WebApp Sec mailing list archives

Re: Web start security
From: Greg Steuck <greg-webappsec () nest cx>
Date: 16 Oct 2003 15:08:17 -0700

"Guruprasad" == Guruprasad Ramarao <prasadg75 () yahoo com> writes:

    Guruprasad> Hi, I am working on a project to convert/migrate an
    Guruprasad> existing web application to use Java Web Start
    Guruprasad> technology. (One of the reasons for the migration is to
    Guruprasad> remove the extensive use of JavaScript in the web
    Guruprasad> application and use Java instead.)

Are you completely replacing your HTML-based application with a
Java-client-based one?

    Guruprasad> The web application was password-protected with a JAAS
    Guruprasad> login module, and access to it was also over HTTPS.

I assume this means you used webserver internal session management which
also handled authentication at the beginning of each client session. Is
that how it was done?

    Guruprasad> Is there a mechanism to provide similar security in Java
    Guruprasad> Web Start?  I am aware of code signing; this will
    Guruprasad> provide authenticity for the downloaded jar file and also
    Guruprasad> ensure the jar files don't (hopefully this is the case)
    Guruprasad> get tampered with on the client box.

If they want to tamper with your jar, they will just remove the
signature. You should assume that your java bytecode will be decompiled
and rewritten in the manner most profitable to the attacker.

    Guruprasad> Are there any mechanisms for providing password
    Guruprasad> protection for a Web Start application?

Assuming you are trying to build a thin client application, you should
consider using Basic or Digest HTTP authentication when communicating
from your client to the server. I do not think this has anything to do
with Java WebStart, which is AFAIK just a way of application delivery and
launching.

    Guruprasad> Also, are there any security vulnerabilities in using
    Guruprasad> Java Web Start technology?

What kind of vulnerabilities do you have in mind?

Thanks
Greg
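The approach Greg recommends above, shown as an added example that is not part of the original thread: a Web Start client that authenticates to its own server with HTTP Basic or Digest over HTTPS using `java.net.Authenticator`, which answers whichever of the two challenge types the server sends. The host name `app.example.invalid`, the path `/api/account` and the credentials are placeholders for illustration. The client only hands credentials to the expected host and refuses to send them over plain HTTP; the server still has to enforce authorization on every request, since, as the reply notes, nothing in the signed jar can be trusted once it is on the client.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.net.Authenticator;
import java.net.HttpURLConnection;
import java.net.PasswordAuthentication;
import java.net.URL;
import java.nio.charset.StandardCharsets;

/**
 * Added example (not from the original thread): a thin Web Start client
 * that authenticates to its server with HTTP Basic or Digest over HTTPS.
 * The host name, path and credentials below are placeholders.
 */
public class AuthenticatedClient {

    /** Host the client is allowed to authenticate to (placeholder). */
    static final String SERVER_HOST = "app.example.invalid";

    /** Supplies credentials only when the server itself challenges. */
    static final class ServerAuthenticator extends Authenticator {
        private final String user;
        private final char[] password;

        ServerAuthenticator(String user, char[] password) {
            this.user = user;
            this.password = password;
        }

        @Override
        protected PasswordAuthentication getPasswordAuthentication() {
            // Answer challenges from our own server only: never leak the
            // password to a proxy or to any other host the JVM contacts.
            if (getRequestorType() != RequestorType.SERVER
                    || !SERVER_HOST.equalsIgnoreCase(getRequestingHost())) {
                return null;
            }
            // HttpURLConnection uses these for both Basic and Digest challenges.
            return new PasswordAuthentication(user, password.clone());
        }
    }

    /** Fetches a protected resource and returns its body as text. */
    public static String fetch(URL url) throws IOException {
        // Basic sends the password in clear (only Base64-encoded), so refuse
        // anything but HTTPS before a single request goes out.
        if (!"https".equalsIgnoreCase(url.getProtocol())) {
            throw new IllegalArgumentException("credentials must only go over HTTPS");
        }
        HttpURLConnection conn = (HttpURLConnection) url.openConnection();
        try {
            int status = conn.getResponseCode();
            if (status == HttpURLConnection.HTTP_UNAUTHORIZED) {
                // The server challenged and our credentials were rejected.
                throw new IOException("server rejected credentials");
            }
            if (status != HttpURLConnection.HTTP_OK) {
                throw new IOException("unexpected HTTP status " + status);
            }
            try (BufferedReader in = new BufferedReader(
                    new InputStreamReader(conn.getInputStream(), StandardCharsets.UTF_8))) {
                StringBuilder body = new StringBuilder();
                String line;
                while ((line = in.readLine()) != null) {
                    body.append(line).append('\n');
                }
                return body.toString();
            }
        } finally {
            conn.disconnect();
        }
    }

    public static void main(String[] args) throws IOException {
        // Placeholder credentials; a real client would prompt the user.
        Authenticator.setDefault(new ServerAuthenticator("alice", "s3cret".toCharArray()));
        URL api = new URL("https://" + SERVER_HOST + "/api/account");
        System.out.println(fetch(api));
    }
}
```

Because `Authenticator` is consulted only after the server responds with a `401` challenge, the same client code works whether the server is configured for Basic or for Digest; the TLS layer is what protects the Basic credentials in transit, which is why the protocol check is done before the connection is opened.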
