Security and networking enhancements in Java Deployment
In Mustang (Java SE 6), there are many security and networking enhancements in Java Web Start and Java Plug-in that make your deployment more secure and simpler. Let's have a quick look!
New security warning dialog box and more information dialog box
They are the most visible security related changes in Java Web Start and Java Plug-in. Check out Goodbye scary security dialog box! and New user experience in Java Web Start for more details.
Certificate validation enhancements
To enhance the security of our certificate validation algorithm, Java Web Start and Java Plug-in will use the Java Certificate Path APIs, which are compliant with RFC 3280.
Java Web Start and Java Plug-in will also support certificate revocation lists (CRL). Basically, a CRL is a list of certificates that have been revoked by the Certificate Authority. If a certificate contains a CRLDistributionPoints extension, Java Web Start and Java Plug-in will download the CRL from the URI specified in the CRLDistributionPoints extension for certificate validation. There will be a new deployment configuration option to let companies set up their own company-wide CRL to control the certificate validation policy. In addition, Java Web Start and Java Plug-in will support the Online Certificate Status Protocol (OCSP) if the certificate provides an OCSP server URL in its AIA extension. There will also be a deployment configuration option to let companies use their OCSP servers to control the certificate validation policy in the intranet. Both CRL and OCSP support can be enabled or disabled independently from the Java Control Panel.
These improvements should be transparent to most developers and most users. However, if your certificate is not compliant with the RFC standards, especially in the case of a self-generated certificate or a certificate generated by an internal PKI, your signed applications may break. Therefore, it is important to test your applications with the Mustang snapshot, so that you can identify any potential certificate problem early.
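Here is an added example (not code from the Java Deployment team) of checking a signing certificate chain under the same RFC 3280 PKIX rules, with CRL distribution points and OCSP turned on, so that a self-signed or internal-PKI certificate that will be rejected shows up before you deploy. The class name CheckSignerChain, the file chain.pem, the cacerts path and the "changeit" password are assumptions; the two property names are the standard JDK switches, and the try-with-resources syntax needs Java 7 or later.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.Security;
import java.security.cert.*;
import java.util.ArrayList;

public class CheckSignerChain {

    // Standard JDK switches, both off by default: fetch CRLs from the
    // CRLDistributionPoints extension and query the OCSP responder named in
    // the certificate's AIA extension.
    static void enableRevocationChecking() {
        System.setProperty("com.sun.security.enableCRLDP", "true");
        Security.setProperty("ocsp.enable", "true");
    }

    // chainFile: signing certificate followed by its intermediates, leaf first,
    // root omitted (PEM or DER). trustStoreFile: keystore of trusted root CAs,
    // e.g. the JRE's lib/security/cacerts. Both paths are placeholders.
    static PKIXCertPathValidatorResult validate(String chainFile,
            String trustStoreFile, char[] trustStorePassword) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        CertPath path;
        try (InputStream in = new FileInputStream(chainFile)) {
            path = cf.generateCertPath(new ArrayList<Certificate>(cf.generateCertificates(in)));
        }
        KeyStore trust = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(trustStoreFile)) {
            trust.load(in, trustStorePassword);
        }
        PKIXParameters params = new PKIXParameters(trust); // each trusted cert is an anchor
        params.setRevocationEnabled(true);                 // CRL/OCSP consulted in validate()
        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
        return (PKIXCertPathValidatorResult) validator.validate(path, params);
    }

    public static void main(String[] args) throws Exception {
        enableRevocationChecking();
        String cacerts = System.getProperty("java.home") + "/lib/security/cacerts";
        try {
            PKIXCertPathValidatorResult r = validate("chain.pem", cacerts, "changeit".toCharArray());
            System.out.println("Chain OK, anchored at "
                    + r.getTrustAnchor().getTrustedCert().getSubjectX500Principal());
        } catch (CertPathValidatorException e) {
            // getIndex(): position in the path of the certificate that failed, or -1
            System.out.println("Rejected at index " + e.getIndex() + ": " + e.getMessage());
        }
    }
}
```

A chain whose CRL or OCSP responder is unreachable fails validation when revocation checking is enabled, which is the behaviour to expect from the deployment code as well.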
Save password option in login dialog box
Java Web Start and Java Plug-in will give you an option to save the username and password in the login dialog during authentication; if you try to access the same server at a later time in the same session, and previously selected to save your password, your credentials will be forwarded automatically without any additional user interaction. If you did not select to save your password, the login dialog will be pre-filled with the saved username and domain name and the user only has to enter their password. On Windows, Java Web Start and Java Plug-in also recognize the saved username and password in Internet Explorer. For example, if you log in to a web site in Internet Explorer and encounter a Java applet that requires authentication, Java Plug-in will automatically recognize your saved username and password in Internet Explorer and use them for authentication on the Java side, so you won't be prompted for login again.
Screenshot of login dialog box with save password option during Integrated Windows authentication on Windows 2000:
Password protected keystore
Some users may protect their keystores with a password. Java Web Start, Java Plug-in, and Java Control Panel will fully recognize password-protected keystores if any of the deployment keystores (i.e. root CA certificate store, SSL CA certificate store, trusted signing certificate store, trusted SSL certificate store, and client authentication certificate store) is protected.
Screenshot of keystore password dialog box on Windows XP:
Elimination of HTTPS security warning for valid certificate
If the HTTPS server certificate is valid and is verified, Java Web Start and Java Plug-in will no longer show an HTTPS security warning dialog. In the majority of secure server deployments, using a valid server certificate should be the norm, so this change will improve the deployment user experience if your application uses HTTPS. This feature can be enabled or disabled from the Java Control Panel.
Automatic certificate selection in client authentication
Users often have only one client certificate on the system for the purpose of client authentication. To simplify the user experience for client authentication, if there is only one client certificate on the system that matches the requirements in HTTPS client authentication, Java Web Start and Java Plug-in will send the client certificate to the server automatically without prompting the user to select the certificate. This feature can be enabled or disabled from the Java Control Panel.
Automatic proxy detection
Internet Explorer and Mozilla Firefox provide an option that enables web clients to automatically detect proxy settings without user intervention through WPAD (Web Proxy Auto-Discovery Protocol). Java Web Start and Java Plug-in will support this proxy option on all platforms if they are configured to use browser settings and the browser is configured to use WPAD for proxy discovery.
Summary
These security and networking enhancements in Java Web Start and Java Plug-in should improve your overall deployment experience in Mustang. Most of the enhancements are already integrated into Mustang, except "Save password option in login dialog" and "Elimination of HTTPS security warning for valid certificate". The remaining enhancements will be available in a Mustang snapshot in a few weeks. If you are interested in these enhancements, I encourage you to download the Mustang snapshot today to try them out!
Note: Thanks to Dennis Gu and Ashley Woodsom in the Java Deployment team for making these enhancements happen. Dennis is the main contributor for the "Certificate validation enhancements", "Password protected keystore", and "Automatic certificate selection in client authentication" support; Ashley is the main contributor for the "Automatic proxy detection" and the upcoming "Save password option in login dialog box" support.