On 08/07/2012 11:21 AM, Camille Bégnis wrote:
> On 07/08/2012 09:26, Hussein Shafie wrote:
>> On 08/06/2012 04:35 PM, Camille Bégnis wrote:
>>>
>>> we embed XXE as an applet, and all resources are secured thanks to HTTP
>>> authentication.
>>> So this is what our user goes through:
>>> 1) Web application authentication to connect to our Web interface
>>> 2) when clicking on the link to our applet, Java asks for authentication
>>> to access the JNLP
>>> INFO: 2012-08-06 14:18:46 127.0.0.1 - 127.0.0.1 9002 GET
>>> /workspaces/NeoDoc/xxe/applet/xxe.jnlp t=1344255523473 401 424 0 1
>>> http://localhost:9002 Mozilla/4.0 (Linux 3.3.6-desktop-2.mga2)
>>> Java/1.7.0_05 -
>>> 3) when opening the file through webdav, XXE asks for a third
>>> authentication.
>>>
>>> We already succeeded in removing the latter,
>>
>> My guess is that you have used the "-auth" command-line option for 3).
>
> Yes indeed, thanks to your help.
>
>>> do you see any means to remove the second?
>>>
>>
>> I'm sorry but we have no experience in removing 2), as this is not
>> directly related to our product.
>>
>> Maybe I'm naive but I wonder why you don't simply serve xxe.jnlp and
>> all the signed jars from an area of your HTTP server where access is
>> not controlled.
>
> Well, we are reluctant to offer XXE for free to the world...

Thanks!



> Does anyone on this list have another solution to propose?
>
> Though that's an option for a server behind a firewall.
>

If the "public" directory containing xxe.jnlp and all the signed jars 
has no index option and if the filenames of xxe.jnlp and all the signed 
jar files are mangled (e.g. xxe56x7az45.jnlp, xxe56x7az45.jar), I wonder 
how someone who is not one of your customers (that is, who has no 
access to the HTML page embedding the applet and hence, pointing to 
xxe56x7az45.jnlp) could obtain a copy of xxe jars.
 
--
XMLmind XML Editor Support List
[email protected]
http://www.xmlmind.com/mailman/listinfo/xmleditor-support
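
An added example, not part of the thread and not XMLmind's code: one way to produce the mangled file names proposed in the last message while keeping the JNLP descriptor consistent with them. It goes beyond the short suffix shown in the message by drawing a 128-bit token from the OS random source; the sample descriptor, the `resolver.jar` name, the codebase URL and the function names are constructed for illustration.

```python
import re
import secrets

# Constructed sample JNLP descriptor (not XXE's real file); only the href
# attributes matter here.
SAMPLE_JNLP = """<?xml version="1.0" encoding="UTF-8"?>
<jnlp spec="1.0+" codebase="https://example.com/public/" href="xxe.jnlp">
  <resources>
    <jar href="xxe.jar" main="true"/>
    <jar href="resolver.jar"/>
  </resources>
</jnlp>
"""

# href attribute of the <jnlp> root and of each <jar> element.
HREF = re.compile(r'(<(?:jnlp|jar)\b[^>]*?\bhref=")([^"]+)(")')

def mangle(name, token):
    """xxe.jar -> xxe-<token>.jar; the token is the only secret part."""
    stem, dot, ext = name.rpartition(".")
    return f"{stem}-{token}{dot}{ext}" if dot else f"{name}-{token}"

def publish_plan(jnlp_text, token=None):
    """Return (rewritten JNLP text, {original name: mangled name}).

    One token per deployment, 16 bytes from the OS CSPRNG, so the names
    cannot be found by enumeration. Renaming a signed jar does not touch
    its signature. Assumption: the main jar does not embed a signed copy
    of the descriptor, which would have to match the rewritten file.
    """
    token = token or secrets.token_hex(16)
    renames = {}

    def rewrite(match):
        original = match.group(2)
        renames.setdefault(original, mangle(original, token))
        return match.group(1) + renames[original] + match.group(3)

    return HREF.sub(rewrite, jnlp_text), renames

if __name__ == "__main__":
    new_jnlp, renames = publish_plan(SAMPLE_JNLP)
    for old, new in renames.items():
        print(f"copy {old} -> public/{new}")
    print(new_jnlp)
```

The authenticated HTML page that embeds the applet must then link to the mangled `.jnlp` name from the returned mapping, and the public directory keeps directory indexing off, as the message describes.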
