Well, you are trying to protect your JARs from being downloaded ... but somehow the JARs are actually needed by the client to run the application.
So why should you care that anybody can access those JAR files by simply entering the URL in the browser that directly points to the JAR?
I mean any user that runs the Java-Webstart application will download it (programmatically) by the JNLP. So after that moment the file is on the disk of every client. Any user can now go to their temporary Internet files, and unzip the JAR to see the content.
The rule is that simple: Don't put any confidential data/passwords/auth-stuff in the JAR!
What we do for example to protect/auth is that we initialize the WebStart application in its init method with a SessionToken.
You can pass init-arguments in the JNLP file.
So you deliver a different JNLP file every time, one that contains a session-token in the init-arguments to validate the client when it registers with your remote services (if you have any).
I think creating the JNLP file by a servlet / on demand is a common usage scenario (and also the desired way to bring some session variables / auth stuff into the client).
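
The per-launch token scheme described in the reply above, as an added example that is not part of the original post or the poster's code: a servlet would call `issue` after the browser session is authenticated and send the output of `renderJnlp`, and the remote service would call `redeem` when the client registers. The class name, the in-memory store, the `<argument>` placement, the codebase URL and the main class are assumptions; it needs Java 17 or later.

```java
import java.security.SecureRandom;
import java.time.Instant;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Hypothetical helper: issues one-time launch tokens and renders a per-request JNLP.
public class JnlpTokenIssuer {
    private record Grant(String user, Instant expires) {}
    private static final SecureRandom RNG = new SecureRandom();
    private final Map<String, Grant> grants = new ConcurrentHashMap<>();

    // Server side, JNLP request: bind a fresh 256-bit random token to the logged-in user.
    public String issue(String user, long ttlSeconds) {
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        grants.put(token, new Grant(user, Instant.now().plusSeconds(ttlSeconds)));
        return token; // base64url alphabet only, so it needs no XML escaping
    }

    // Server side, client registration: a token is accepted once and only before expiry.
    public String redeem(String token) {
        Grant g = (token == null) ? null : grants.remove(token);
        return (g != null && Instant.now().isBefore(g.expires())) ? g.user() : null;
    }

    // Body a servlet would send as application/x-java-jnlp-file with Cache-Control: no-store.
    // The JAR stays public; only this generated file carries the secret, passed as an argument.
    public static String renderJnlp(String codebase, String token) {
        return """
            <?xml version="1.0" encoding="UTF-8"?>
            <jnlp spec="1.0+" codebase="%s">
              <information><title>Demo</title><vendor>Example</vendor></information>
              <resources><j2se version="1.8+"/><jar href="app.jar" main="true"/></resources>
              <application-desc main-class="com.example.Client"><argument>%s</argument></application-desc>
            </jnlp>
            """.formatted(codebase, token);
    }

    public static void main(String[] args) {
        JnlpTokenIssuer issuer = new JnlpTokenIssuer();
        String token = issuer.issue("alice", 120); // constructed sample user and lifetime
        System.out.print(renderJnlp("https://app.example.invalid/ws/", token));
        System.out.println("first redeem:  " + issuer.redeem(token));
        System.out.println("second redeem: " + issuer.redeem(token));
    }
}
```

Because the token is removed on first use, a JNLP file copied from a client's cache cannot be replayed to register a second client.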