Sun Java System Application Server Platform Edition 9 Developer's Guide

Signing JAR Files Used in Java Web Start

Java Web Start enforces a security sandbox. By default it grants any application, including application clients, only minimal privileges. Because Java Web Start applications can be so easily downloaded, Java Web Start provides protection from potentially harmful programs that might be accessible over the network. If an application requires a higher privilege level than the sandbox permits, the code that needs privileges must be in a JAR file that was signed. When Java Web Start downloads such a signed JAR file, it displays information about the certificate that was used to sign the JAR, and it asks you whether you want to trust that signed code. If you agree, the code receives elevated permissions and runs. If you reject the signed code, Java Web Start does not start the downloaded application.

The Application Server serves two types of signed JAR files in response to Java Web Start requests. One type is a JAR file installed as part of the Application Server, which starts an application client during a Java Web Start launch: install-dir/lib/appserv-jwsacc.jar.

The other type is a generated application client JAR file. As part of deployment, the Application Server generates a new application client JAR file that contains classes, resources, and descriptors needed to run the application client on end-user systems. When you deploy an application with the asadmin deploy command's --retrieve option, use the asadmin get-client-stubs command, or select the Generate RMIStubs option in the Admin Console, this is the JAR file retrieved to your system. Because application clients need access beyond the minimal sandbox permissions to work in the Java Web Start environment, the generated application client JAR file must be signed before it can be downloaded to and executed on an end-user system.

A JAR file can be signed automatically or manually. The following sections describe the ways of signing JAR files.

Automatically Signing JAR Files

The Application Server automatically creates a signed version of the required JAR file if none exists. When a Java Web Start request for the appserv-jwsacc.jar file arrives, the Application Server looks for domain-dir/java-web-start/appserv-jwsacc.jar. When a request for an application's generated application client JAR file arrives, the Application Server looks in the directory domain-dir/java-web-start/app-name for a file with the same name as the generated JAR file created during deployment.

In either case, if the requested signed JAR file is absent or older than its unsigned counterpart, the Application Server creates a signed version of the JAR file automatically and deposits it in the relevant directory. Whether the Application Server just signed the JAR file or not, it serves the file from the domain-dir/java-web-start directory tree in response to the Java Web Start request.

To sign these JAR files, the Application Server uses its self-signed certificate. When you create a new domain, either by installing the Application Server or by using the asadmin create-domain command, the Application Server creates a self-signed certificate and adds it to the domain's key store.

A self-signed certificate is generally untrustworthy because no certification authority vouches for its authenticity. The automatic signing feature uses the same certificate to create all required signed JAR files. To sign different JAR files with different certificates, do the signing manually.

Manually Signing appserv-jwsacc.jar

You can sign the appserv-jwsacc.jar file manually any time after you have installed the Application Server. Copy the unsigned file from install-dir/lib to a different working directory and use the jarsigner command provided with the JDK to create a signed version of exactly the same name using your certificate. Then manually copy the signed file into domain-dir/java-web-start. From then on, the Application Server serves the JAR file signed with your certificate whenever a Java Web Start request asks that domain for the appserv-jwsacc.jar file. Note that you can sign each domain's appserv-jwsacc.jar file differently.

Remember that if you create a new domain and do not sign appserv-jwsacc.jar manually for that domain, the Application Server creates an auto-signed version of it for use by the new domain. Also, if you create a domain-specific signed appserv-jwsacc.jar, delete the domain, and then create a new domain with the same name as the just-deleted domain, the Application Server does not remember the earlier signed appserv-jwsacc.jar. You must recreate the manually signed version.

Manually Signing the Generated Application Client JAR File

You can sign the generated application client JAR file for an application any time after you have deployed the application. As you deploy the application, you can specify the asadmin deploy command's --retrieve option or select the Generate RMIStubs option in the Admin Console. Doing either of these tasks returns a copy of the generated application client JAR file to a directory you specify. Or, after you have deployed an application, you can download the generated application client JAR file using the asadmin get-client-stubs command.

Once you have a copy of the generated application client JAR file, you can sign it using the jarsigner tool and your certificate. Then place the signed JAR file in the domain-dir/java-web-start/app-name directory. You do not need to restart the server to start using the new signed JAR file.