
I have a problem with a Java Applet that I can't get to send the proper cookie. The flow is as follows:

[Image: web sequence flow]

Without the crossdomain.xml file on port 80 the Applet just refuses to do any CORS request at all, but with the crossdomain file the requests come through, BUT without any cookies. However, the client certificate is sent in the request.

It is also worth mentioning that the JNLP is downloaded from the same domain as the REST interface which should allow Java to communicate with that domain.

How can I make Java make the REST requests using cookies? The session cookie does not have the HTTP_ONLY or Secure flag enabled.

sideshowbarker
Martin K

1 Answer


Since the Java 6 Update 10 release (2008-10-15), unsigned applets can now make network connections to remote servers (servers that are different from the server that hosts the applet) using a special XML file called crossdomain.xml. That file must be accessible on the server that the applet is trying to connect to.

You have to sign your applet to make crossdomain requests.

Mikhail
  • Hi Mikhail and thank you for your answer. The applet is signed and the crossdomain request is made. However, the session cookie is not a part of the request. – Martin K Dec 15 '14 at 11:05
  • Some time ago I used to send cookies from an applet to WebLogic. Unfortunately the code is left at my previous employer. Could you show your code? And why do you think cookies are not sent? – Mikhail Dec 15 '14 at 11:20
  • Hi. The reason I know the cookies are not sent is because I have full control of the server and can trace the requests coming in :). However, if I move both the CDN and the REST server to the same domain, the request works and the cookies are sent. I also see these errors in the Java Console: ui: missing resource: java.util.MissingResourceException: Can't find resource for bundle com.sun.deploy.resources.Deployment, key Possible use of 'Secure' cookies blocked – Martin K Dec 15 '14 at 11:48
  • https://bugs.openjdk.java.net/browse/JDK-7194034?page=com.atlassian.streams.streams-jira-plugin:activity-stream-issue-tab – Mikhail Dec 15 '14 at 12:01
  • Right now we are downloading the JNLP from the REST server. Do you think it would make a difference if the JNLP and jar were downloaded from the CDN? – Martin K Dec 15 '14 at 12:31
  • I have never worked with CDNs. But in this case the request becomes not a crossdomain one. If I were you, I'd try a different JVM on the client side first, to be sure it's a bug. If you can restrict users to a concrete version, the problem is solved; if not, try to get rid of cookies by sending the session in a GET request. – Mikhail Dec 15 '14 at 12:44
  • That's how I interpret the documentation as well; the server that the JNLP comes from is the domain. Requests to that domain should not be considered crossdomain. But in this case they are?! – Martin K Dec 15 '14 at 12:50
  • I have tested several Java 7 and Java 8 versions, no big difference except different logging output in the Java console. – Martin K Dec 15 '14 at 12:51
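
One way to work around the missing cookie discussed in this thread is to set the `Cookie` header on the applet's own request. The following is an added example, not code from the question or the answer. The cookie name `JSESSIONID`, the host `rest.example.test`, the token format, the HTTPS-only check and the session id being handed to the applet (for example as an applet parameter) are all assumptions.

```java
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;
import java.util.regex.Pattern;

public final class SessionCookieRequest {
    // Assumption: cookie name and session id are plain tokens. Rejecting anything
    // else keeps CR/LF, ';' and '=' out of the header (no header/cookie injection).
    private static final Pattern NAME = Pattern.compile("[A-Za-z0-9_]{1,64}");
    private static final Pattern VALUE = Pattern.compile("[A-Za-z0-9._-]{16,128}");

    /** Builds the Cookie header value; throws if either part is not a plain token. */
    static String cookieHeader(String name, String sessionId) {
        if (name == null || !NAME.matcher(name).matches()) {
            throw new IllegalArgumentException("unexpected cookie name");
        }
        if (sessionId == null || !VALUE.matcher(sessionId).matches()) {
            throw new IllegalArgumentException("unexpected session id format");
        }
        return name + "=" + sessionId;
    }

    /** Prepares (does not send) a REST request that carries the session cookie. */
    static HttpURLConnection open(URL restUrl, String name, String sessionId)
            throws IOException {
        // Assumption: the REST endpoint is HTTPS. The cookie on this page has no
        // Secure flag, so the client refuses to put the session on plain HTTP.
        if (!"https".equalsIgnoreCase(restUrl.getProtocol())) {
            throw new IOException("refusing to send session over " + restUrl.getProtocol());
        }
        HttpURLConnection conn = (HttpURLConnection) restUrl.openConnection();
        conn.setRequestProperty("Cookie", cookieHeader(name, sessionId));
        return conn;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample values; nothing is sent because connect() is never called.
        URL url = new URL("https://rest.example.test/api/items");
        String sid = "c0n5truct3dSampl3Se55ionId";
        HttpURLConnection conn = open(url, "JSESSIONID", sid);
        System.out.println(conn.getURL() + " <- Cookie: " + cookieHeader("JSESSIONID", sid));
        try {
            cookieHeader("JSESSIONID", "abc\r\nX-Injected: 1"); // rejected by VALUE
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Carrying the session in a request header keeps it out of URLs, and therefore out of access logs and browser history, which a query-string parameter would not.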