The Java Tutorials have been written for JDK 8. Examples and practices described in this page don't take advantage of improvements introduced in later releases and might use technology no longer available.
See Java Language Changes for a summary of updated language features in Java SE 9 and subsequent releases.
See JDK Release Notes for information about new features, enhancements, and removed or deprecated options for all JDK releases.
This section describes the basics of security for applications deployed through Java Web Start and includes:
Applications launched with Java Web Start are, by default, run in a restricted environment, known as a sandbox. In this sandbox, Java Web Start:
Sandbox applications that are launched by Java Web Start remain in this sandbox, meaning they cannot access local files or the network. See Security in Rich Internet Applications for information.
Java Web Start dynamically imports certificates as browsers typically do. To do this, Java Web Start sets its own https
handler, using the java.protocol.handler.pkgs
system properties, to initialize defaults for the
SSLSocketFactory
and
HostnameVerifier
. It sets the defaults with the methods
HttpsURLConnection.setDefaultSSLSocketFactory
and
HttpsURLConnection.setDefaultHostnameVerifier
.
If your application uses these two methods, ensure that they are invoked after the Java Web Start initializes the https
handler, otherwise your custom handler will be replaced by the Java Web Start default handler.
You can ensure that your own customized SSLSocketFactory
and HostnameVerifiter
are used by doing one of the following:
https
handler, to replace the Java Web Start https
handler.HttpsURLConnection.setDefaultSSLSocketFactory
or HttpsURLConnection.setDefaultHostnameVerifier
only after the first https URL
object is created, which executes the Java Web Start https
handler initialization code first.