3

I developed a Java Web Start app that resides on a web server based on HTTP security. Once I log in to the web page for launching my Java Web Start application, the app asks me to authenticate again, and even if I tick "save this password to the password list", it prompts this authentication dialog again.

If I am not wrong, this is because it's trying to access the other jars.

I was wondering if there is a way to define or pass the authentication username and password automatically to get rid of this annoying "feature".

Thanks for your help

Mallinok

2 Answers

2

No. You must authenticate to the server to access the application, and you must authenticate to the client to allow `<all-permissions/>`. Accepting the proffered certificate in the manner provided by your client's operating system should preclude repeated requests for credentials. For reference, this example is signed but requires no `<security>`.

trashgod
  • What is unclear to me is why the Java Web Start is asking the web server authentication, shouldn't it ask just for the user to accept the certificate? – Mallinok Aug 09 '11 at 13:59
  • Ah, JWS has to check the server for updates; `` might help. As the JARs are signed, why not serve the application via `http`? It would be faster, too. – trashgod Aug 09 '11 at 14:10
  • Uh ok, the offline-allowed has been set already. Is there a workaround to avoid looking for updates? The reason is that I want to grant access to that application only to authenticated users. – Mallinok Aug 09 '11 at 14:21
  • Maybe with the version attribute? – Mallinok Aug 09 '11 at 14:24
2

Probably because the User-Agent HTTP request header is not the same.

When you browse to your Web Start page, your browser sends a request to the HTTP server with User-Agent: whatever browser you are using

When the JRE requests the JARs to be downloaded from the HTTP server, it sends a request with User-Agent: whatever java version you are using

From the perspective of the HTTP server, these are 2 distinct clients and therefore you are prompted twice for credentials.

Pierre Ernst
  • If that's the case, is it possible to pass the authentication parameters from one agent to the other? – Mallinok Aug 09 '11 at 14:34
  • It would be fine for me also to hardcode the username and password, but what System property should I set? – Mallinok Aug 09 '11 at 14:36
  • 1
    @Mallinok: you could configure all the URLs in the jnlp file with something like this: http://user:password@my-server.com/file.jar, but remember that anyone would be able to see your credentials by downloading the jnlp file. This is not recommended. Why not host the jar files outside the password-protected folder? – Pierre Ernst Aug 09 '11 at 14:43
  • Hmm, I tried to add the user:password but it seems it's not working... isn't that the httpS URL? I am running under basic HTTP security.
    The thing is I don't want the jar to be accessible either. I've been spending hours looking for how to automatically set the username and password to the javaws authentication frame but found nothing.
    – Mallinok Aug 09 '11 at 15:06
  • @PierreErnst Along the same lines you can dynamically generate the JNLP file and store the username/password property in there. I did this in a previous project, but in the version of Java I was using at the time, the javaws executable would fabricate a java command and put all the properties on the command line (-Dusername=... -Dpassword=...). Since most of my users are on Linux, you can then log in to their computer and use the "ps" command to see their password... So that wasn't the best idea I ever had. But I don't know that javaws still generates a java command in this way. – Paul Oct 29 '13 at 13:40
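
The comments above point out that credentials written into a JNLP file, either as `user:password@` URLs or as username/password properties, are readable by anyone who obtains the file. The following check is an added example, not code from any poster in this thread: it flags both patterns in a JNLP document before it is published. The function name, the list of secret-looking property names and the sample file are assumptions constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Property names treated as secrets (assumed list; adjust to your application).
SECRET_NAME = re.compile(r"pass|pwd|secret|token", re.IGNORECASE)

def find_jnlp_credentials(jnlp_text):
    """Return (tag, attribute-or-property-name, reason) findings for one JNLP document."""
    # xml.etree is not hardened against entity-expansion input; run this on
    # files you control, or swap in defusedxml for untrusted files.
    root = ET.fromstring(jnlp_text)
    findings = []
    for elem in root.iter():
        # 1. URLs carrying userinfo, e.g. http://user:password@host/file.jar
        for attr in ("href", "codebase"):
            value = elem.get(attr)
            if not value:
                continue
            parts = urlsplit(value)
            if parts.username is not None or parts.password is not None:
                findings.append((elem.tag, attr, "credentials embedded in URL"))
        # 2. <property name="password" value="..."/> becomes a system property
        #    of the launched JVM (a commenter saw these on the command line).
        if elem.tag == "property" and elem.get("value"):
            name = elem.get("name", "")
            if SECRET_NAME.search(name):
                findings.append((elem.tag, name, "secret in JNLP property"))
    return findings

# Constructed sample JNLP, reusing the URL form quoted in the thread.
SAMPLE_JNLP = """
<jnlp spec="1.0+" codebase="http://my-server.com/app" href="launch.jnlp">
  <information><title>Demo</title><vendor>Example</vendor></information>
  <resources>
    <j2se version="1.6+"/>
    <jar href="http://user:password@my-server.com/file.jar"/>
    <jar href="lib/util.jar"/>
    <property name="username" value="bob"/>
    <property name="password" value="constructed-value"/>
  </resources>
  <application-desc main-class="Main"/>
</jnlp>
"""

if __name__ == "__main__":
    for tag, where, reason in find_jnlp_credentials(SAMPLE_JNLP):
        print(f"<{tag}> {where}: {reason}")
```

A clean result only means the file carries no credentials in these two places; the JARs still need server-side access control if they must stay private.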