GlassFish, Java Web Start, and Java 7 update 21 security changes

This week Oracle released Java 7 update 21. Among other things, this release tightens security for applications launched using Java Web Start. For several releases GlassFish has included automatic support for launching Java EE app clients using Java Web Start. If you use this feature - or if you deploy applications which provide their own Java Web Start applications - you should be aware of the changes in this latest release of Java and how they affect you and your end-users.

What is changing?

Java 7u21 enforces stricter security on applications launched using Java Web Start. Specifically, such applications must be digitally signed or Java will not even allow you to launch them at the minimum recommended Java security setting. The automatic GlassFish support for launching app clients using Java Web Start already signs the application automatically so end-users will continue to be able to launch app clients this way, depending on their Java security settings.

What will end-users see?

Go to this page for descriptions and illustrations of the complete set of Java security screens end-users might see in different situations. The Java Control Panel allows security settings for medium, high (minimum recommend), and very high levels:
high-level security setting

If you use the GlassFish Java Web Start feature out-of-the-box, end-user systems at "high" running your app clients will see a warning screen like this during launch, immediately after the download and verification completes:
untrusted warning at launch
A user must click in the check-box and then click on Run to launch the app client. Java asks users to confirm this because, by default, GlassFish uses a self-signed certificate to sign the downloaded files. As a self-signed cert it is not linked to a trusted certificate authority, end-users really cannot be certain that the app - even though it is signed - can be trusted. If a user so chooses he or she can accept the risk and continue with the launch.

If the end-user system is running at "Very High" Java security a user will not be able to launch app clients signed using the GlassFish self-signed certificate. They will see an error like this:
self-signed cert launch failure at high-level

What should administrators and developers do?

If you use the GlassFish Java Web Start feature we strongly recommend that you do the following:

  1. If your organization does not already have one, get a trusted certificate from a certificate authority. (See the "signed code" link in the More Information section below.)

  2. Stop your GlassFish servers. Replace the GlassFish self-signed certificate with your trusted certificate by importing the trusted cert into the GlassFish keystore using the "s1as" alias. The keystore is, by default, located at ${domainDir}/config/keystore.jks.

  3. Delete signed JARs which GlassFish has already prepared on the server:

    1. rm -rf ${domainDir}/java_web_start

    2. For each application containing an app client launched using Java Web Start, 
      rm -rf ${domainDir}/generated/xml/${appName}/signed

    3. Restart your GlassFish servers.

  4. Once you have done #3, make sure your end-user systems are running with the "Very High" Java security setting.

The first time any user launches an app client using Java Web Start, GlassFish will regenerate the signed GlassFish system JARs and the JARs for that app client. This happens only once.  You do not have to redeploy applications.

What will end-users see the first time they launch an app client after restarting GlassFish?

Java Web Start on each end-user system will detect that the server's signed JARs are more recent than those cached on the end-user system, so it will download them again. Depending on network speed this can take some time but this happens only for the first launch from that server regardless of the client. After this refresh subsequent launches of the same or other app clients from the same server will be much faster.

Even though the app client is now signed using a trusted certificate, as of Java 7u21 Java Web Start will still ask the user whether to trust the downloaded application. Users can choose to skip that prompt during future launches that use the same certificate from the same server by clicking the "Do not show this again…" checkbox. (Not shown on the illustrations in this posting. See this link for examples.)

What will end-users see after that?

An end-user will continue to see the prompt to trust the certificate each time they launch an app client unless he or she opts to skip the prompts by clicking the checkbox.

Where is more information?

Visit these links for more information about the changes:

Java SE 7 update 21
Signed code
Java SE 7 security dialogs


A very nicely written article with good links to important information. Thanks for taking the time to write this up in such good detail.

Posted by John Yeary on April 25, 2013 at 09:43 PM CDT #

Post a Comment:
  • HTML Syntax: NOT allowed

News and musings on the technology I work on at Oracle.

The views expressed on this blog are my own and do not necessarily reflect the views of Oracle.


« June 2016