Basically we have an application that uses web start. You log into the system using form based authentication in tomcat. The trouble is: web start doesn't seem to work using this authentication. It gives some error saying that the cached jnlp which internet explorer downloads temporarily, can't be found.
Basically, I'd like to have a single login. If you're logged into the website, you can use web start. If you're not, you're prompted to log in. Is this really as difficult as I think?
The Form based authentication caries an authentication cookie with each browser request in order to authenticate the user to the Web container. The problem with JWS access to protected jars is that JWS doesn't have the browser cookie so that to authenticate its requests. Anyway what I would do is: - ask for "confidential" transport when accessing the login page. This way the username & password will not be transferred in clear text - protect the *.jnlp files by associating them with a security constraint which maps at least to "user" and ask for "confidential" transport so that the authentication cookie will not be sent in cler - allow public access to the jars. You could still use https if you have jws1.3 or jws1.4
If you don't feel comfortable with public access you might try to make you own transfer and authentication handler. It should work but it might ask some time.