This section describes the basics of security for applications deployed through Java Web Start and includes:
Applications launched with Java Web Start are, by default, run in a restricted environment, known as a sandbox. In this sandbox, Java Web Start:
Unsigned JAR files launched by Java Web Start remain in this sandbox, meaning they cannot access local files or the network. See Security in Rich Internet Applications for information.
httpshandler, using the
java.protocol.handler.pkgssystem properties, to initialize defaults for the
HostnameVerifier. It sets the defaults with the methods
If your application uses these two methods, ensure that they are invoked after the Java Web Start initializes the
https handler, otherwise your custom handler will be replaced by the Java Web Start default handler.
You can ensure that your own customized
HostnameVerifiter are used by doing one of the following:
httpshandler, to replace the Java Web Start
httpshandler. For more information, see the document A New Era for Java Protocol Handlers.
HttpsURLConnection.setDefaultHostnameVerifieronly after the first
https URLobject is created, which executes the Java Web Start
httpshandler initialization code first.