deployment.assumeFileSystemInCodebase?

The public knowledge pool and discussion forum of the OWS community. Do not post confidential information here!
javaapp
Posts: 39
Joined: 20 May 2020, 18:34

deployment.assumeFileSystemInCodebase?

Post by javaapp »

I'm trying to understand the configuration property "deployment.assumeFileSystemInCodebase". This /configuration page says "Defines if files from the local filesystem are always handled as if they would be part of the codebase."

I don't really understand this. In my experience, all of the files needed to run a WebStart app are listed in the jnlp file and downloaded from the trusted host defined in the jnlp file. When/how would there be local files that need to be made part of an app's codebase?

Thanks!

Hendrik Ebbers

Re: deployment.assumeFileSystemInCodebase?

Post by Hendrik Ebbers »

Hi,
more information about the property and behaviour: https://github.com/karakun/OpenWebStart/issues/106

javaapp
Posts: 39
Joined: 20 May 2020, 18:34

Re: deployment.assumeFileSystemInCodebase?

Post by javaapp »

Hmm thanks for the link, but I'm afraid I still do not understand. Does this option make a local jnlp file become trusted?

If so, how else does OWS work if it cannot trust a local jnlp? I ask because (with older or more lenient browsers) using the old Java WebStart, the browser plugin could invoke Java WebStart directly; it was not necessary for the user to download and then double-click on the downloaded jnlp file.

Now that browser plugins are no longer used, it is my belief that OWS can only activate against jnlp files that have been downloaded and double-clicked by the user. Perhaps I am ignorant and there is another use case?

It seems likely that I am still misunderstanding the "assumeFileSystemInCodebase" setting

javaapp
Posts: 39
Joined: 20 May 2020, 18:34

Re: deployment.assumeFileSystemInCodebase?

Post by javaapp »

Peeking at the IcedTea-Web code, it looks like "assumeFileSystemInCodebase" setting allows you to specify "file://" urls in the jnlp and to treat those resources as secure (as if they came from the trusted codebase). Is this correct?

Stephan Classen
Posts: 232
Joined: 27 Mar 2020, 09:55

Re: deployment.assumeFileSystemInCodebase?

Post by Stephan Classen »

Yes this setting you are looking for

javaapp
Posts: 39
Joined: 20 May 2020, 18:34

Re: deployment.assumeFileSystemInCodebase?

Post by javaapp »

Thanks. FYI we do not use this "local file" capability, we just wanted to be clear on its functionality. which you've clarified. Seems a bit dodgy to trust local content IMO

Post Reply