The security model behind rich Internet applications (RIAs) works to protect the user from malicious Internet applications. This topic discusses security aspects that are common to applets and Java Web Start applications. See the following topics for more information:
RIAs can be restricted to the Java security sandbox or request permission to access resources outside the sandbox. The first time an RIA is launched, the user is prompted for permission to run. The dialog shown provides information about the signer's certificate and indicates if the RIA requests permission to run outside the sandbox. The user can then make an informed decision about running the application.
Apply the following guidelines to help secure your RIAs.
all-permissions
element in the JNLP file for the RIA. Otherwise, let the RIA default to running in the security sandbox. The following code snippet shows the all-permissions
element in the RIA's JNLP file.
<security> <all-permissions/> </security>
component-desc
element to include the other JNLP files as component extensions. See
Structure of the JNLP File for information.AccessController.doPrivileged
block. This allows the JavaScript code to run with elevated permissions when executing the code in the doPrivileged
code block.Permissions
and Codebase
attributes in the JAR file manifest to ensure that your RIA requests only the permissions you specify, and that the RIA is accessed from the correct location. See
JAR File Manifest Attributes for Security for information.