Security Problem in Web Start?
My reading of the Java Web Start documentation says that only system properties that are set in the JNLP are passed into the application, EXCEPT for those properties that start with the prefix "javaws". This makes sense because it should prevent a user from starting a web start app from the command-line and passing any old argument to the VM. The JNLP, hence application author, therefore defines the non-secure properties that are passed.
However, it is trivial for a user to download the JNLP file from the server and edit it at will. The user can then launch the web start application by running the newly edited JNLP file. This is the part I don't understand. If the user can edit the JNLP and add/remove/change system properties then why does Sun even define the 'secure' "javaws." property prefix in the first place? Am I missing something? Is there a flag I can set on the server application to prevent a client from running with a modified JNLP file?
Thank You,
Eric
