Hi Gregory,
It's good to see some focus on security issues for Spectrum, that's always welcome!
However - protecting the JNLP file with auth while not protecting the .jar files that make up the application the same way makes it quite meaningless.
But taking steps forward on security is key, especially with the scrutiny that NMS systems will face in the wake of the SolarWinds incident.
I'd love to see some STIG/hardening guides for Spectrum being released!
Original Message:
Sent: 04-15-2021 03:46 PM
From: Gregory Polenta
Subject: Accessing oneclick.jnlp now requires authentication, why?
Hello Johan,
The oneclick.jnlp is now auth protected due to security concerns that were raised around this. This has fallen into the security tightening and vulnerability fixes that are taking place. This is mentioned in the Spectrum 10.4.3 (20.2.7) features and enhancements.
https://techdocs.broadcom.com/us/en/ca-enterprise-software/it-operations-management/spectrum/10-4-3/release-information/features-and-enhancements.html#concept.dita_74630ff8e83cd59592f994d76127c7a97e847997_FixedVulnerabilities
- Added security-constraint to restrict the user to download the JNLP file without login
Original Message:
Sent: 04-13-2021 10:51 AM
From: Johan Hedlund
Subject: Accessing oneclick.jnlp now requires authentication, why?
After upgrading to 10.4.3 I noticed that all prior desktop shortcuts to launch Spectrum didn't work anymore.
Turns out that from 10.4.3 the oneclick.jnlp java webstart file is now auth protected, so javaws will throw an exception due to not being able to access it.
This is also stated here: JNLP Exception: Server returned HTTP response code: 401 When Launching the OneClick Console From a Shortcut
However it's only the oneclick.jnlp file that is auth protected, all the jar-files listed in the JNLP are accessible without auth.
What is the reasoning behind this change that probably breaks a lot of shortcuts for organizations?
It also breaks prior technotes such as this https://knowledge.broadcom.com/external/article/113032/how-to-create-desktop-icon-for-launching.html
Is it possible to exempt the oneclick.jnlp from auth protection?
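The gap both posts describe (the JNLP descriptor answers 401 without a session, but the jars it lists are served to anyone) is easy to verify from the outside. The script below is an added example written for this thread; it is not Spectrum code and nothing in it comes from Broadcom. It parses a saved JNLP file, resolves every jar, nativelib and extension href against the codebase the way javaws does, and sends an unauthenticated HEAD request to each, reporting which resources are still fetchable without login. The sample JNLP, the host spectrum.example.invalid and the path layout under it are constructed for illustration.

```python
"""Audit whether a JNLP launch file and every jar it references require
authentication.  Added example for this thread, not Spectrum's own code;
the sample descriptor, host name and paths are constructed assumptions."""
from __future__ import annotations

import sys
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET
from typing import Callable, Optional
from urllib.parse import urljoin

# Constructed sample descriptor shaped like a typical Java Web Start JNLP.
SAMPLE_JNLP = """<?xml version="1.0" encoding="utf-8"?>
<jnlp spec="1.0+" codebase="https://spectrum.example.invalid/spectrum" href="oneclick.jnlp">
  <information><title>OneClick</title><vendor>example</vendor></information>
  <resources>
    <j2se version="1.8+"/>
    <jar href="lib/oneclick.jar" main="true"/>
    <jar href="lib/util.jar"/>
    <extension name="ext" href="ext.jnlp"/>
  </resources>
</jnlp>"""


def referenced_urls(jnlp_text: str) -> list[str]:
    """Absolute URLs of every <jar>, <nativelib> and <extension> the JNLP pulls in.
    Relative hrefs are resolved against the codebase attribute, as javaws does."""
    root = ET.fromstring(jnlp_text)
    codebase = root.get("codebase", "")
    if codebase and not codebase.endswith("/"):
        codebase += "/"
    urls: list[str] = []
    for tag in ("jar", "nativelib", "extension"):
        for el in root.iter(tag):
            href = el.get("href")
            if href:
                urls.append(urljoin(codebase, href))
    return urls


def classify(status: Optional[int]) -> str:
    """Verdict for an HTTP status obtained with NO credentials attached."""
    if status in (401, 403):
        return "protected"
    if status == 200:
        return "unprotected"
    return "unknown"


def probe(url: str, timeout: float = 5.0) -> Optional[int]:
    """HEAD the URL without credentials; return the HTTP status, or None on error."""
    req = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code
    except (urllib.error.URLError, OSError):
        return None


def audit(jnlp_url: str, jnlp_text: str,
          fetch: Callable[[str], Optional[int]] = probe) -> dict[str, str]:
    """Map the JNLP URL and every resource it references to a verdict."""
    report = {jnlp_url: classify(fetch(jnlp_url))}
    for url in referenced_urls(jnlp_text):
        report[url] = classify(fetch(url))
    return report


def unprotected(report: dict[str, str]) -> list[str]:
    """Resources that were served with 200 to an unauthenticated request."""
    return sorted(url for url, verdict in report.items() if verdict == "unprotected")


if __name__ == "__main__":
    # Usage: python audit_jnlp.py <saved oneclick.jnlp> <URL the JNLP is served from>
    # The descriptor itself must be saved after logging in, since it now needs auth.
    if len(sys.argv) != 3:
        sys.exit("usage: audit_jnlp.py <jnlp file> <jnlp url>")
    with open(sys.argv[1], encoding="utf-8") as fh:
        text = fh.read()
    result = audit(sys.argv[2], text)
    for url, verdict in result.items():
        print(f"{verdict:12} {url}")
    if unprotected(result):
        print(f"\n{len(unprotected(result))} resource(s) fetchable without login")
```

Run it against a copy of the descriptor saved from a logged-in browser session; a "protected" verdict on the JNLP alongside "unprotected" on its jars reproduces exactly the situation the thread describes. The fetch callback is injectable so the parsing and reporting can be exercised offline.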