Java Rich Internet Applications Guide > Security > Preventing RIAs from Being Repurposed
The following topics are covered:
The following attributes for the JAR file manifest were introduced in the JDK 7u25 release to defend RIAs against unauthorized code repurposing:
Permissions Attribute -Verifies that the RIA requests the permission level that you intended.
If this attribute is not present, it might be possible for an attacker to exploit a user by re-deploying an application that is signed with your certificate, and running the application at a different privilege level.
Codebase Attribute - Verifies that the RIA is run from the location that you intended.
If the Codebase attribute does not specify a secure server, such as HTTPS, some risk exists that your code could be repurposed in Man-in-the-Middle (MITM) attack schemes.
If you have a RIA that runs in the security sandbox and is expected to be accessed from https://example.com
, add the following attributes to the manifest:
Permissions: sandbox Codebase: https://example.com
If the RIA is also available from example.backup.com:8080
, include both domains for the Codebase
attribute:
Codebase: https://example.com example.backup.com:8080
See JAR File Manifest Attributes for Security for information on other manifest attributes that are available.
For information on adding attributes to the JAR file manifest, see Modifying a Manifest File in the Java Tutorial.