After nearly spending two days on that problem I figured it out, hopefully helping others with that. The explanation:
- My applet runs in the context of a protected web application where a user needs to login with a form login first.
- After doing so, a session cookie is created and sent back to the client/browser.
- Since I switched from tomcat 6 to tomcat 7 the useHttpOnly policy for cookies is enabled by default which was disabled for all tomcat versions prior tomcat 7. The HttpOnly flag instructs browsers to prevent access to those cookies from JavaScript/Plugins (security reasons e.g. cross site scripting etc).
- Now since the java plugin couldn't access the cookie it didn't sent it to the server when requesting the JNLP file.
- the server returns the loginpage for all unauthorized request.
- Last but not least the JNLP parser was looking for the
<jnlp>
structure and couldn't find any - so the above error was generated.
So how can that be prevented?
- Disable the useHttpOnly flag in tomcat globally
- Disable the useHttpOnly flag for a webapplication (which I did). To do that add a context.xml file in the META-INF of your webappication which contains the following line
<Context path="/" cookies="true" useHttpOnly="false"/>
Now why the IE10 seems to ignore the httponly flag is a open question i can live with ;-)