root certificate or some intermediate certificate. This certificate must then be imported into the web server to enable HTTPS over SSL. The web clients, like a browser or Web Start, will then verify the certificate chain when accessing the server.

If you use a self-signed jar, all your users will be presented with a warning message about potentially unsafe code. To avoid this you should get a code signing certificate from a CA, which would be somewhat similar to the web server certificate. This CA-provided certificate can be imported into the keystore and used in the same way you use the self-signed certificate. The code signing certificate will be signed by the CA so that the certificate chain can be verified by Web Start.

stili
A: 

That should be quite easy. You have to activate HTTPS on your webserver and change your JNLP URL to https://.... Here is how you do it for Tomcat and Jetty.

Tim Büthe
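An added check (example code, not from any of the answers above) for the two points the thread raises: whether every resource a JNLP descriptor references would really be fetched over HTTPS once the launch URL is switched, and whether a jar carries the META-INF signature entries that jarsigner adds. The descriptor, host names and jar contents are constructed for the demo.

```python
import io
import xml.etree.ElementTree as ET
import zipfile
from urllib.parse import urljoin, urlparse

# Constructed sample descriptor: https codebase, one jar pinned to plain http.
SAMPLE_JNLP = """<jnlp spec="1.5+" codebase="https://apps.example.test/swingapp/" href="launch.jnlp">
  <resources>
    <jar href="app.jar" main="true"/>
    <jar href="lib/util.jar"/>
    <jar href="http://cdn.example.test/legacy/old.jar"/>
  </resources>
  <application-desc main-class="com.example.Main"/>
</jnlp>
"""

def resource_urls(jnlp_text):
    """Absolute URL of every jar/nativelib/extension, resolved against the
    codebase the way Web Start resolves relative hrefs."""
    root = ET.fromstring(jnlp_text)
    codebase = root.get("codebase", "")
    return [urljoin(codebase, el.get("href"))
            for tag in ("jar", "nativelib", "extension")
            for el in root.iter(tag) if el.get("href")]

def plaintext_resources(jnlp_text):
    """URLs (codebase included) that would be fetched without TLS."""
    codebase = ET.fromstring(jnlp_text).get("codebase", "")
    urls = ([codebase] if codebase else []) + resource_urls(jnlp_text)
    return [u for u in urls if urlparse(u).scheme.lower() != "https"]

def build_jar(signed):
    """Minimal in-memory jar; the signed variant carries the META-INF/*.SF and
    *.RSA entries jarsigner adds (stub contents, constructed for the demo)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        z.writestr("com/example/Main.class", b"\xca\xfe\xba\xbe")
        if signed:
            z.writestr("META-INF/APP.SF", "Signature-Version: 1.0\n")
            z.writestr("META-INF/APP.RSA", b"\x30\x00")
    return buf.getvalue()

def has_signature_files(jar_bytes):
    """True if a .SF plus a .RSA/.DSA/.EC block exist under META-INF/; only the
    precondition for `jarsigner -verify`, not proof the signature is valid."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as z:
        meta = [n for n in z.namelist() if n.startswith("META-INF/")]
    return (any(n.endswith(".SF") for n in meta)
            and any(n.endswith((".RSA", ".DSA", ".EC")) for n in meta))
```

A jar that passes `has_signature_files` still has to be checked with `jarsigner -verify -certs`, which is where the CA chain discussed above matters.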