Web start security

[Guruprasad Ramarao <prasadg75 () yahoo com>]

Hi,
I am working on a project to convert/migrate an existing web application to use java web start technology.(one of the 
reason for migration is to remove extensive use of javascript in web application and use java instead)
Web-application was password protected with JAAS login module and also access to the same was over https.
Is there a mechanism to provide similar security in Java web start?
I am aware of code signing, this will provide authenticity to the jar file downloaded and also ensure the jar files 
dont(hopefully this is the case) get tampered on client box.
Are there any mechanism of providing password protection for web start application?
I tried putting JNLP in web application and configured web.xml to protect the same, but this fails, i hit with 'missing 
tag exception:<jnlp>'. 
Also are there any security vulnerabilities using java web start technology? 


-
Thanks,
Gp