0 Replies Latest reply on Oct 3, 2013 8:56 PM by chrisbitmead

    Tricky web authorization problem (web start)

    chrisbitmead

      I've got an app that has a Java web start application. If you don't know, web start is a Java program that downloads apps from web sites and automatically checks for updates.

      The problem is, if you use no authorisation, anybody can download the app from the internet, which the security folks here aren't too happy about.

      But if we use security, Java web start asks for user name and password every time you start the app, so it can check the web for updates... so it drives the users crazy.

      OK, so web start is stupid, but as a work around, I've seen that some people put cookies into the response when the JnlpDownloadServlet sends an app to people. Java Web Start is happy to store and return the cookie. So I could put user name and password in the cookie. Then in theory, something on the server could authorize the user via the cookies on subsequent occasions.

      So ignore for a moment the security wisdom of putting a username and password in the cookie. How can I get it to work with JBoss security?

      If I set authorization on the servlet in the normal manner, it won't check the cookie, and it will be rejected.

      On the other hand, if I leave no security on the servlet, then it will never ask for user name and password, not even the first time, thus I won't get the info, and I won't be able to set the cookie.

      I browsed around at JBoss custom authentication modules, but as far as I see, they are only custom methods for deciding if a user name and password are valid, rather than having any means to access the cookies to get the username and password instead of the normal means of popping up a dialog box to the user.

      And as a further problem, unless I'm missing something, even if the user is logged into the site and accesses my servlet, it doesn't even get an Authorization header so I can check the username, if the servlet doesn't have any restrictions on it. So I can't even get them to log in via one restricted servlet, then redirect them to my unrestricted servlet to try and handle stuff there.

      I could, I guess, just forget container authorization and try and do everything in my servlet for this task. But that's not ideal because (a) Java Web Start can't even prompt for username and password the first time unless it uses regular authentication and (b) they'd have to enter username and password in different ways on our web site, which wouldn't be ideal either.

      Can anybody give me any advice?