local jnlp overrules server!?! Security?

Joined: 2009-07-22


I deploy my app with JWS and I want to restrict some customers to specific version numbers.

At the beginning every customer had the same jar to download:

Now I tried to change the JNLP on the server to something like:

If I don't touch the client JNLP, it will always download the first version without a version number.
I tried to delete my JWS cache and set up a new JNLP, which was different from the one on the server, just like the example above.
1st startup: it "correctly" loaded the jar that is defined in the server JNLP (xyz-3.2.jar).
2nd startup: it loaded the jar that was defined in the local JNLP!

I don't think that this is correct, but I didn't find a way to force a specific download if I couldn't change the local JNLP.

Can someone please tell me if this is intended to be this way? Or is it a bug, a security vulnerability? Or is there some other way to only change a server JNLP and overrule the local one?

Joined: 2007-04-18

Can you post the entire JNLP file so that I can help you?

Joined: 2009-07-22

OK, here is an example:



The JNLP on the server looks something like this. I download this one to a local PC and execute it. Everything works fine.
But if I want to restrict a customer to a specific version, it is not working. I tried to change the jar element to "". But JWS loaded the jar that is defined in the local JNLP.

My question is whether this is intended to be this way.

Now that I know it works this way, I even use this "feature" to show customers test versions. I only change their local JNLP when I visit them, and change it back when I leave them. Works great.

But my problem is that I can't force them to download a specific version if I don't change their local JNLP. Or is there any other way?