Web Start Security and the Cache

Hi,
If the jars are signed and download occurs then webstart will verify the signature and tell the user that jars signed by user xxxxx are about to be run. Then the jars are cached by web start. My question is, what is to stop an attacker from replacing the jars in the cache with malicious ones? Does web start verify the signature on the jars when they are loaded from the cache as well, thus preventing the jars from being changed? Or does the versioning system web start uses somehow prevent replacing the jars?
Thanks for any help,
Dave.

How would an attacker replace the jars with malicious ones? Through the initial signed jars? That means the initial ones are already malicious anyway, so why bother? After all, the user has already given those signed jars all-permissions anyway...
I'm sure you could devise some other means to do it using virus-like software, but all this would give you far greater control over the user's machine than anything those cached jars could ever give you, even if the JNLP client did no checking on its cache whatsoever.
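
The question above is whether a jar sitting on disk still matches the signature the user approved. The following added example (not from the thread, and not a description of what Web Start itself does) shows how that check can be done independently with the standard `java.util.jar` API: every entry is read in full so its digest is verified, unsigned entries are rejected, and the signer certificate can be pinned by fingerprint. The class name `CachedJarCheck` and the pinned-fingerprint argument are assumptions of the example; it checks integrity and signer identity only, not certificate chain validity or revocation.

```java
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.util.Enumeration;
import java.util.Locale;
import java.util.jar.Attributes;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;
import java.util.jar.JarOutputStream;
import java.util.jar.Manifest;

public class CachedJarCheck {

    // The manifest and signature files directly under META-INF/ are not themselves signed.
    static boolean isSignatureRelated(String name) {
        String n = name.toUpperCase(Locale.ROOT);
        if (!n.startsWith("META-INF/") || n.indexOf('/', 9) != -1) return false;
        return n.equals("META-INF/MANIFEST.MF") || n.startsWith("META-INF/SIG-")
            || n.endsWith(".SF") || n.endsWith(".RSA") || n.endsWith(".DSA") || n.endsWith(".EC");
    }

    static String sha256Hex(byte[] data) throws Exception {
        StringBuilder sb = new StringBuilder();
        for (byte b : MessageDigest.getInstance("SHA-256").digest(data)) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }

    /** Returns null when every entry is signed and intact, otherwise the reason for rejection. */
    static String verify(Path jar, String pinnedSignerSha256) throws Exception {
        byte[] buf = new byte[8192];
        try (JarFile jf = new JarFile(jar.toFile(), true)) { // true: verify signatures
            Enumeration<JarEntry> entries = jf.entries();
            while (entries.hasMoreElements()) {
                JarEntry e = entries.nextElement();
                if (e.isDirectory() || isSignatureRelated(e.getName())) continue;
                // Digests are checked only while the entry is read to the end;
                // a modified entry raises SecurityException here.
                try (InputStream in = jf.getInputStream(e)) {
                    while (in.read(buf) != -1) { /* drain */ }
                }
                // Certificates are available only after the full read. An entry
                // added to the jar after signing has none.
                Certificate[] certs = e.getCertificates();
                if (certs == null || certs.length == 0) return "unsigned entry: " + e.getName();
                // certs[0] is the first signer's own certificate; compare it to the pin.
                if (pinnedSignerSha256 != null
                        && !pinnedSignerSha256.equalsIgnoreCase(sha256Hex(certs[0].getEncoded()))) {
                    return "unexpected signer on entry: " + e.getName();
                }
            }
            return null;
        } catch (SecurityException ex) {
            return "signature or digest failure: " + ex.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        Path jar;
        String pin = args.length > 1 ? args[1] : null; // hypothetical pinned SHA-256 of the signer cert
        if (args.length > 0) {
            jar = Paths.get(args[0]);
        } else {
            // Constructed sample: an unsigned jar, which must be rejected.
            jar = Files.createTempFile("constructed-unsigned", ".jar");
            Manifest mf = new Manifest();
            mf.getMainAttributes().put(Attributes.Name.MANIFEST_VERSION, "1.0");
            try (JarOutputStream out = new JarOutputStream(Files.newOutputStream(jar), mf)) {
                out.putNextEntry(new JarEntry("Hello.txt"));
                out.write("constructed".getBytes(StandardCharsets.UTF_8));
                out.closeEntry();
            }
        }
        String problem = verify(jar, pin);
        System.out.println(jar + ": " + (problem == null ? "all entries signed and intact" : "REJECT, " + problem));
    }
}
```

Run with no arguments it rejects the constructed unsigned jar; run with a jar path (and optionally a signer fingerprint) it checks that file.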

Similar Messages

  • Web start fires up the installer twice

    All
    We are seeing some issues where java web start is invoking the installer twice for some reason instead of once.
    When we install the application using the installer it installs correctly and everything looks good. But whenever the user clicks on the shortcut icon it tries to install the application again by downloading all the jar files and gets the installer screen again. This happens twice but I'm not sure why.
    I tried this on two JREs, .14 and .15, and both had the same problems.
    I'm pasting the two JNLP files we are using. The first JNLP is the main jnlp file, which refers to the installer jnlp using the extension tag.
    -----------------------------------------------------------Main JNLP-----------------------------------------------------
    <?xml version="1.0" encoding="UTF-8"?>
    <jnlp codebase="$$context/CCA" href="$$context/CCA/AuthoringLaunch.jnlp">
      <information>
        <title>Sample Learning Studio</title>
        <vendor>Sample Corporation</vendor>
        <description>Sample</description>
        <icon href="$$context/CCA/resources/images/desktopIcon.png"/>
        <icon kind="splash" href="$$context/CCA/resources/images/splash-screen.png"/>
        <offline-allowed/>
        <shortcut>
          <desktop/>
          <menu submenu="Sample Learning Studio"/>
        </shortcut>
      </information>
      <security>
        <all-permissions/>
      </security>
      <update check="always" policy="prompt-update"/>
      <resources os="Windows" arch="x86">
        <nativelib href="$$context/CCA/lib/swt-3.5M1-win32-win32-x86.jar" download="eager"/>
      </resources>
      <resources>
        <j2se version="1.6+"/>
        <jar href="$$context/CCA/lib/jna_WindowUtils.jar" download="eager"/>
        <jar href="$$context/CCA/lib/jna-3.0.7.jar" download="eager"/>
        <jar href="$$context/CCA/lib/MozillaInterfaces-1.8.1.3.jar" download="eager"/>
        <jar href="$$context/CCA/lib/derby.jar" download="eager"/>
        <jar href="$$context/CCA/lib/ibatis-2.3.0.677.jar" download="eager"/>
        <jar href="$$context/CCA/lib/xml.jar" download="eager"/>
        <jar href="$$context/CCA/lib/activation.jar" download="eager"/>
        <jar href="$$context/CCA/lib/mail.jar" download="eager"/>
        <jar href="$$context/CCA/lib/AuthoringBuisnessObjects.jar" download="eager"/>
        <jar href="$$context/CCA/lib/AuthoringBrowser.jar" download="eager"/>
        <jar href="$$context/CCA/lib/AuthoringCore.jar" download="eager"/>
        <jar href="$$context/CCA/lib/AuthoringCourse.jar" download="eager"/>
        <jar href="$$context/CCA/lib/AuthoringCommands.jar" download="eager"/>
        <jar href="$$context/CCA/lib/AuthoringComponents.jar" download="eager"/>
        <jar href="$$context/CCA/lib/AuthoringDataObjects.jar" download="eager"/>
        <jar href="$$context/CCA/lib/AuthoringDb.jar" download="eager"/>
        <jar href="$$context/CCA/lib/AuthoringExceptions.jar" download="eager"/>
        <jar href="$$context/CCA/lib/AuthoringLogger.jar" download="eager"/>
        <jar href="$$context/CCA/lib/AuthoringLicense.jar" download="eager"/>
        <jar href="$$context/CCA/lib/AuthoringMain.jar" main="true" download="eager"/>
        <jar href="$$context/CCA/lib/AuthoringRequestBeans.jar" download="eager"/>
        <jar href="$$context/CCA/lib/AuthoringUtils.jar" download="eager"/>
        <jar href="$$context/CCA/lib/resources.jar" download="eager"/>
        <extension name="AuthoringInstaller" href="$$context/CCA/lib/AuthoringInstaller.jnlp"/>
        <property name="application.context" value="$$context"/>
      </resources>
      <application-desc main-class="com.sample.authoring.main.ApplicationMainLaunch"/>
    </jnlp>
    -----------------------------------------------------------Main JNLP-----------------------------------------------------
    Here is the installer JNLP file
    --------------------------------------------------------------Installer JNLP-----------------------------------------------------
    <jnlp codebase="$$context/CCA/lib" href="$$context/CCA/lib/AuthoringInstaller.jnlp">
      <information>
        <title>Sample Learning Studio</title>
        <vendor>Sample Corporation</vendor>
        <description>Installer</description>
        <offline-allowed/>
      </information>
      <security>
        <all-permissions/>
      </security>
      <resources>
        <j2se version="1.6+"/>
        <jar href="$$context/CCA/lib/resources.jar" download="eager"/>
        <jar href="$$context/CCA/lib/AuthoringExceptions.jar" download="eager"/>
        <jar href="$$context/CCA/lib/AuthoringLogger.jar" download="eager"/>
        <jar href="$$context/CCA/lib/AuthoringUtils.jar" download="eager"/>
        <jar href="$$context/CCA/lib/AuthoringInstaller.jar" main="true"/>
        <property name="deployer.context" value="$$context"/>
        <property name="deployer.codeBase" value="CCA"/>
        <property name="deployer.configFile" value="deploy.xml"/>
        <property name="deployer.configDir" value="conf"/>
      </resources>
      <installer-desc main-class="com.sample.authoring.installer.InstallationWizad"/>
    </jnlp>
    --------------------------------------------------------------Installer JNLP-----------------------------------------------------
    I'm not sure why the installer was getting fired twice.
    To solve this problem I tried to update the <shortcut> tag to have an online attribute: <shortcut online="false">
    Doing this prevented the installer from firing up twice, but it alerts the user with another alert which says "The application has requested to go online".
    Can someone let me know why this would happen?
    Also let me know if there is a way to have a java web start application always launch offline and check for updates.
    Thanks
    Chetan

    In this very same forum BenGlacy said he got there (no online launch and check for update) by removing the jnlp href attribute.
    Anyway there's something that doesn't make sense in your post.
    Chetan_Loves_Java wrote:
    When we install the application using the installer it installs correctly and everything looks good
    You don't install using an installer, it's meant to execute una-tantum tasks before app's first launch. If your installer does anything different, that could be the reason for your problems. By the way, in Java Web Start you don't install (period), you launch.
    If you, instead, mean the javaws -install option, please check all hrefs in JNLPs and look for 'twin' entries in your cache (javaws -viewer); resources are cached by URL, even the slightest difference can make them appear like 2 different voices.
    Application tries to go online 'cause it has an absolute href (instead of one relative to the codebase), although, I gotta say, you may find in this forum that absolute href happened sometime to solve some problems. About this, why are you using absolute path (repeating codebase) on every resource (afaik, this never solved any problem)?
    Bye.

  • Pick Your Web Start App Of The Week

    Hi,
    I invite you to post your comments about your favorite Web Start app here.
    Every week I will profile a different Web Start App at "The Saturn Times" - http://vamphq.com/times - including your quotes.
    Post early, post often and help promote all the great Web Start apps out there.
    - Gerald

    Your jnlp checker Vanessa is quite useful.
    Is the source available, because I would like to fix a bug or two I noticed.
    Then check out Gentleware's Poseidon.
    http://www.gentleware.com/download/Poseidon4umlJWS.jnlp
    It is a commercial version of Tigris.org's ArgoUML, a free UML editor,
    which is webstartable as well:
    http://argouml.tigris.org/files/documents/4/0/0100/ArgoUMLWebStart.jnlp
    Interesting about Poseidon was how they implemented key registration for their JWS app, a common task for commercial applications.
    However Poseidon unwillingly illustrates limitations of the present JWS implementation - this beast is large (about 10-30 MB).
    I loaded it at home via an ISDN link (8KB/s) and it took much time. The download was interrupted several times; I didn't have to start downloading again from zero, because the app is split into several smaller jars, but I still had to reload interrupted jars.
    Some days later it turned out that the disk I had the JWS cache on got full. Thus I wanted to move my precious downloads to another partition, which is not possible. You can't move cache contents elsewhere, so I had to redownload it again later (ouch).
    An interesting bit about ArgoUML is how they speed up their large app by forcing class loading in a background thread. I saw that in their source and want to try out that technique myself soon, perhaps it gives a little speed advantage.
    Regards,
    Marc

  • Java web start security dialog with Java 7 update 51

    I build a Java Web Start application signed with a valid certificate.
    When I start the application the security dialog appears correctly, as shown in this figure
    http://www.java.com/en/img/download/trusted_signed.jpg
    My issue is about the "do not show again" checkbox.
    If the href attribute is present in the jnlp tag of the jnlp file, the checkbox appears.
    If the attribute is not present, the checkbox doesn't appear and the run needs to be confirmed every time.
    (Example:
    <jnlp spec="1.0+" codebase=
    "http://docs.oracle.com/javase/tutorialJWS/samples/deployment/webstart_ComponentArch_DynamicTreeDemo"
    href="dynamictree_webstart.jnlp">
    This is a problem because my jnlp file is under a password protected directory and if href is specified, the Java Web Start application tries to retrieve it as the other resources (resulting in access denied, because only the browser session is authenticated, and the run fails).
    The documentation at Deploying a Java Web Start Application said:
    The codebase and href attributes are optional when deploying Java Web Start applications that will run on at least the Java SE 6 update 18 release or later. You must specify the codebase and href attributes when deploying Java Web Start applications that will run with previous releases of the Java Runtime Environment software.
    What is the right code? With href or without?
    Is this a BUG or a feature?
    How can I show the "don't show again" checkbox without having to specify the href attribute?

    From the documentation at JAR File Manifest Attributes for Security
    If the Application-Library-Allowable-Codebase attribute is present and matches the location from which the RIA is started, then a single host is listed in the Location field for the prompt and the option to hide future prompts is provided.
    This issue is also discussed here: Java Web Start security dialogs with Java 7 update 51 - Stack Overflow

  • I'm getting the following error message when ever I try to start cs6 and the program gets close. "Adobe Photoshop CS6 has stopped working. A problem caused the program to stop working correctly."

    Hi,
    I’m getting the following error message whenever I try to start CS6 and the program gets closed.
    “Adobe Photoshop CS6 has stopped working. A problem caused the program to stop working correctly. Windows will close the program and notify you if a solution is available”
    Please advise what is the problem? and How to sort this out?
    Display adapters:
      and NVIDIA GeForce GT 525M.

    Without the actual crash logs nobody can say, but chances are that your graphics hardware is to blame, so update the driver...
    Mylenium

  • Poll: What is Your Web Start Project of the Year 2003?

    Hi,
    The Saturn Times announced the nominations for the "Web Start Project of the Year 2003" award today.
    The line-up includes:
    * NetX
    * OpenJNLP
    * Xito BootStrap
    * JDistro/Warf
    * Web Application Launcher (WAL)
    * Web Start Services Pack
    * Apollo
    * Rachel
    * Lopica Web Start Tools
    * Vamp Ant Task Suite
    Cast your vote today and help find the winner.
    Full story and pollstation @ http://lopica.sourceforge.net/times/2003/12/poll_what_is_your_web_start_project_of_the_year_2003.html
    - Gerald

    Hi,
    Due to popular demand here are the links to the ten Web Start Project of the Year 2003 contenders for easy reference.
    * NetX online @ http://jnlp.sourceforge.net/netx
    * OpenJNLP online @ http://openjnlp.nanode.org
    * Xito BootStrap online @ http://xito.sourceforge.net/projects/bootstrap
    * JDistro/Wharf @ http://www.jdistro.com
    * Web Application Launcher (WAL) @ http://w-a-l.sourceforge.net
    * Web Start Services Pack @ http://lopica.sourceforge.net/services
    * Apollo @ http://ajax.sourceforge.net/apollo
    * Rachel @ http://rachel.sourceforge.net
    * Lopica Web Start Tools @ http://sourceforge.net/projects/lopica
    * Vamp Ant Task Suite @ http://vamphq.com/ant.html
    - Gerald

  • 2 way communication - talk to server from web start app and vice versa

    I want to send status messages between my web start application and services running on the web server computer. I haven't been able to find any examples on this. Can I communicate over http? Do I need to set up a separate connection to a port and communicate on my own? Any ideas on how to do this?
    thanks

    Roland Tanglao said:
    <blockquote>
    Hi scruffy90:
    You wrote "LG G2 and Samsung Galaxy Note 3. Both on Android 4.4.2 Firefox for Android Ver. 35.0.1 "
    I just tried switching between HSPA+ aka 3G and WiFi on a Galaxy S5 running Android 5 and have had no issues but I think this may have been an issue in the past (I did a search for a bug in bugzilla.mozilla.org but couldn't find anything).
    Are there any other details you could provide that could help us debug?
    e.g.
    # Are you using a proxy?
    # Who is your WiFi provider?
    # Have you tried other WiFi (e.g. the Wifi both at home and work)
    Cheers!
    ...Roland
    </blockquote>
    Hello Roland,
    No proxy on the phone or wi-fi network.
    My ISP is Time Warner, but I supply my own router (Linksys e4200)
    And this happens on every wi-fi network, at home and away from home.

  • I am having problems with my outlook 2011. While i am able to check and SEND email on all my other devices ( Ipad, iphone, Macbook), I am unable to do so with my iMac. This problem started suddenly and the error message i get is error 5.7.8. Please Help

    I am having problems with my Outlook 2011. While I am able to check and SEND email on all my other devices (iPad, iPhone, MacBook), I am unable to send any email with my iMac (I can receive email). This problem started suddenly and the error message I get is error 5.7.8. I have read the threads online and went into settings, even created a new profile, nothing helps... Please advise. Is this something to do with my Keychain Access?

    As Outlook is not an Apple product, you will find more helpers familiar with Outlook here:
    Office for Mac forums

  • Web Services, Schemas, and the xsi:type attribute

    Hi List,
    I have several questions regarding web services, schemas, and the use of the xsi:type
    attribute in messages.
    Schemas:
    Q1: How complex can a web service schema be?
    Q2: Is it reasonable for a schema to contain derived types by extension [1]?
    Q3: Could you use the International Purchase Order Schema [2] with a web service?
    xsi:type
    Q1: Is it reasonable for a web service to use the xsi:type attribute in the message(s)?
    If I am interpreting Section 4.1.15 of the BasicProfile-1.0a [3] correctly, this
    appears to be appropriate in certain circumstances.
    Q2: When is it appropriate to use the xsi:type attribute? If a schema contains
    derived types by extension [1]? If a schema contains xsd:anyType?
    Q3: How does using the xsi:type attribute affect interoperability?
    And finally,
    Q4: Are there any examples available demonstrating the use of the xsi:type attribute
    in messages?
    Whew !!!
    TIA,
    Kent
    [1] http://www.w3.org/TR/xmlschema-0/#DerivExt
    [2] http://www.w3.org/TR/xmlschema-0/#ipo.xsd
    [3] http://www.ws-i.org/Profiles/Basic/2003-08/BasicProfile-1.0a.html

    Hi Kent,
    A few answers inline...
    HTH,
    Bruce
    Kent Kvarfordt wrote:
    > Hi List,
    > I have several questions regarding web services, schemas, and the use of the xsi:type
    > attribute in messages.
    > Schemas:
    > Q1: How complex can a web service schema be?
    There are limits in converting the schema between language
    representations, see this section [a] in the docs on roundtripping
    generated data types.
    [a] http://edocs.bea.com/wls/docs81/webserv/assemble.html#1074725
    > Q2: Is it reasonable for a schema to contain derived types by extension [1]?
    > Q3: Could you use the International Purchase Order Schema [2] with a web service?
    > xsi:type
    > Q1: Is it reasonable for a web service to use the xsi:type attribute in the message(s)?
    > If I am interpreting Section 4.1.15 of the BasicProfile-1.0a [3] correctly, this
    > appears to be appropriate in certain circumstances.
    I've not seen this used.
    http://www.ws-i.org/Profiles/Basic/2003-08/BasicProfile-1.0a.html#refinement34259632
    > Q2: When is it appropriate to use the xsi:type attribute? If a schema contains
    > derived types by extension [1]? If a schema contains xsd:anyType?
    > Q3: How does using the xsi:type attribute affect interoperability?
    My thought is that since this is not commonly used, then your risk of
    interop failure is high.
    > And finally,
    > Q4: Are there any examples available demonstrating the use of the xsi:type attribute
    > in messages?
    Sorry, I looked and could not find any examples.
    > Whew !!!
    > TIA,
    > Kent
    > [1] http://www.w3.org/TR/xmlschema-0/#DerivExt
    > [2] http://www.w3.org/TR/xmlschema-0/#ipo.xsd
    > [3] http://www.ws-i.org/Profiles/Basic/2003-08/BasicProfile-1.0a.html

  • Adobe keeps crashing, you can be on a web page reading and the browser opens the page in a new browser. I did not have this problem the older versions. What can I do to fix this problem.

    adobe keeps crashing, you can be on a web page reading and the browser opens the page in a new browser. I did not have this problem the older versions. What can I do to fix this problem.

    See [[Firefox keeps opening many tabs or windows]]

  • HT4061 I plugged my phone in and contected it to my home wifi to do an update. Now I can not use the phone at all, I held the start button and the enter button to restore it but all i get is the itunes symbol on the front. Is it possible to retrieve pictu

    I just got an Iphone 5, and it requested an update. I plugged it in and connected it to my home wifi and now I can not use it at all. The only thing that shows on the screen is the itunes symbol. I tried to hold the start button and the enter button, but that does nothing. I have pictures and videos on the phone, is there any way to retrieve them?

    Plug it into your computer and restore it. It is in recovery mode. Anything that was on the phone is already gone. If the pictures and videos were not backed up, then there is no way to retrieve them.

  • My MacBook Pro gets really hot when I open a video file of any kind and the video starts lagging and the image fades away, also with anything that starts the fan. Is extremely hot on the left upper corner. Is there something I can do about it?

    My MacBook Pro gets really hot when I open a video file of any kind and the video starts lagging and the image fades away, also with anything that starts the fan. Is extremely hot on the left upper corner. Is there something I can do about it?

    You are still under warranty.  Call Apple Care. Make sure you get a case number as all repairs have an additional 90 days of warranty. 
    #1 - You have 14 days from the date of purchase to return your computer with no questions asked.
    #2 - You have 90 days of FREE phone tech support.
    #3 - You have the standard one year Apple warranty.
    #4 - If you've purchased an AppleCare Protection Plan, your warranty last for 3 years.   You can obtain AppleCare anytime up to the first year of the purchase of your computer.
    Take FULL advantage of your warranty.  Posting on a message board should be done as a last resort and if you are out of warranty or Apple Care has expired.

  • I have downloaded ADE 3 on my macbook.  It did recognize my Aluratek Libre the first time I used it but now it does not.  I plug my libre in start ADE and the Libre does not show up for me to transfer my ebooks from the library to my libre.  Help pls

    I have downloaded ADE 3 on my macbook. It did recognize my Aluratek Libre the first time I used it but now it does not. I plug my libre in start ADE and the Libre does not show up for me to transfer my ebooks from the library to my libre. Help pls

    If you have iTunes 11 on your computer then you can enable the left-hand sidebar on it via option-command-S on a Mac, control-S on a PC - when connected (and if your computer's iTunes is up-to-date) your iPad should then appear on that sidebar under a 'Devices' heading :
    If you select the iPad on that sidebar you can then use the Movies tab on the right-hand side of the iTunes screen to select and sync that film to your iPad's Videos app.
    Has your iPad been synced to the computer before ? If not then you might find this page for syncing to a new computer useful : https://discussions.apple.com/docs/DOC-3141

  • My Ipod touch will not start up and the menu will stay in I tunes!

    My ipod touch will not start up and the menu will stay on menu of Itunes. Who can help me?

    Hi,
    Have you tried a hard reset of your iPod?  Press/hold the home and sleep/wake buttons down until the Apple logo appears. 
    Hope this helps! 
    ---likeabird---

  • My macbook beeps on start up and the screen is grey with the apple logo

    My MacBook beeps on start up and the screen is grey with the Apple logo.

    Usually inside the battery compartment. Check your user manual for instructions on accessing the RAM slots. If you don't have the manual you can download a copy at support.apple.com/manuals/. You will need to know the actual model you have to get the correct manual for it.
