WebApp Sec mailing list archives
Re: Web start security
From: Greg Steuck <greg-webappsec () nest cx>
Date: 16 Oct 2003 15:08:17 -0700
"Guruprasad" == Guruprasad Ramarao <prasadg75 () yahoo com> writes:
Guruprasad> Hi, I am working on a project to convert/migrate an
Guruprasad> existing web application to use Java Web Start
Guruprasad> technology. (One of the reasons for the migration is to remove
Guruprasad> extensive use of JavaScript in the web application and use
Guruprasad> Java instead.)

Are you completely replacing your HTML-based application with a Java client-based one?

Guruprasad> The web application was password protected with a JAAS login
Guruprasad> module, and access to it was over https.

I assume this means you used the webserver's internal session management, which also handled authentication at the beginning of each client session. Is that how it was done?

Guruprasad> Is there a mechanism to provide similar security in Java
Guruprasad> Web Start? I am aware of code signing; this will
Guruprasad> provide authenticity to the jar file downloaded and also
Guruprasad> ensure the jar files don't (hopefully this is the case)
Guruprasad> get tampered with on the client box.

If they want to tamper with your jar, they will just remove the signature. You should assume that your Java bytecode will be decompiled and rewritten in the manner most profitable to the attacker.

Guruprasad> Are there any mechanisms for providing password protection
Guruprasad> for a Web Start application?

Assuming you are trying to build a thin client application, you should consider using basic or digest HTTP authentication when communicating from your client to the server. I do not think this has anything to do with Java Web Start, which is AFAIK just a way of application delivery and launching.

Guruprasad> Also, are there any security vulnerabilities in using Java
Guruprasad> Web Start technology?

What kind of vulnerabilities do you have in mind?

Thanks
Greg
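To illustrate the thin-client approach suggested in the reply above, here is an added example (not code from the thread or from either poster) of a Web Start client that lets the JRE answer the server's Basic or Digest challenge over HTTPS, so that access control stays on the server rather than in the downloadable jar. The class name, the host `app.example.com`, the `/api/report` path and the credentials are assumptions.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.net.Authenticator;
import java.net.PasswordAuthentication;
import java.net.URL;
import javax.net.ssl.HttpsURLConnection;

/** Thin Web Start client: credentials travel with each HTTPS request and the
 *  server enforces access; the signed jar is only the delivery vehicle. */
public class ThinClient {

    /** Hypothetical server endpoint; replace with your own. */
    private static final String SERVICE_URL = "https://app.example.com/api/report";
    private static final String SERVICE_HOST = "app.example.com";

    /** Register credentials once; the JRE replies to 401 challenges
     *  (Basic or Digest, whichever the server demands) automatically. */
    public static void registerCredentials(final String user, final char[] password) {
        Authenticator.setDefault(new Authenticator() {
            protected PasswordAuthentication getPasswordAuthentication() {
                // Only answer challenges from the expected host over HTTPS, so a
                // redirect to another host or to plain HTTP cannot collect the password.
                if ("https".equals(getRequestingProtocol())
                        && SERVICE_HOST.equals(getRequestingHost())) {
                    return new PasswordAuthentication(user, password);
                }
                return null;
            }
        });
    }

    /** Fetches a protected resource; a 401/403 means the server, not the client, said no. */
    public static String fetchReport() throws IOException {
        HttpsURLConnection conn = (HttpsURLConnection) new URL(SERVICE_URL).openConnection();
        conn.setRequestMethod("GET");
        int status = conn.getResponseCode();
        if (status == 401 || status == 403) {
            throw new IOException("server rejected credentials, HTTP " + status);
        }
        StringBuilder body = new StringBuilder();
        BufferedReader in = new BufferedReader(new InputStreamReader(conn.getInputStream(), "UTF-8"));
        try {
            String line;
            while ((line = in.readLine()) != null) body.append(line).append('\n');
        } finally {
            in.close();
        }
        return body.toString();
    }

    public static void main(String[] args) throws IOException {
        // In a real client the password would come from a Swing login dialog.
        registerCredentials("alice", "constructed-sample-password".toCharArray());
        System.out.println(fetchReport());
    }
}
```

Because the jar can be decompiled and rewritten, every server endpoint must re-check the credentials on each request; the client code only carries them.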