I ended up with three jnlp files:
- server-a/a.jnlp - refers to my main application jar file
- server-b/b.jnlp - refers to the third party jar file
- server-a/c.jnlp - refers to javax-mail jar file
All jar files are signed, all jnlp files contain a security tag (all-permissions). A deployment rule set is set up to allow loading the web application from server-a and server-b without security prompts.
The application loads fine, but when log4j is initialized from within the main class, it throws a ClassNotFoundException for javax/mail/internet/AddressException.
I've tried the following already:
- upgraded Oracle Java to latest 1.8.x version (currently 1.8.0u161)
  - no change
- tried with OpenJDK (1.8.0_151-8u151-b12-1~deb9u1-b12)
  - app loads and runs fine
- replaced the giant third party jar by only a signed version of log4j
  - app loads and runs fine (except I'm missing the functionality from the third party jar)
- modified and resigned the giant third party jar to not include log4j and provided log4j separately (through a.jnlp or c.jnlp)
  - log4j initializes fine, but the third party code can no longer access log4j
So it seems that something in that giant jar causes the Oracle version of Webstart to deny access from code that lies within that jar to any classes outside of that jar...
My thought: it must be something in the third party jar's manifest file.
Found the following item:
Trusted-Library: true
See: https://docs.oracle.com/javase/8/docs/technotes/guides/deploy/manifest.html#A1148631
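To find which jars in a deployment carry this attribute, the manifest's main section can be read directly. The following is an added example, not part of the original post: the jar names and manifest contents are constructed samples, and the check assumes the attribute only counts when it appears in the main section (before the first blank line).

```python
import io
import zipfile

MANIFEST = "META-INF/MANIFEST.MF"

def parse_main_attributes(manifest_bytes):
    """Return the main-section attributes of a JAR manifest (names lowercased)."""
    text = manifest_bytes.decode("utf-8", errors="replace")
    lines = []
    for raw in text.replace("\r\n", "\n").replace("\r", "\n").split("\n"):
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # continuation of a wrapped 72-byte line
        elif raw == "":
            if lines:
                break                     # first blank line ends the main section
        else:
            lines.append(raw)
    attrs = {}
    for line in lines:
        name, sep, value = line.partition(": ")
        if sep:
            attrs[name.lower()] = value   # attribute names are case-insensitive
    return attrs

def is_trusted_library(jar):
    """jar: path or file-like object. True if the main section sets Trusted-Library: true."""
    with zipfile.ZipFile(jar) as zf:
        try:
            data = zf.read(MANIFEST)
        except KeyError:                  # jar without a manifest
            return False
    return parse_main_attributes(data).get("trusted-library", "").strip().lower() == "true"

def make_jar(manifest_text):
    """Build a constructed in-memory jar that holds only a manifest."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(MANIFEST, manifest_text)
    buf.seek(0)
    return buf

# Constructed sample manifests (hypothetical names, not the jars from the post).
SAMPLES = {
    "third-party.jar": "Manifest-Version: 1.0\r\nClass-Path: lib/one.jar lib/two.jar lib/three.jar lib/four.jar lib/fi\r\n ve.jar\r\nTrusted-Library: true\r\n\r\nName: com/example/Foo.class\r\nSHA-256-Digest: AAAA\r\n",
    "main-app.jar": "Manifest-Version: 1.0\r\nPermissions: all-permissions\r\n\r\n",
    "per-entry-only.jar": "Manifest-Version: 1.0\r\n\r\nName: com/example/Foo.class\r\nTrusted-Library: true\r\n",
}

def scan(samples=SAMPLES):
    return {name: is_trusted_library(make_jar(text)) for name, text in samples.items()}
```

For real files, pass each jar's path to `is_trusted_library` instead of the in-memory samples.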