Rich Internet Applications Development and Deployment > Preventing RIAs from Being Repurposed
Contents
The JDK 7u25 release introduces the Permissions and Codebase attributes for the JAR file manifest to defend RIAs against unauthorized code repurposing. Add these attributes to verify that the RIA is requesting the correct permissions level and is accessed from the correct location when the RIA is started. If the Permissions attribute is not present, it might be possible for an attacker to exploit a user by re-deploying an application that is signed with your certificate, and running the application at a different privilege level.
When these attributes are not present in the manifest, a warning is written to the Java Console, similar to "Missing Codebase manifest attribute for: http://www.example.com/myApplet.jar".
Permissions and Codebase attributes with signed JAR files for applets and Java Web Start applications. These attributes are ignored for stand-alone Java applications.
The Permissions attribute is used to verify that the permissions level requested by the RIA when it runs matches the permissions level that was set when the JAR file was created. Set this attribute to one of the following values:
sandbox - Indicates that the RIA runs in the security sandbox and does not require additional permissions.
all-permissions - Indicates that the RIA requires access to the user's system resources.
This value must match the permission level requested in the JNLP file or the applet tag, otherwise, an error is shown and the RIA is not run. If the attribute is not present, a warning is written to the Java Console and the permissions specified for the applet tag or JNLP file is used.
The Codebase attribute is used to restrict the code base of the JAR to specific domains.
Note: If the Codebase attribute does not specify a secure server, such as HTTPS, some risk exists that your code could be repurposed in Man-in-the-Middle (MITM) attack schemes.
Set this attribute to either the domain name or IP address where the application is located. A port number can also be included. For multiple locations, separate the values with a space. An asterisk (*) can be used as a wildcard only at the beginning of the domain name. The following table shows sample values and what they match.
Value |
Matches |
Does Not Match |
|---|---|---|
| * | All domains | |
| www.example.com | http://www.example.com, https://www.example.com |
http://example.com http://example.net |
| www.example.com:8085 | http://www.example.com:8085, https://www.example.com:8085 | http://www.example.com |
| *.example.com | http://a.example.com, https://a.example.com http://a.b.example.com, https://a.b.example.com http://example.com, https://example.com |
http://example.net |
| http://*.example.com | http://a.example.com http://a.b.example.com |
https://a.example.com |
| 127.0.0.1 | http://127.0.0.1 http://127.0.0.1:8080 http://127.0.0.1:80 |
http://localhost |
| 127.0.0.1:8080 | http://127.0.0.1:8080 | http://127.0.0.1 http://127.0.0.1:80 |
The value of the Codebase attribute must match the following items:
Otherwise, an error is shown and the RIA is not run. If the attribute is not present, a warning is written to the Java Console and the code base specified for the applet tag or JNLP file is used.
If you have a RIA that runs in the security sandbox and is expected to be accessed from mySamples.com, add the following attributes to the manifest:
Permissions: sandbox Codebase: mySamples.com
If the RIA is also available from samplesBackup.com:8080, include both domains for the Codebase attribute:
Codebase: mySamples.com samplesBackup.com:8080
For information on adding attributes to the JAR manifest file, see Modifying a Manifest File in the Java Tutorial.
