


Stanley Ho

Stanley Ho's Blog

Security and networking enhancements in Java Deployment

Posted by stanleyh on June 13, 2005 at 02:02 PM | Comments (6)

In Mustang (JavaSE 6), there are many security and networking enhancements in Java Web Start and Java Plug-in that make your deployment more secure and simple. Let's have a quick look!

New security warning dialog box and more information dialog box

They are the most visible security related changes in Java Web Start and Java Plug-in. Check out Goodbye scary security dialog box! and New user experience in Java Web Start for more details.

Certificate validation enhancements

To strengthen certificate validation, Java Web Start and Java Plug-in will use the Java Certificate Path APIs, which are compliant with RFC 3280.

Java Web Start and Java Plug-in will also support certificate revocation lists (CRLs). A CRL is a list of certificates that have been revoked by the Certificate Authority. If a certificate contains a CRLDistributionPoints extension, Java Web Start and Java Plug-in will download the CRL from the URI specified in that extension and use it for certificate validation. There will be a new deployment configuration option to let companies set up their own company-wide CRL to control the certificate validation policy. In addition, Java Web Start and Java Plug-in will support the Online Certificate Status Protocol (OCSP) if the certificate provides an OCSP server URL in its AIA extension. There will also be a deployment configuration option to let companies use their own OCSP servers to control the certificate validation policy on the intranet. CRL and OCSP support can each be enabled or disabled independently from the Java Control Panel.

These improvements should be transparent to most developers and most users. However, if your certificate is not compliant with the RFC standards, which is most likely with self-generated certificates or certificates generated by an internal PKI, your signed applications may break. Therefore, it is important to test your applications with the Mustang snapshot, so you can identify any potential certificate problems early.
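One way to check a signing chain ahead of time, as an added example that is not code from Java Web Start or Java Plug-in: it runs the chain through the same standard PKIX Certification Path validator with CRL and OCSP checking switched on. It is written for a current JDK; the class name and the two file arguments are assumptions, and the two property names are those of the Sun/Oracle PKIX provider.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.Security;
import java.security.cert.*;
import java.util.*;

public class ChainCheck {
    // Reads every X.509 certificate (PEM or DER) from a file.
    static List<X509Certificate> load(String path) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> out = new ArrayList<>();
        try (InputStream in = new FileInputStream(path)) {
            for (Certificate c : cf.generateCertificates(in)) out.add((X509Certificate) c);
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        // Assumed arguments: args[0] = signer chain, leaf first, without the root;
        // args[1] = trusted root certificate(s).
        List<X509Certificate> chain = load(args[0]);
        Set<TrustAnchor> anchors = new HashSet<>();
        for (X509Certificate root : load(args[1])) anchors.add(new TrustAnchor(root, null));

        PKIXParameters params = new PKIXParameters(anchors);
        params.setRevocationEnabled(true);                           // require a revocation status
        System.setProperty("com.sun.security.enableCRLDP", "true"); // fetch CRLs named in CRLDistributionPoints
        Security.setProperty("ocsp.enable", "true");                // ask the OCSP responder named in AIA

        CertPath path = CertificateFactory.getInstance("X.509").generateCertPath(chain);
        try {
            CertPathValidator.getInstance("PKIX").validate(path, params);
            System.out.println("OK: chain validates under PKIX rules with revocation checking");
        } catch (CertPathValidatorException e) {
            // getIndex() is the position in the path of the failing certificate, or -1.
            int i = e.getIndex();
            String who = i >= 0 ? chain.get(i).getSubjectX500Principal().getName()
                                : "(path as a whole)";
            System.out.println("FAIL at " + who + ": " + e.getMessage());
            System.exit(1);
        }
    }
}
```

A chain from an internal PKI that carries neither a CRLDistributionPoints nor an AIA extension fails here because no revocation status can be determined, which is worth knowing before the stricter validation reaches users.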

Save password option in login dialog box

Java Web Start and Java Plug-in will give you an option to save the username and password in the login dialog during authentication. If you previously selected to save your password and you access the same server again later in the same session, your credentials will be forwarded automatically without any additional user interaction. If you did not select to save your password, the login dialog will be pre-filled with the saved username and domain name, and you only have to enter your password. On Windows, Java Web Start and Java Plug-in also recognize the username and password saved in Internet Explorer. For example, if you log in to a web site in Internet Explorer and encounter a Java applet that requires authentication, Java Plug-in will automatically recognize the username and password saved in Internet Explorer and use them for authentication on the Java side, so you won't be prompted to log in again.

Screenshot of login dialog box with save password option during Integrated Windows authentication on Windows 2000:


Password protected keystore

Some users may protect their keystores with a password. Java Web Start, Java Plug-in, and Java Control Panel will fully recognize password-protected keystores if any of the deployment keystores (i.e. root CA certificate store, SSL CA certificate store, trusted signing certificate store, trusted SSL certificate store, and client authentication certificate store) is protected.

Screenshot of keystore password dialog box on Windows XP:


Elimination of HTTPS security warning for valid certificate

If the HTTPS server certificate is valid and is verified, Java Web Start and Java Plug-in will no longer show an HTTPS security warning dialog. In the majority of secure server deployments, using a valid server certificate should be the norm, so this change will improve the deployment user experience if your application uses HTTPS. This feature can be enabled or disabled from the Java Control Panel.

Automatic certificate selection in client authentication

Users often have only one client certificate on the system for the purpose of client authentication. To simplify the user experience for client authentication, if there is only one client certificate on the system that matches the requirements in HTTPS client authentication, Java Web Start and Java Plug-in will send the client certificate to the server automatically without prompting the user to select the certificate. This feature can be enabled or disabled from the Java Control Panel.

Automatic proxy detection

Internet Explorer and Mozilla Firefox provide an option that enables web clients to automatically detect proxy settings without user intervention through WPAD (Web Proxy Auto-Discovery Protocol). Java Web Start and Java Plug-in will support this proxy option on all platforms if they are configured to use browser settings and the browser is configured to use WPAD for proxy discovery.

Summary

These security and networking enhancements in Java Web Start and Java Plug-in should improve your overall deployment experience in Mustang. Most of the enhancements are already integrated into Mustang, except "Save password option in login dialog" and "Elimination of HTTPS security warning for valid certificate". The remaining enhancements will be available in a Mustang snapshot in a few weeks. If you are interested in these enhancements, I encourage you to download the Mustang snapshot today to try them out!

- Stanley


Note: Thanks to Dennis Gu and Ashley Woodsom in the Java Deployment team for making these enhancements happen. Dennis is the main contributor for the "Certificate validation enhancements", "Password protected keystore", and "Automatic certificate selection in client authentication" support; Ashley is the main contributor for the "Automatic proxy detection" and the upcoming "Save password option in login dialog box" support.


Comments

  • I'm very pleased to see so many updates to JWS lately. One enhancement that needs a bit more work is the SocketService; it is making duplicate DNS requests and prompting the user twice (at least it does in 1.6 build 37). The big problem is the 2nd request is a reverse lookup that will probably fail more than it will succeed because a large number of Internet servers do not have the in-addr.arpa domain configured to resolve properly.

    This is already accepted as a bug:
    http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6280269

    but I don't know what 'In Progress' means. It's taken 2 years to get the SocketService capability and I hope it won't take another 2 years to fix this bug.

    Cheers.

    Posted by: markswanson on June 13, 2005 at 03:19 PM

  • Sounds like some good improvements.

    A similar enhancement that I would also like to see is J2SE desktop applications being able to automatically use the proxy settings of the system. Maybe by setting a system property to turn this behaviour off/on. As it stands now, users are forced to manually configure every Java application to use their proxy settings. It would simplify things greatly if Java could just pull this info from the system and use it.

    Posted by: dustin on June 14, 2005 at 11:38 AM

  • Stanley--glad to hear progress is being made. I have one outstanding issue with WebStart, and one feature request. Wondering where to post these? I sent the issue in with a form I found related to WebStart on this site I think, but never heard back. The issue is that a jar referenced by a given URL in two different JNLP files is loaded by both JNLP files. This is counter-intuitive, I would expect the JAR to be loaded just once, then used from cache on the second JNLP--this came up in working on demos for JDNC, and trying to speed up demo downloading. Second, I had a request, wondering why JNLP does not seem to be multi-threading the downloads, e.g. downloading more than one resource at once? This makes much more sense to me, but at least from the progress bar it looks like they are loaded sequentially. At least this could be an option in a client's webstart configuration, so that people with big pipes and decent machines could download more quickly. Anyway, wondering where to post these. Thanks Patrick

    Posted by: pdoubleya on June 15, 2005 at 03:10 AM

  • Hi markswanson,
    6280269 is a side effect in the implementation of the SocketService, and it is in our bug-to-be-fixed queue for Mustang.

    - Stanley

    Posted by: stanleyh on June 15, 2005 at 10:14 AM

  • Hi dustin,

    I would like to see such a system property too; it is already on the feature radar of our networking team.
    - Stanley

    Posted by: stanleyh on June 15, 2005 at 10:16 AM

  • Hi pdoubleya,

    For the first issue, the problem could be caused by several factors. You may want to send a more detailed email to http://java.sun.com/docs/forms/javaws-sendusmail.html, and the Java Web Start team will follow up.

    For the second issue, the current version of Java Web Start only downloads files sequentially. We have looked into simultaneous download before; while it improves performance in some cases, there are many cases where it actually degrades the performance significantly. Thus, using more than one connection to download files should be determined on a case-by-case basis. We plan to look into this further in a future release.
    - Stanley

    Posted by: stanleyh on June 15, 2005 at 12:08 PM




