如何对从Tomcat服务器访问服务的JNLP应用程序进行签名？

Question

I am new to security part of any application. I have very basic knowledge about digital certificate. I heard that applications like Applets & Java web start that runs in client machine and access its service from a remote machine needs to digitally signed in-order to perform the activities without any restrictions.

I am having one Java web start application which is not yet signed, shows some security warning each time it is accessed by the users.

Following is the details of my Java web start application.

1. Application uses Java web-start technology which communicates with the Servlets running on Tomcat7.
2. DB is SQL Server 2012.
3. Server Machine: Windows 64 bit 2008 R2 Enterprise Server.
4. Java 7 update 25 64 bit
5. All the files(JNLP, jarfiles) needed for the JWS-app and the Web-app is packed as a single war file and deployed to Tomcat7.

Can anyone provide some idea for following queries:

1. Is signing the jar files in application is only way to avoid the security warning?
2. Does signing jar file cost? Is there any way sign the jars for free?
3. Currently the services which runs on Tomcat7 as a JavaEE application is accessed by Web start application through http connection. Do I need to use https instead of http once the jars are signed?
4. I found that I need to add the following tag to .jnlp file: <security><all-permissions/></security>
5. Apart from above change is there anything else that I need to make in Java or xml files?

Note: We are getting some connection reset error for the users who access the application through internet. We notice this error after upgrading the java version from Java5 to Java7. Read some where that the security policy has been changed and now downloading unsigned jar files over network has some issue. But not exactly sure whether the error is due to the upgrade to java version or some changes to application code, since we don't have any exceptions in log file other than Connection reset.

Thanks in advance

Answer 1

The digital signature was generated with an untrusted certificate.

This is telling.

Is signing the jar files in application is only way to avoid the security warning?

The Jars are apparently already digitally signed, but with an unverified certificate.

An unsigned app. would have a different warning (and Oracle has warned that in future, they will be defaulting the JVM to not run them at all).

An app. signed with a verified certificate will produce much the same warning as you are currently seeing, except the 'Publisher:' would be listed, and if the user ticks 'always allow' (which apparently no longer appears on self signed or unsigned code), the JRE will store and remember that decision.

Does signing jar file cost? Is there any way sign the jars for free?

The answer to the second question is 'how much does it cost you now?' The answer to the first is 'yes'.

Currently the services which runs on Tomcat7 as a JavaEE application is accessed by Web start application through http connection. Do I need to use https instead of http once the jars are signed?

No.

I found that I need to add the following tag to .jnlp file: <security><all-permissions/></security> Apart from above change is there anything else that I need to make in Java or xml files?

I doubt you need to specify that. Even a sand-boxed app. can 'phone home' to the same server. If digitally signed using a trusted certificate, the warnings will be more mild.

---

One thing you need to keep uppermost in your mind, is that all this security is not for the convenience of the developer, but the safety of the end user (and user confidence in the plug-in). So when you try to find 'room to squirm out of it' you are effectively trying to find security bugs in the JRE.

If you do find one, please let us know so we can raise a high priority bug report with Oracle, and get it fixed.