javaapplettomcat7jnlpnext-generation-plugin

Applet stopped working with a JNLP MissingFieldException <jnlp>

I have an applet which was running 1/2 year ago. Now i needed to 'reactivate' it however for an unknown reason it is not working anymore. Here are the specs:

This is the error I get:

MissingFieldException[ The following required field is missing from the launch file: <jnlp>]
at com.sun.javaws.jnl.XMLFormat.parse(Unknown Source)
at com.sun.javaws.jnl.LaunchDescFactory.buildDescriptor(Unknown Source)
at com.sun.javaws.jnl.LaunchDescFactory.buildDescriptor(Unknown Source)
at com.sun.javaws.jnl.LaunchDescFactory._buildDescriptor(Unknown Source)
at com.sun.javaws.jnl.LaunchDescFactory.buildDescriptor(Unknown Source)
at com.sun.javaws.jnl.LaunchDescFactory.buildDescriptor(Unknown Source)
at sun.plugin2.applet.JNLP2Manager.initialize(Unknown Source)
at sun.plugin2.main.client.PluginMain.initManager(Unknown Source)
at sun.plugin2.main.client.PluginMain.access$200(Unknown Source)
at sun.plugin2.main.client.PluginMain$2.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
Error while initializing manager: MissingFieldException[ The following required field is missing from the launch file: <jnlp>], bail out

What I tried/suspected so far:

  1. Something oracle introduced with security update 7u17, 7u21 or 7u25. However I tried all JREs from 7u25 down to 7u0 it didn't help. Also tried 6u51 down to 6u22 which I am sure did work before.
  2. Something Mozilla or Google introduced in their effort to increase the security of their browsers in combination with the java plugin. Tried various older browser versions - no success. However then I tried the IE10 and it is working ?!
  3. Analyzed the JNLP file (also with JaNeLa) but since it did work before and works in IE10 it can't be the JNLP. It seems that the plugin doesn't even come to analyzing the JNLP.

Any ideas?

Solution

  • After nearly spending two days on that problem I figured it out, hopefully helping others with that. The explanation:

    1. My applet runs in the context of a protected web application where a user needs to login with a form login first.
    2. After doing so, a session cookie is created and sent back to the client/browser.
    3. Since I switched from tomcat 6 to tomcat 7 the useHttpOnly policy for cookies is enabled by default which was disabled for all tomcat versions prior tomcat 7. The HttpOnly flag instructs browsers to prevent access to those cookies from JavaScript/Plugins (security reasons e.g. cross site scripting etc).
    4. Now since the java plugin couldn't access the cookie it didn't sent it to the server when requesting the JNLP file.
    5. the server returns the loginpage for all unauthorized request.
    6. Last but not least the JNLP parser was looking for the <jnlp> structure and couldn't find any - so the above error was generated.

    So how can that be prevented?

    1. Disable the useHttpOnly flag in tomcat globally
    2. Disable the useHttpOnly flag for a webapplication (which I did). To do that add a context.xml file in the META-INF of your webappication which contains the following line
      <Context path="/" cookies="true" useHttpOnly="false"/>

    Now why the IE10 seems to ignore the httponly flag is a open question i can live with ;-)