Author Archives: Java tuner

Firefox warning for Java plugin

Web Start of unsigned Java apps: .NET to the rescue

Have you already signed your Java applets with a trusted authority certificate? You know you will have to.

Why sign?

This is supposed to provide “numerous security benefits to users”, according to Oracle. Indeed, where someone used to just visit a “get-rich-quick” site and unknowingly start a hidden malicious Java applet, now they will have to confirm that they knowingly agree to start an applet provided by the officially registered “get-rich-quick Pty Limited”.

As for you and me, as publishers of Java applets, how will it protect our good names? Well, the bad guys will not be able to intercept our software and add their viruses to it – unless they want to use their own certificate to sign it with. This is the code repurposing which Oracle aims to prevent. One can argue that the same could be achieved by simply requiring the applets to be delivered only via a secured protocol. And it would be cheaper too, for us. Some people are even questioning whether all this exercise with certificates can achieve much at all…

Oracle used to tell us that “For applets and JNLP applications the best approach is often to leave the jar files unsigned. The application then runs in a sandbox and will not be able to execute any potentially dangerous code” in its Secure Coding Guidelines. Well, no more…

But for now, while you are busy collecting documents for the trusted authority to sell you the code signing certificate, why not have some fun and see if we can deploy a Java application without the help of Java Web Start?

Sample WSDL files for WebLogic Web Services

WebLogic application server provides a vast set of policies, which allow developers to configure various aspects of Web Service behaviour: from supported message security to user authorisation rules. It all goes smoothly when you stay in Oracle space: JDeveloper integrates with your server, server integrates with…

And here you may stumble: in the B2B world, the other party may well be coming from some other smooth operator. Of course, Web Services are based on well-documented standards, but how easy would it be to exactly match a set of Oracle policies to, let’s say, a Microsoft WCF configuration?

To help with such tasks, we show samples of WSDL files produced by WebLogic server under a number of different security policies.