Continue Browser Session in JNLP

Stauz picture Stauz · May 1, 2013 · Viewed 9.1k times · Source

We have basic authentication enabled on Tomcat6. User is authenticated in browser and then JNLP is launched to launch application in Java Web Start. On start-up, java web start tries to download jar files from server but it is not using the same session which is already authenticated by browser. Based on forums I have tried to pass session id in JNLP by using sid property as well as be appending in URL. Environment is restricted so each and every request needs to be authenticated we cannot say to exclude requests for jar file not being authenticated. Below is my JSP creating JNLP file, can anyone please help how can we continue same session to download jars which is already authenticated by Browser.

<% response.setContentType("application/x-java-jnlp-file"); %>
<%= "<?xml version=\"1.0\" encoding=\"utf-8\"?>" %>
<!-- JNLP File for SimpleTableDemo -->
<%
String baseURL = request.getRequestURL().toString().replace(request.getRequestURI(), request.getContextPath());
%>
<jnlp codebase="<%=baseURL%>">

    <information>
        <title>Simple Table Demo Application</title>
        <vendor>Try</vendor>
        <description>SimpleTableDemo</description>
        <description kind="short">An application that demonstrates a simple table.</description>
    </information>

    <resources>
        <j2se version="1.6+" />
        <property name="sid" value="<%=request.getSession().getId()%>" />
        <property name="serviceHost" value="<%=request.getServerName()%>"/>
        <property name="servicePort" value="<%=request.getServerPort()%>"/> 
        <jar href="AuthenticateJNLPJars.jar;JSESSIONID=<%=request.getSession().getId()%>" />
    </resources>

    <application-desc main-class="SimpleTableDemo" >
    </application-desc>
</jnlp>

Answer

Argod picture Argod · Sep 26, 2014

I now have (some) answers....

I realize that this question is a year old, but since it`s the first result on google when searching for this issue I figured it was a good idea to complete it.

There is one problem with the jnlp code that you provided, but first, you have to check if adding the cookie to the url would actually work..... and that depends on your app deployment configuration.

I do not know how it is on Tomcat... I am using weblogic, and in it you have to check in weblogic.xml the following property

 <session-descriptor>
      <url-rewriting-enabled>true</url-rewriting-enabled>
 </session-descriptor>

This means that, if available, weblogic will get the session id from the URL (using the same format that you have in your code)

If it is false, then this solution will not work and you will have to send a cookie with the session id in each request.... and if you found a way to do to that PLEASE respond.... it would help me a lot.

now, if url-rewriting-enable is true, then this approach will work once you fix the following problem in your script.

The problem is that, once java web start gets the jnlp from the browser, it will download it again from the server, so you have to make sure that you add the session id to that request also. you do that by modifiing the initial tag like this:

<jnlp spec="1.0+" codebase="<%=baseURL%>" href="<%=NAME_OF_JNLP%>;JSESSIONID=<%=SESSION_ID%>"> 

And that is it, the code should work...

by the way, the properties that you added:

<property name="sid" value="<%=request.getSession().getId()%>" />
<property name="serviceHost" value="<%=request.getServerName()%>"/>
<property name="servicePort" value="<%=request.getServerPort()%>"/> 

are not relevant to this, you can delete them and the code will still work.