java, cookies, java-web-start, jnlp, java-ws

Pass cookie from JNLP to JAVAWS to download protected resources


I have a setup where I obtain protected JNLP via browser, and JNLP saves the authentication cookie as a property. Then javaws is run with the jnlp file. The jnlp requires protected resources, so I need to pass the authentication cookie to the javaws process, so it can use it when downloading the resources... How can I pass the auth cookie to javaws process?

I've checked all parameters available to javaws and JNLP but I couldn't find how this can be done.

Is this even possible?


Solution

  • I think I found a solution. Java Web Start uses the same cookie store as Internet Explorer - see comments in here to see how IE persistent cookies are harvested by the JavaWebStart application.

    To get this to work, I developed the following:

    1. JNLP and jars are protected
    2. Access JNLP via IE - this will redirect you to login page where you log in and obtain authentication cookies
    3. In your web server, have a servlet that intercepts the authentication cookie, makes it persistent and adds it to the response

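      import javax.servlet.http.Cookie;
      import javax.servlet.http.HttpServletRequest;
      import javax.servlet.http.HttpServletResponse;
      import org.springframework.web.servlet.ModelAndView;

      public class CookieServlet extends org.springframework.web.servlet.mvc.AbstractController {
      ...
          @Override
          protected ModelAndView handleRequestInternal(final HttpServletRequest req,
                                               final HttpServletResponse resp) throws Exception {
              ....
              // Look for the authentication cookie sent by the browser
              Cookie[] cookies = req.getCookies();
              String session = null;
              if (cookies != null) {
                  for (Cookie cookie : cookies) {
                      if (cookie.getName().equals("AUTHSESSION")) {
                          session = cookie.getValue();
                          break;
                      }
                  }
              }

              // Re-issue it with an explicit max age (in seconds) so it becomes persistent
              if (session != null) {
                  Cookie cookie = new Cookie("AUTHSESSION", session);
                  cookie.setMaxAge(<specify cookie age>);
                  resp.addCookie(cookie);
              }
              ...
          }
      }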
      
    4. Now launch your jnlp via cmd.exe - you can access the resources without issues as it harvests cookies from IE cookie store

    Note: if your authentication supports the auth session token being passed as a parameter, then you could also extend the jnlp "jar" tag to include the AUTHSESSION value, i.e.

    <jar href="your_jar.jar?AUTHSESSION=<session value>"/>
    

    For us this is not the case and the auth session must be provided as a cookie.
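
A variant of the servlet in step 3 that limits how long and where the persisted cookie is usable, as an added example that is not part of the original answer. It uses a plain `HttpServlet` instead of Spring and only performs the cookie step; the class name, the 120-second lifetime, the `/webstart` path and the HTTPS-only deployment are assumptions for illustration.

```java
import java.io.IOException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Added example: re-issues AUTHSESSION as a short-lived, path-scoped persistent cookie. */
public class ScopedCookieServlet extends HttpServlet {
    private static final String COOKIE_NAME = "AUTHSESSION";
    // Assumed values, not taken from the original answer.
    private static final int MAX_AGE_SECONDS = 120;          // long enough to start javaws
    private static final String RESOURCE_PATH = "/webstart"; // where the JNLP and jars live

    /** Returns the session value from the request cookies, or null if it is absent. */
    static String findSession(Cookie[] cookies) {
        if (cookies == null) {
            return null;
        }
        for (Cookie c : cookies) {
            if (COOKIE_NAME.equals(c.getName())) {
                return c.getValue();
            }
        }
        return null;
    }

    /** Builds the persistent copy: bounded lifetime, limited path, HTTPS only. */
    static Cookie persistentCopy(String session, String contextPath) {
        Cookie cookie = new Cookie(COOKIE_NAME, session);
        cookie.setMaxAge(MAX_AGE_SECONDS);           // expiry makes the cookie persistent
        cookie.setPath(contextPath + RESOURCE_PATH); // not sent to the rest of the site
        cookie.setSecure(true);                      // never sent over plain HTTP
        return cookie;
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        String session = findSession(req.getCookies());
        if (session == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED); // not logged in
            return;
        }
        if (!req.isSecure()) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);    // refuse to persist over HTTP
            return;
        }
        resp.addCookie(persistentCopy(session, req.getContextPath()));
        resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
    }
}
```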