Webstart and directory security

 
Ranch Hand
Posts: 137
Hi guys,

I'm really struggling to get this going.

Basically we have an application that uses Web Start. You log into the system using form-based authentication in Tomcat. The trouble is: Web Start doesn't seem to work using this authentication. It gives some error saying that the cached JNLP, which Internet Explorer downloads temporarily, can't be found.

Basically, I'd like to have a single login. If you're logged into the website, you can use web start. If you're not, you're prompted to log in. Is this really as difficult as I think?

Any help is greatly appreciated.

Cheers,

Steve
 
Ranch Hand
Posts: 182
Hi,

Form-based authentication carries an authentication cookie with each browser request in order to authenticate the user to the Web container. The problem with JWS access to protected jars is that JWS doesn't have the browser cookie with which to authenticate its requests.
Anyway, what I would do is:
- ask for "confidential" transport when accessing the login page. This way the username & password will not be transferred in clear text
- protect the *.jnlp files by associating them with a security constraint which maps at least to "user" and ask for "confidential" transport so that the authentication cookie will not be sent in clear
- allow public access to the jars. You could still use https if you have jws1.3 or jws1.4

If you don't feel comfortable with public access you might try to make your own transfer and authentication handler. It should work but it might take some time.

BR,
Cristian