Recently we had a security audit which spotted a vulnerability in our system.
We have a custom, very simple webserver which we use for serving resources (HTML help files, images, jar files).
The application we have is a Java Web Start one; the JNLP is generated on the server and, when loaded in the browser, it calls our webserver to download the jar files it needs for the application. At the end, when the application starts, the user is prompted with the login screen.
But you can type in the browser and be able to download any of the jars the JNLP does behind the scenes, and this fact is regarded as a security vulnerability. The main concern is that a non-authenticated user can access our jar files without having a valid account.
My question would be:
1. Is the security vulnerability claim justified, since the jar files need to reach the client machine before the login screen?
2. If the concern is justified, how can I secure access to the application jar files?
Thank you –
Marius
Without knowing what you are ultimately trying to protect, I don’t know if exposing the JNLP resources is a security vulnerability. However, if you absolutely need to restrict access to JNLP resources to authenticated users, I believe you could conduct the whole Java Web Start session over SSL with mutual authentication. Of course, this means certificate exchange and installation for both parties.
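As an added illustration of the mutually-authenticated TLS approach suggested in the answer (example code, not from the question, the answer, or the poster's webserver): a servlet filter that only serves the jar resources once the container has completed TLS client authentication. It assumes the custom webserver is, or is replaced by, a servlet container (Tomcat or Jetty) with client-certificate authentication enabled on the HTTPS connector, and that the jars are mapped under a hypothetical `/jars/` path.

```java
// Added example: gate /jars/* behind TLS client authentication.
// Assumes a servlet container with clientAuth enabled on the HTTPS connector
// and the Web Start jar files served under the hypothetical /jars/ path.
import java.io.IOException;
import java.security.cert.X509Certificate;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletResponse;

@WebFilter("/jars/*")
public class JarAccessFilter implements Filter {
    // Request attribute defined by the Servlet specification: the client
    // certificate chain presented during the TLS handshake, if any.
    private static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    @Override
    public void init(FilterConfig cfg) {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletResponse resp = (HttpServletResponse) res;

        // Plain HTTP carries no client identity: refuse it outright.
        if (!req.isSecure()) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "TLS required");
            return;
        }

        // Without a client certificate the container did not authenticate
        // the caller, so the jar must not be served.
        X509Certificate[] certs = (X509Certificate[]) req.getAttribute(CERT_ATTR);
        if (certs == null || certs.length == 0) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "client certificate required");
            return;
        }

        // The container has already validated the chain against its truststore;
        // certs[0].getSubjectX500Principal() can be checked against an allow-list here.
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() {}
}
```

The JNLP itself must then point at the HTTPS URL of the jars, and the user's browser or Java runtime must hold the client certificate, which is the certificate exchange and installation the answer refers to.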