Open Adschge opened 4 years ago
If you open the OpenWebStart settings and select the menu entry "Security" you will find a checkbox "Asume local files belong to codebase".
By selecting this option you tell OWS that all files on your local hard drive should be considered as part of the code base. This is disabled by default as it disables the security check that all resources are from the same codebase...
Hi sclassen, thanks for your quick reply, but unfortunately this option had no effect. The error is still the same.
Sorry for the wrong info. I took a look in the code. This thing is a little tricky.
The application contains some metadata which enforces the check. You mention that you have limited possibilities to configure the jnlp file. So I assume you also cannot change the jar file.
So let us try something else: is the JNLP file reachable when connected to the VPN by a URL which satisfies the https://*/data/auth rule?
> You mention that you have limited possibilities to configure the jnlp file. So I assume you also cannot change the jar file.
That's right, there's a link in the JNLP file to the JAR file URL.
The JNLP file is not reachable by a URL, because the user downloads it with a unique ID filled with his credentials. I think it would be helpful if you have a look at a downloaded JNLP file; regrettably I don't have much experience with handling JNLP files...
```xml
<jnlp
    spec="1.0+"
    codebase=""
    href="xvpnc_1603353972.jnlp">
  <information>
    <title>***</title>
    <vendor>***</vendor>
  </information>
  <resources>
    <!-- Application Resources -->
    <j2se version="1.6+"
          href="http://java.sun.com/products/autodl/j2se" />
    <jar href="https://***/data/auth/XvpnClientV2_3_4.jar" main="true" />
  </resources>
  <applet-desc
      name="***"
      main-class="XvpnClient"
      width="600"
      height="350">
    <param name="userid" value="username" />
    <param name="userpassword" value="hash" />
  </applet-desc>
</jnlp>
```
If I understand you correctly the process is as follows:
The user logs into some site and then gets a link to download a customized jnlp with his credentials included?
If this is the case you can try to change the protocol for downloading the jnlp from http(s):// to jnlp(s)://.
By doing so the url is passed directly to OWS without first saving the file to disc.
> The user logs into some site and then gets a link to download a customized jnlp with his credentials included?
Nearly right, the problem is that it is not some site, this is our external firewall address. The firewall provides the webserver for authentication, jnlp generation and jnlp download.
> If this is the case you can try to change the protocol for downloading the jnlp from http(s):// to jnlp(s)://. By doing so the url is passed directly to OWS without first saving the file to disc.
I also tried to simulate this on my host, the error persists:
netx: Initialization Error: Could not initialize applet. (The resources [http://localhost/data/auth/xvpnc_1603348084.jnlp] do not match the location in Application-Library-Allowable-Codebase Attribute https://*/data/auth . Blocking the application from running.)
Is it possible for me to change the Application-Library-Allowable-Codebase Attribute in some way?
The allowable code base is specified in the MANIFEST.MF file which is included in the jar file of the application.
You can use a normal zip program to extract and re-package the jar.
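An added diagnostic, not code from OpenWebStart or from this thread: it reads the Application-Library-Allowable-Codebase attribute from a jar's MANIFEST.MF and checks a JNLP location against it. The matching rule is a simplified assumption rather than OpenWebStart's own matcher, and the sample jar, host name and file names are constructed.

```python
import io
import re
import zipfile

ATTR = "Application-Library-Allowable-Codebase"

def main_attributes(manifest_text):
    """Parse the main section of a MANIFEST.MF, joining continuation lines."""
    attrs, last = {}, None
    for line in manifest_text.splitlines():
        if not line.strip():
            break                       # a blank line ends the main section
        if line.startswith(" ") and last:
            attrs[last] += line[1:]     # long values wrap onto " "-prefixed lines
            continue
        name, _, value = line.partition(":")
        last = name.strip()
        attrs[last] = value.strip()
    return attrs

def location_allowed(location, pattern):
    """Assumed, simplified rule: drop the file name, then '*' matches any text."""
    directory = location.rsplit("/", 1)[0]
    regex = ".*".join(re.escape(part) for part in pattern.rstrip("/").split("*"))
    return re.fullmatch(regex, directory) is not None

def inspect_jar(jar, jnlp_location):
    """jar is a path or binary file object; reports pattern, match and signature entries."""
    with zipfile.ZipFile(jar) as zf:
        attrs = main_attributes(zf.read("META-INF/MANIFEST.MF").decode("utf-8"))
        signature_files = [n for n in zf.namelist()
                           if re.fullmatch(r"META-INF/[^/]+\.(SF|RSA|DSA|EC)", n, re.I)]
    pattern = attrs.get(ATTR)
    allowed = None if pattern is None else location_allowed(jnlp_location, pattern)
    return {"pattern": pattern, "allowed": allowed, "signature_files": signature_files}

def build_sample_jar():
    """Constructed jar with only a manifest; the pattern is the one from the thread."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    "Manifest-Version: 1.0\r\n" + ATTR + ": https://*/data/auth\r\n\r\n")
    buf.seek(0)
    return buf

if __name__ == "__main__":
    for loc in ("file:/C:/Users/user/Downloads/xvpnc.jnlp",        # constructed
                "http://localhost/data/auth/xvpnc.jnlp",           # constructed
                "https://fw.example.test/data/auth/xvpnc.jnlp"):   # constructed
        print(loc, "->", inspect_jar(build_sample_jar(), loc))
```

A non-empty `signature_files` list shows the jar is signed, which matters before repackaging it because the signature is computed over the manifest.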
I changed the attribute for Application-Library-Codebase to *. Now I get the following error:
Caused by: net.sourceforge.jnlp.LaunchException: Fatal: Initialization Error: A fatal error occurred while trying to verify jars. An exception has been thrown in class JarCertVerifier. Being unable to read the cacerts or trusted.certs files could be a possible cause for this exception.: Error in verify jar C:\Users\***\.cache\icedtea-web\cache\0\6\XvpnClientV2_3_4.jar
I added deployment.security.level=ALLOW_UNSIGNED to deployment.properties and changed the MANIFEST.MF attribute "Trusted-Only" to false but the error persists.
In the log files there should be more details about the root cause of the exception. Can you either attach the log file or at least post the stacktrace? Look for the String "Error in verify jar" to find it quickly.
Hi everybody, I'm trying to replace our usage of JRE with OpenWebStart in our company. A user who wants to join our network via VPN connects to our firewall, authenticates and downloads a jnlp file. When they run this file they should see an overview of our terminal servers and choose their desired one. But I'm stuck at this error:
Caused by: net.sourceforge.jnlp.LaunchException: The resources [file:/C:/Users/****/Downloads/xvpnc_1603353972.jnlp] do not match the location in Application-Library-Allowable-Codebase Attribute https://*/data/auth . Blocking the application from running.
I don't have any possibilities to configure the jnlp file from the firewall.
Environment: Win10, OpenWebStart 1.2.2