karakun / OpenWebStart

Run Web Start based applications after the release of Java 11
https://openwebstart.com

read permission denied on .config/icedtea-web/deployment.properties #561

Open acsipak opened 11 months ago

acsipak commented 11 months ago

This is somewhat puzzling. Along the first lines of the ows-stage2.log there's positive evidence on whether OWS can access the user configuration:

[ITW-CORE][2023-10-17 20:28:08.538 CEST][DEBUG][net.sourceforge.jnlp.config.DeploymentConfiguration] Start DeploymentConfiguration.load()
[ITW-CORE][2023-10-17 20:28:08.563 CEST][INFO ][net.sourceforge.jnlp.config.DeploymentConfiguration] Loading USER level properties from: file:/C:/Users/csipak_attila/.config/icedtea-web/deployment.properties
[ITW-CORE][2023-10-17 20:28:08.567 CEST][DEBUG][net.sourceforge.jnlp.config.DeploymentConfiguration] End DeploymentConfiguration.load()

Later on, while the actual Java application is started up, there's a java.net.URL.openStream(URL) call. OWS was set up to use the System Proxy, which is actually a proxy.pac file. According to the proxy.pac rules, this exact URL should be reached by a direct connection. But in our case, this conclusion is not reached:

[ITW-CORE][2023-10-17 20:28:14.057 CEST][DEBUG][net.adoptopenjdk.icedteaweb.resources.ResourceTracker] Create resource for 'http://foo.bar.local/myJwsApp//NativeLib.jar'
[ITW-CORE][2023-10-17 20:28:14.057 CEST][DEBUG][net.adoptopenjdk.icedteaweb.resources.ResourceTracker] Prefetching resource NativeLib.jar
[ITW-CORE][2023-10-17 20:28:14.058 CEST][DEBUG][net.adoptopenjdk.icedteaweb.resources.ResourceHandler] Start processing resource: NativeLib.jar
[ITW-CORE][2023-10-17 20:28:14.058 CEST][DEBUG][net.sourceforge.jnlp.runtime.JNLPSecurityManager] Denying permission: ("java.io.FilePermission" "C:\Users\csipak_attila\.config\icedtea-web\deployment.properties" "read")
[ITW-CORE][2023-10-17 20:28:14.058 CEST][DEBUG][net.sourceforge.jnlp.runtime.JNLPSecurityManager] Denying permission: ("java.io.FilePermission" "C:\Users\csipak_attila\.config\icedtea-web\deployment.properties" "read")
[ITW-CORE][2023-10-17 20:28:14.058 CEST][DEBUG][net.sourceforge.jnlp.runtime.JNLPSecurityManager] Denying permission: ("java.io.FilePermission" "C:\Users\csipak_attila\.config\icedtea-web\deployment.properties" "read")
[ITW-CORE][2023-10-17 20:28:14.058 CEST][DEBUG][net.adoptopenjdk.icedteaweb.resources.ResourceHandler] Exception while processing resource 'NativeLib.jar'
[ITW-CORE][2023-10-17 20:28:14.059 CEST][DEBUG][net.adoptopenjdk.icedteaweb.resources.ResourceTracker] Download done. Shutting down executor
[ITW-CORE][2023-10-17 20:28:14.059 CEST][ERROR][net.adoptopenjdk.icedteaweb.resources.ResourceTracker]
Error while fetching resource http://foo.bar.local/myJwsApp//NativeLib.jar
java.lang.RuntimeException: Error while waiting for download
    at net.adoptopenjdk.icedteaweb.resources.ResourceTracker.waitForCompletion(ResourceTracker.java:397)
    at net.adoptopenjdk.icedteaweb.resources.ResourceTracker.getCacheFile(ResourceTracker.java:255)
    at net.sourceforge.jnlp.runtime.classloader.JNLPClassLoader.getReadPermission(JNLPClassLoader.java:603)
    at net.sourceforge.jnlp.runtime.classloader.JNLPClassLoader.lambda$addNewJar$10(JNLPClassLoader.java:1543)
    at java.security.AccessController.doPrivileged(Native Method)
    at net.sourceforge.jnlp.runtime.classloader.JNLPClassLoader.addNewJar(JNLPClassLoader.java:1542)
    at net.sourceforge.jnlp.runtime.classloader.JNLPClassLoader.addNewJar(JNLPClassLoader.java:1523)
    at net.sourceforge.jnlp.runtime.classloader.JNLPClassLoader.loadFromJarIndexes(JNLPClassLoader.java:1499)
    at net.sourceforge.jnlp.runtime.classloader.JNLPClassLoader.lambda$loadClass$8(JNLPClassLoader.java:1444)
    at net.sourceforge.jnlp.runtime.classloader.JNLPClassLoader$ExceptionalSupplier.getResultOfCallOrNull(JNLPClassLoader.java:1405)
    at java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:193)
    at java.util.ArrayList$ArrayListSpliterator.tryAdvance(ArrayList.java:1361)
    at java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126)
    at java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:499)
    at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:486)
    at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:472)
    at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152)
    at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
    at java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464)
    at net.sourceforge.jnlp.runtime.classloader.JNLPClassLoader.loadClass(JNLPClassLoader.java:1448)
    at net.adoptopenjdk.icedteaweb.shaded.mozilla.javascript.Kit.classOrNull(Kit.java:88)
    at net.adoptopenjdk.icedteaweb.shaded.mozilla.javascript.NativeJavaPackage.getPkgProperty(NativeJavaPackage.java:154)
    at net.adoptopenjdk.icedteaweb.shaded.mozilla.javascript.NativeJavaPackage.get(NativeJavaPackage.java:105)
    at net.adoptopenjdk.icedteaweb.shaded.mozilla.javascript.NativeJavaTopPackage.init(NativeJavaTopPackage.java:129)
    at sun.reflect.GeneratedMethodAccessor6.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at net.adoptopenjdk.icedteaweb.shaded.mozilla.javascript.ScriptableObject.buildClassCtor(ScriptableObject.java:1018)
    at net.adoptopenjdk.icedteaweb.shaded.mozilla.javascript.LazilyLoadedCtor.buildValue(LazilyLoadedCtor.java:110)
    at net.adoptopenjdk.icedteaweb.shaded.mozilla.javascript.LazilyLoadedCtor.init(LazilyLoadedCtor.java:89)
    at net.adoptopenjdk.icedteaweb.shaded.mozilla.javascript.ScriptableObject.getImpl(ScriptableObject.java:1992)
    at net.adoptopenjdk.icedteaweb.shaded.mozilla.javascript.ScriptableObject.get(ScriptableObject.java:280)
    at net.adoptopenjdk.icedteaweb.shaded.mozilla.javascript.IdScriptableObject.get(IdScriptableObject.java:385)
    at net.adoptopenjdk.icedteaweb.shaded.mozilla.javascript.ScriptableObject.getProperty(ScriptableObject.java:1575)
    at net.adoptopenjdk.icedteaweb.shaded.mozilla.javascript.ScriptRuntime.topScopeName(ScriptRuntime.java:1748)
    at net.adoptopenjdk.icedteaweb.shaded.mozilla.javascript.ScriptRuntime.nameOrFunction(ScriptRuntime.java:1715)
    at net.adoptopenjdk.icedteaweb.shaded.mozilla.javascript.ScriptRuntime.name(ScriptRuntime.java:1657)
    at net.adoptopenjdk.icedteaweb.shaded.mozilla.javascript.Interpreter.interpretLoop(Interpreter.java:3413)
    at net.adoptopenjdk.icedteaweb.shaded.mozilla.javascript.Interpreter.interpret(Interpreter.java:2484)
    at net.adoptopenjdk.icedteaweb.shaded.mozilla.javascript.InterpretedFunction.call(InterpretedFunction.java:162)
    at net.adoptopenjdk.icedteaweb.shaded.mozilla.javascript.ContextFactory.doTopCall(ContextFactory.java:401)
    at net.adoptopenjdk.icedteaweb.shaded.mozilla.javascript.ScriptRuntime.doTopCall(ScriptRuntime.java:3003)
    at net.adoptopenjdk.icedteaweb.shaded.mozilla.javascript.InterpretedFunction.call(InterpretedFunction.java:160)
    at com.openwebstart.proxy.pac.PacFileEvaluator.lambda$getProxiesWithoutCaching$0(PacFileEvaluator.java:191)
    at java.security.AccessController.doPrivileged(Native Method)
    at com.openwebstart.proxy.pac.PacFileEvaluator.getProxiesWithoutCaching(PacFileEvaluator.java:202)
    at com.openwebstart.proxy.pac.PacFileEvaluator.getProxies(PacFileEvaluator.java:134)
    at com.openwebstart.proxy.pac.PacBasedProxyProvider.select(PacBasedProxyProvider.java:30)
    at com.openwebstart.proxy.windows.WindowsProxyProvider.select(WindowsProxyProvider.java:36)
    at com.openwebstart.proxy.WebStartProxySelector.select(WebStartProxySelector.java:50)
    at sun.net.www.protocol.http.HttpURLConnection.plainConnect0(HttpURLConnection.java:1161)
    at sun.net.www.protocol.http.HttpURLConnection$6.run(HttpURLConnection.java:1051)
    at sun.net.www.protocol.http.HttpURLConnection$6.run(HttpURLConnection.java:1049)
    at java.security.AccessController.doPrivileged(Native Method)
    at java.security.AccessController.doPrivilegedWithCombiner(AccessController.java:784)
    at sun.net.www.protocol.http.HttpURLConnection.plainConnect(HttpURLConnection.java:1048)
    at sun.net.www.protocol.http.HttpURLConnection.connect(HttpURLConnection.java:995)
    at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1584)
    at sun.net.www.protocol.http.HttpURLConnection.access$200(HttpURLConnection.java:92)
    at sun.net.www.protocol.http.HttpURLConnection$9.run(HttpURLConnection.java:1504)
    at sun.net.www.protocol.http.HttpURLConnection$9.run(HttpURLConnection.java:1502)
    at java.security.AccessController.doPrivileged(Native Method)
    at java.security.AccessController.doPrivilegedWithCombiner(AccessController.java:784)
    at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1501)
    at java.net.URL.openStream(URL.java:1092)
    at hu.foo.bar.MyJwsApp.<init>(MyJwsApp.java:112)
    at hu.foo.bar.MyJwsApp.main(MyJwsApp.java:87)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at net.sourceforge.jnlp.Launcher.launchApplication(Launcher.java:406)
    at net.sourceforge.jnlp.Launcher.access$300(Launcher.java:71)
    at net.sourceforge.jnlp.Launcher$TgThread.run(Launcher.java:660)
Caused by: java.util.concurrent.ExecutionException: java.security.AccessControlException: access denied ("java.io.FilePermission" "C:\Users\csipak_attila\.config\icedtea-web\deployment.properties" "read")
    at java.util.concurrent.CompletableFuture.reportGet(CompletableFuture.java:357)
    at java.util.concurrent.CompletableFuture.get(CompletableFuture.java:1908)
    at net.adoptopenjdk.icedteaweb.resources.ResourceTracker.waitForCompletion(ResourceTracker.java:394)
    ... 73 more
Caused by: java.security.AccessControlException: access denied ("java.io.FilePermission" "C:\Users\csipak_attila\.config\icedtea-web\deployment.properties" "read")
    at java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
    at java.security.AccessController.checkPermission(AccessController.java:886)
    at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
    at net.sourceforge.jnlp.runtime.JNLPSecurityManager.checkPermission(JNLPSecurityManager.java:272)
    at java.lang.SecurityManager.checkRead(SecurityManager.java:888)
    at net.sourceforge.jnlp.config.DeploymentConfiguration.getProperty(DeploymentConfiguration.java:275)
    at net.sourceforge.jnlp.config.InfrastructureFileDescriptor.getFullPath(InfrastructureFileDescriptor.java:122)
    at net.sourceforge.jnlp.config.InfrastructureFileDescriptor.getFullPath(InfrastructureFileDescriptor.java:91)
    at net.sourceforge.jnlp.config.PathsAndFiles$RECENTLY_USED_FILE_HOLDER$1.getFullPath(PathsAndFiles.java:87)
    at net.sourceforge.jnlp.config.InfrastructureFileDescriptor.getFile(InfrastructureFileDescriptor.java:79)
    at net.adoptopenjdk.icedteaweb.resources.cache.CacheIndexHolder.getCacheFile(CacheIndexHolder.java:117)
    at net.adoptopenjdk.icedteaweb.resources.cache.CacheIndexHolder.lockCacheFile(CacheIndexHolder.java:67)
    at net.adoptopenjdk.icedteaweb.resources.cache.CacheIndexHolder.getSynchronized(CacheIndexHolder.java:52)
    at net.adoptopenjdk.icedteaweb.resources.cache.CacheImpl.getResourceInfo(CacheImpl.java:189)
    at net.adoptopenjdk.icedteaweb.resources.cache.CacheImpl.isCached(CacheImpl.java:202)
    at net.adoptopenjdk.icedteaweb.resources.cache.Cache.isCached(Cache.java:112)
    at net.adoptopenjdk.icedteaweb.resources.cache.Cache.isCached(Cache.java:108)
    at net.adoptopenjdk.icedteaweb.resources.initializer.UnversionedResourceInitializer.init(UnversionedResourceInitializer.java:27)
    at net.adoptopenjdk.icedteaweb.resources.ResourceHandler.processResource(ResourceHandler.java:83)
    at net.adoptopenjdk.icedteaweb.resources.ResourceHandler.process(ResourceHandler.java:69)
    at net.adoptopenjdk.icedteaweb.resources.ResourceHandler.lambda$putIntoCache$0(ResourceHandler.java:44)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at java.lang.Thread.run(Thread.java:750)

NativeLib.jar is added as a nativelib resource in the JNLP descriptor. No idea why PacFileEvaluator and pac-funcs.js think there's anything relevant to the pac.proxy evaluation in this exact native library. The fact that it is a native library (it contains *.so, *.dll and *.dylib files in its root) seems to be related to the phenomenon. The bug also appears when it is added as a simple jar resource. Not sure what's special about this resource, but I think all JNLP resources should be absolutely separated from the pac.proxy parsing and evaluation process.

The next surprise comes when all this does not fail in the end because the resource URL for NativeLib.jar is wrong. It fails because according to JNLPSecurityManager OWS has no read access to the user-level deployment.properties file. Yes, this is the same file that we actually processed a few seconds earlier according to the stage2 log. Probably the context changed in some way since then.

I managed to work around this issue by setting OWS deployment.proxy.type=0 aka no proxy in OWS settings. This way I can avoid pac.proxy parsing and all the mess described above. Since this is a viable workaround in my case, the fix is not urgent for me personally. I post this issue regardless, because it may provide some hints to others encountering a similar error and may also be interesting to the OWS developers.
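
A log-triage sketch for the pattern reported in this issue, added here as an example and not part of the original report or of OpenWebStart's code: it counts `JNLPSecurityManager` denials in an OWS log and checks whether the accompanying stack trace runs through `com.openwebstart.proxy.pac`. The function name `triage` and the abbreviated `SAMPLE` excerpt (a few lines taken from the log above) are assumptions made for the example.

```python
import re
from collections import Counter

# Line layout as seen in the issue: [ITW-CORE][timestamp][LEVEL][logger] message
LINE_RE = re.compile(r"^\[ITW-CORE\]\[([^\]]+)\]\[([A-Z]+)\s*\]\[([^\]]+)\]\s?(.*)$")
DENY_RE = re.compile(r'Denying permission: \("([^"]+)" "([^"]+)" "([^"]+)"\)')
FRAME_RE = re.compile(r"^\s+at ([\w.$<>]+)\(")
PAC_PREFIX = "com.openwebstart.proxy.pac."

# Abbreviated excerpt of the log quoted in the issue (not the full trace).
SAMPLE = r"""[ITW-CORE][2023-10-17 20:28:08.563 CEST][INFO ][net.sourceforge.jnlp.config.DeploymentConfiguration] Loading USER level properties from: file:/C:/Users/csipak_attila/.config/icedtea-web/deployment.properties
[ITW-CORE][2023-10-17 20:28:14.058 CEST][DEBUG][net.sourceforge.jnlp.runtime.JNLPSecurityManager] Denying permission: ("java.io.FilePermission" "C:\Users\csipak_attila\.config\icedtea-web\deployment.properties" "read")
[ITW-CORE][2023-10-17 20:28:14.058 CEST][DEBUG][net.sourceforge.jnlp.runtime.JNLPSecurityManager] Denying permission: ("java.io.FilePermission" "C:\Users\csipak_attila\.config\icedtea-web\deployment.properties" "read")
    at net.sourceforge.jnlp.runtime.classloader.JNLPClassLoader.loadClass(JNLPClassLoader.java:1448)
    at com.openwebstart.proxy.pac.PacFileEvaluator.getProxiesWithoutCaching(PacFileEvaluator.java:202)
    at com.openwebstart.proxy.pac.PacBasedProxyProvider.select(PacBasedProxyProvider.java:30)
    at java.net.URL.openStream(URL.java:1092)
"""

def triage(log_text):
    """Summarise denied permissions and PAC-evaluation frames found in an OWS log."""
    denials, pac_frames = Counter(), []
    for line in log_text.splitlines():
        header = LINE_RE.match(line)
        if header:
            # Only count denials logged by the JNLP security manager itself.
            deny = DENY_RE.search(header.group(4))
            if deny and header.group(3).endswith("JNLPSecurityManager"):
                denials[deny.groups()] += 1
            continue
        frame = FRAME_RE.match(line)
        if frame and frame.group(1).startswith(PAC_PREFIX):
            pac_frames.append(frame.group(1))
    # Normalise Windows separators before matching the config file name.
    config_denied = any(target.replace("\\", "/").endswith("/deployment.properties")
                        for _, target, _ in denials)
    return {
        "denials": dict(denials),
        "pac_frames": pac_frames,
        # True when the config read was denied and a trace passes through PAC evaluation.
        "config_denied_during_pac": config_denied and bool(pac_frames),
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(key, "=", value)
```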