karakun / OpenWebStart

Run Web Start based applications after the release of Java 11
https://openwebstart.com

Application-Library-Allowable-Codebase Error #339

Open Adschge opened 4 years ago

Adschge commented 4 years ago

Hi Everybody, I'm trying to replace our usage of the JRE with OpenWebStart in our company. A user who wants to join our network via VPN connects to our firewall, authenticates and downloads a jnlp file. When they run this file they should see an overview of our terminal servers and choose their desired one. But I'm stuck at this error: Caused by: net.sourceforge.jnlp.LaunchException: The resources [file:/C:/Users/****/Downloads/xvpnc_1603353972.jnlp] do not match the location in Application-Library-Allowable-Codebase Attribute https://*/data/auth . Blocking the application from running. I don't have any possibility to configure the jnlp file from the firewall.

Environment: Win10, OpenWebStart 1.2.2

sclassen commented 4 years ago

If you open the OpenWebStart settings and select the menu entry "Security" you will find a checkbox "Assume local files belong to codebase".

By selecting this option you tell OWS that all files on your local hard drive should be considered as part of the code base. This is disabled by default as it disables the security check that all resources are from the same codebase...

Adschge commented 4 years ago

Hi sclassen, thanks for your quick reply, but unfortunately this option had no effect. The error is still the same.

sclassen commented 4 years ago

Sorry for the wrong info. I took a look in the code. This thing is a little tricky.

The application contains some meta data which enforces the check. You mention that you have limited possibilities to configure the jnlp file. So I assume you also cannot change the jar file.

So let us try something else: is the JNLP file reachable when connected to the VPN by a URL which satisfies the https://*/data/auth rule?

Adschge commented 4 years ago

> You mention that you have limited possibilities to configure the jnlp file. So I assume you also cannot change the jar file.

That's right, there's a link in the JNLP file to the JAR file URL.

The JNLP file is not reachable by a URL, because the user downloads it with a unique ID filled with his credentials. I think it would be helpful if you have a look at a downloaded JNLP file; regrettably I don't have much experience with handling JNLP files...

```xml
<jnlp
    spec="1.0+"
    codebase=""
    href="xvpnc_1603353972.jnlp">
    <information>
        <title>***</title>
        <vendor>***</vendor>
    </information>
    <resources>
        <!-- Application Resources -->
        <j2se version="1.6+"
            href="http://java.sun.com/products/autodl/j2se" />
        <jar href="https://***/data/auth/XvpnClientV2_3_4.jar" main="true" />
    </resources>
    <applet-desc
        name="***"
        main-class="XvpnClient"
        width="600"
        height="350">
        <param name="userid" value="username" />
        <param name="userpassword" value="hash" />
    </applet-desc>
</jnlp>
```

sclassen commented 4 years ago

If I understand you correctly the process is as follows:

The user logs into some site and then gets a link to download a customized jnlp with his credentials included?

If this is the case you can try to change the protocol for downloading the jnlp from http(s):// to jnlp(s)://. By doing so the URL is passed directly to OWS without first saving the file to disk.

Adschge commented 3 years ago

> The user logs into some site and then gets a link to download a customized jnlp with his credentials included?

Nearly right, the problem is that it is not some site, this is our external firewall address. The firewall provides the webserver for authentication, jnlp generation and jnlp download.

> If this is the case you can try to change the protocol for downloading the jnlp from http(s):// to jnlp(s)://. By doing so the URL is passed directly to OWS without first saving the file to disk.

I also tried to simulate this on my host; the error persists:

netx: Initialization Error: Could not initialize applet. (The resources [http://localhost/data/auth/xvpnc_1603348084.jnlp] do not match the location in Application-Library-Allowable-Codebase Attribute https://*/data/auth . Blocking the application from running.)

Is it possible for me to change the Application-Library-Allowable-Codebase Attribute in some way?

sclassen commented 3 years ago

The allowable code base is specified in the MANIFEST.MF file which is included in the jar file of the application.

You can use a normal zip program to extract and re-package the jar.
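To make the check in this thread concrete (why a `file:/` download and `http://localhost/...` both fail the `https://*/data/auth` rule, and where the attribute lives), here is an added example that is not OpenWebStart's own code: a simplified model of the allowable-codebase match plus a reader for the manifest attribute inside a jar. It assumes the attribute is a space-separated list of locations, that `*` as the host matches any host, and that the path is a directory prefix; the jar it inspects is constructed in memory.

```python
# Added example (not OpenWebStart's own code): a simplified model of the
# Application-Library-Allowable-Codebase check discussed in this thread.
# Assumptions: the attribute is a space-separated list of locations, "*" as
# the host matches any host, and the path is a directory prefix.
import io
import zipfile
from typing import Optional
from urllib.parse import urlsplit


def read_manifest_attr(jar_bytes: bytes, name: str) -> Optional[str]:
    """Return a main-section attribute from META-INF/MANIFEST.MF inside a jar."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        text = jar.read("META-INF/MANIFEST.MF").decode("utf-8")
    lines = []
    for line in text.splitlines():
        if line.startswith(" ") and lines:   # manifest continuation line
            lines[-1] += line[1:]
        else:
            lines.append(line)
    for line in lines:
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == name.lower():
            return value.strip()
    return None


def location_allowed(jnlp_url: str, allowable: str) -> bool:
    """True if the JNLP location falls under one of the allowable entries."""
    u = urlsplit(jnlp_url)
    url_dir = u.path.rsplit("/", 1)[0] + "/"
    for entry in allowable.split():
        if entry == "*":                      # unrestricted, as edited later in the thread
            return True
        e = urlsplit(entry)
        if u.scheme != e.scheme:              # file:/ or http:// never satisfy an https:// rule
            continue
        if e.netloc != "*" and e.netloc.lower() != u.netloc.lower():
            continue
        if url_dir.startswith(e.path.rstrip("/") + "/"):
            return True
    return False


def build_sample_jar(allowable: str) -> bytes:
    """Constructed jar containing only a manifest, for the demo."""
    manifest = f"Manifest-Version: 1.0\r\nApplication-Library-Allowable-Codebase: {allowable}\r\n\r\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", manifest)
    return buf.getvalue()
```

Run `location_allowed(url, read_manifest_attr(jar_bytes, "Application-Library-Allowable-Codebase"))` against a real jar to see which download URL the launcher would accept before touching the manifest.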

Adschge commented 3 years ago

I changed the attribute for Application-Library-Codebase to *. Now I get the following error:

Caused by: net.sourceforge.jnlp.LaunchException: Fatal: Initialization Error: A fatal error occurred while trying to verify jars. An exception has been thrown in class JarCertVerifier. Being unable to read the cacerts or trusted.certs files could be a possible cause for this exception.: Error in verify jar C:\Users\***\.cache\icedtea-web\cache\0\6\XvpnClientV2_3_4.jar

I added deployment.security.level=ALLOW_UNSIGNED to deployment.properties and changed the MANIFEST.MF attribute "Trusted-Only" to false, but the error persists.

sclassen commented 3 years ago

In the log files there should be more details about the root cause of the exception. Can you either attach the log file or at least post the stacktrace? Look for the string "Error in verify jar" to find it quickly.