It's not a secret anymore!
The moose likes JNLP and Web Start and the fly likes Webstart and directory security Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login
JavaRanch » Java Forums » Java » JNLP and Web Start
Bookmark "Webstart and directory security" Watch "Webstart and directory security" New topic

Webstart and directory security

Steve Wood
Ranch Hand

Joined: Jan 08, 2003
Posts: 137
Hi guys,

I'm really struggling to get this going.

Basically we have an application that uses web start. You log into the system using form based authentication in tomcat. The trouble is: web start doesn't seem to work using this authentication. It gives some error saying that the cached jnlp which internet explorer downloads temporarily, can't be found.

Basically, I'd like to have a single login. If you're logged into the website, you can use web start. If you're not, you're prompted to log in. Is this really as difficult as I think?

Any help is greatly appreciated.


Cristian Negresco
Ranch Hand

Joined: Sep 15, 2001
Posts: 182

The Form based authentication caries an authentication cookie with each browser request in order to authenticate the user to the Web container. The problem with JWS access to protected jars is that JWS doesn't have the browser cookie so that to authenticate its requests.
Anyway what I would do is:
- ask for "confidential" transport when accessing the login page. This way the username & password will not be transferred in clear text
- protect the *.jnlp files by associating them with a security constraint which maps at least to "user" and ask for "confidential" transport so that the authentication cookie will not be sent in cler
- allow public access to the jars. You could still use https if you have jws1.3 or jws1.4

If you don't feel comfortable with public access you might try to make you own transfer and authentication handler. It should work but it might ask some time.

I agree. Here's the link:
subject: Webstart and directory security
It's not a secret anymore!