Security ConstraintsSecurity ConstraintsThe JavaHelp System libraries might encounter the following security restrictions when used within the confines of a SecurityManager (such as is imposed for Java Web Start apps.). The restrictions can be relaxed by requesting extended permissions within the JNLP file - if the user (or their system) refuses the extended permissions, the app. will not make it to screen.
| Permissions | sandboxed | j2ee-app-client | all |
|---|---|---|---|
| Use 'favorites' for HelpSets. | no | no | yes |
Access 'unsafe' properties (e.g. user.dir/user.home).
This seems to apply only to jhall.jar, which is used by a variety of CLI based
applications.
|
no | no | yes |
| Establish new classloader | no | no | yes |
File access (JFileChooser/File)
|
no | no | yes |
File access (FileOpenService/FileContents)
|
prompted | yes | yes |
| Access URLs from foreign hosts | prompted * | yes | yes |
| Access print services | prompted * | yes | yes |
Suppress Java Application Window banner on root level
(frame, dialog, window, pop-up..) containers.
|
no | yes | yes |
| Always makes it to screen. Not potentially blocked by end-user or their system. ** | yes | no | no |
* The 'prompted' access to foreign URLs and printing has been tested in Java 1.6 for Win based machines, but not in earlier versions or on other platforms.
** Users will usually be prompted to run JNLP descriptors that call for extended permissions.
The sudden appearance of a dialog asking for 'full access' can make some users hesitate to proceed. It is best to forewarn the user that the help will prompt for extended permissions, and the reasons for doing so '..these help files require extended access, so the help system can remember your favorites!'.
Note that word 'usually'. This alludes to the fact the the Plug-In might be configured (by the end-user, or their System Administrator) to refuse extended priviliges, or extended priviliges where the code is signed using an invalid security certificate or a certificate that was not verified by a CA (e.g. self-signed security certificates). This is not how Java comes 'out-of-the-box', but expect some systems to have limits to the privileges that will be granted to Java code.
For these reasons, it is a good idea to offer a fully sandboxed JNLP launch for the help right alongside the versions that require extended permissions, if at all possible.
These pages represent a project aimed at getting JWS hosting of JavaHelp, at the JavaHelp home site. They are made in the form they might eventually appear at the JavaHelp site, and as such, sometimes give false or misleading information.
Note to JavaHelp content developers:
Remove this message from src/conf/fragments/html.page.bottom.htmlf
before generating the build for the JavaHelp site proper!
JavaHelp ® TM of
Sun Microsystems, Inc.
JWS deployment/web pages brought to you by
Andrew Thompson of
PSCode.org.