Embedding basic http authentication credentials in JNLP file

Similar Messages

• Basic http authentication not working when consuming Web Service in BPEL.

  Hi,
  I am consuming an AXIS Web Service from BPEL 10.1.3. The Web Service uses basic http
  authentication so we need a way to get username and password into the http
  header. In the Oracle BPEL Process Manager Administrator's Guide 10g
  (10.1.3.1.0) section 1.3.4.1 HTTP Basic Authentication (10.1.2.0.2) is stated
  that this can be done using the properties httpUsername and httpPassword. I
  have set the 2 for the partner link in bpel.xml but username and password does
  not get in to the http header. Has anybody got an idea?
  Regards Pete

  I'm having the same sorts of problems with 10.1.3.1.0. I've got a deployed BPEL suitcase that's trying to hit a BASIC AUTH-secured web service running on a WebLogic 8.1 server. I've set up my partner link according to the documentation, and the BPEL console Descriptor tab even shows the parameters correctly:
  partnerLinkBindings      
  client      
       wsdlLocation      awardService.wsdl
  spsAwardSubmitPartnerLink      
       basicHeaders      credentials
       basicUsername      ko1
       basicPassword      xxxxx
       wsdlLocation      IAwardDraftServiceRef1.wsdl
  However, when I funnel the resultant call to the endpoint specified in IAwardDraftServiceRef1.wsdl, none of the fields I would expect show up in the HTTP header:
  POST /pd2WebServices/service/IAwardDraftService HTTP/1.1
  Host: vm-orcl-app-srv:4444
  Connection: Keep-Alive, TE
  TE: trailers, deflate, gzip, compress
  User-Agent: Oracle HTTPClient Version 10h
  SOAPAction: ""
  Accept-Encoding: gzip, x-gzip, compress, x-compress
  Content-type: text/xml; charset=UTF-8
  Content-length: 3800
  <?xml version="1.0" encoding="UTF-8"?>
  <env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><env:Body><IAwardDraftSubmitNew xmlns="http://www.caci.com/pd2/pub">
  <IAwardDraft>
  <accessController/>
  <agreementEndDate/>
  Is there some other configuration piece I'm missing?? I've tried the other variation using httpBasicHeaders, with the same results. I even noted that the "Oracle® BPEL Process Manager Administrator's Guide" says that "Starting with Oracle BPEL Process Manager release 10.1.3, all partner link properties are automatically propagated into the HTTP header." I've tried putting "extra" parms in the partner link bindings, but they don't show up either.
  What am I missing??
  Thanks,
  Mike

• Internationalizing Basic HTTP authentication browser dialog for UserID

  Is it possible to have multibyte user ID for Basic HTTP authentication? Based on RFC2617 user ID has to be *Text, which basically is ASCII. But I thought maybe someone has a workaround for this limitation. Our entire web app is internationalized, we use UTF-8 as encoding for JPS pages and request processing, and that all works fine, but there is one area where we use Basic HTTP authentication, and so far I was not able to find a way to internatianalize that. Once the resource is reqested, we process request in the servlet and if the user is not authenticated we send authentication challenge response to the browser. Response encoding is set to UTF-8. After user enters the credentials, I process those in the same servlet , again using UTF-8. Of course when I tried to input the japanese ( multibyte)userID, the authentication is failing. I think the browser is corrupting DBCS data once it Base64 encodes it... Does anyone have ideas whether it is possible to internationalize this at all?

  You'll probably need your own ServletFilter to process the authentication header, since servers will mostly decode headers in the locale encoding, regardless of any charset in the Content-type header of the request. Getting browsers to use UTF-8 encoding before base64 might be a bit tricky though.
  It is probably better to use form based login. The procedure for getting UTF-8 encoded form parameters is a well understood FAQ for this forum.

• JAAS NTLoginModule for basic http authentication

  Hi all,
  Can someone point me to the right direction on this subject? I'd like to use JAAS' NTLoginModule to get a user's credentials, then use those credentials to authenticate the user into something that requires a basic http authentication... specifically, a domino web service. (I don't want the user to have to type in his/her password).
  First, is this even doable? and Second, what would I need to do to get this working?
  Thanks in advance.

  I am using IIS 6 with Windows Integrated Authentication which passes all HTTP requests to Tomcat 5.5 for processing via the ISAPI plug-in jk1.2 It does nothing else. Don't ask the obvious, I can't tell you. It just is.
  I have a new requirement for a new web application on our intranet. I would like to be able to identify my users without them typing anything in. How can I capture any part of the Window's user credential's from within my Java web application on Tomcat?
  I'm looking at HttpServletRequest.getRemoteUser() and HttpServletRequest.getUserPrincipals() and I'm thinking I can (minus establishing my own Tomcat realms, etc...).
  Any thoughts? Even if you don't know how, just tell me if you know this can be/is being done somewhere.

• Basic HTTP Authentication

  Hi everyone,
  I'm trying to make a portal/gateway environment where a user can be automatically logged in other applications using Basic HTTP Authentication.
  To do this I have enabled the Basic HTTP Authentication in the psconsole (under Secure Remote Access > default > Core).
  I have also added a couple of LDAP attributes in the Portal LDAP: sunPortalGatewayWWWAuthorization.
  Are these the only two steps needed? Or am I forgetting something?
  Could someone tell me how the values in the sunPortalGatewayWWWAuthorization can be formed? I am currently using someone else's code, which used to work on a Portal Server 6 environment. I'm not sure if I understand well how those Basic Authentication values are formed.
  Thanks a lot!
  Sten

  Thank you Yvan, for your reply.
  I have looked at the Access Manager in the old environment, and did not see any SSO functionality being enabled.
  The old environment does not have a psconsole, so I was not able to check the settings over there.
  What bothers me, is that I do not know what kind of values should be stored in the sunPortalGatewayWWWAuthorization attribute. A basic http authentication string would look like this: Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
  (This would be a Base64 encoding of Aladdin:open sesame).
  But in the Portal LDAP it seems that everything is encoded in Base64. As far as I understand the code is doing the following:
  - Make-up string: "+hostname+|Authorization: Basic +username+:+password+"
  - additionally, it looks like the whole string is being encrypted too, using a PBEWithMD5andDES algorithm
  Is this a requirement for the Gateway? Or is this for some kind of security reason? And is this correct?
  Thanks,
  Sten

• Performing Basic HTTP Authentication on the iPhone

  Hi,
  I need to perform a HTTP Request with Basic Authentication on the iPhone. To perform the request I use the NSURLConnection and NSMutableURLRequest. The request basically works but I can't get the authentication working. Is there a "convenient" way to do HTTP authentication or do I have to do it by hand?
  Best regards,
  Michael

  Ok thanks - that explains it:
  From the Apple article: "
  Note: Touch ID cannot be used for purchases if Require Password in Settings > General > Restrictions is set to Immediately."
  Not sure why - but clearly intentional.

• Embedding HTTP Authentication credentials in SAP

  Hi everybody,
  I am facing a particular issue: in an ABAP program, I must call a method in a web service.
  I proceed with the creation of a proxy and of a logical port and everything is working fine.
  The issue is that during the communication, system asks for credentials (user/pwd).
  Is there a way to embed it into code? Or are there other solutions to avoid the auth with user/pwd?
  (I read about SAP logon, but I am pretty sure server has not been done with Netweaver).
  Thanks and Regards,
  Francesco

  Hi everybody,
  I manage to do almost all (I suppose), but I need last help.
  Through SM59 I created the HTTP Destination needed; then, I implemented the code given by SAP here:
  http://help.sap.com/saphelp_47x200/helpdata/en/2d/64d053e74911d6b2e400508b6b8a93/content.htm
  I ran the program, and it gives me the error: "Binder not found for soapAction = null.
  I suppose that I should give the link to the soapAction, but I don't know where in the code.
  Have you any idea?
  Thanks and Regards,
  Francesco

• Removing Basic HTTP Authentication required by Adapter Engine

  Hi guys,
  can you please help me with this issue? I'm sending a SOAP requests to PI but I need to remove required authentication by WAS as the sending system is not able to provide username and password.
  Thank you,
  Peter

  Peter,
  AFAIK if you remove authentication, it will remove it for all the SOAP scenarios and cannot be achieved for a single scenario.
  Check the reply from Bhavesh in this thread:
  Re: SOAP User ID/Password  - Authoraization
  If you want to refer more similar threads check this:
  https://forums.sdn.sap.com/search.jspa?threadID=&q=%22remove+authentication%22&objID=f44&dateRange=all&numResults=15&rankBy=10001
  Regards,
  Neetesh

• Jnlp file called multiple times

  We're trying to pass HTTP parameters to our JNLP file (which is created by a .jsp file). When we run webstart from the command line (or a a web page), it seems like the JNLP file gets called multiple times. The first time our parameters are there, after that they are not. Why does webstart call the JNLP file multiple times? Has anyone else seen this.
  We're running Tomcat 4.x on Linux.
  From the command line we typed:
  javaws "http://localhost/helloWorld.jsp?hello=1&world=2"
  Tomcat Output:
  DEBUG: hello=1&world=2
  DEBUG: null
  DEBUG: null
  DEBUG: null
  DEBUG: null
  DEBUG: null
  DEBUG: null
  DEBUG: null
  JSP File:
  <!DOCTYPE html PUBLIC
  "-//W3C//DTD XHTML 1.0 Strict//EN"
  "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
  <%@ page contentType="application/x-java-jnlp-file" %>
  <?xml version="1.0" encoding="utf-8"?>
  <jnlp
  spec="1.0+"
  codebase="http://localhost"
  href="http://localhost/helloWorld.jsp">
  <information>
  <title>Hello World</title>
  <vendor>Nobody</vendor>
  <application-desc>Hello World Application</application-desc>
  </information>
  <resources>
  <j2se version="1.3+"/>
  <jar href="lib/helloWorld.jar" main="true"/>
  </resources>
  <application-desc main-class="test.HelloWorldApp"/>
  </jnlp>
  <% System.out.println("DEBUG: " + request.getQueryString()); %>
  Hello World Source:
  package test;
  import javax.swing.*;
  import java.awt.*;
  import java.awt.event.*;
  public class HelloWorldApp {
  public static void main(String[] args) {
  JFrame frame = new JFrame("Hello World");
  frame.getContentPane().add(new JLabel("Hello World", JLabel.CENTER), BorderLayout.CENTER);
  frame.addWindowListener(new WindowAdapter() {
  public void windowClosing(WindowEvent e) {
  System.exit(0);
  frame.setSize(200,150);
  frame.setVisible(true);
  }

  I am seeing this exact same problem, also creating the JNLP via a JSP. Any input would be greatly appreciated.

• HTTP authentication via reverse proxy

  Hi,
  I've taken a dig around the interface for the 4.0.4 web proxy and in the documentation but haven't come up with much so far.
  What I want to do is configure a reverse proxy so that it feeds the HTTP authentication credentials into the server when we reverse from the proxy to it.
  i.e.
  user --> revproxy --> (http_details) --> webserver
  The user wont enter these, they'll be somehow if possible, be configured into the reverse proxy so it knows what HTTP realm string to match to a target host and feed the credentials into it.
  Is this possible?

  Since it is just a matter of adding Authorization header, it is possible.
  look around for other discussions for adding headers.

• Http authentication code

  how to generate basic http authentication code of type digest(auth_type="digest") using jdeveloper,

  When the following code is used to authenticate the HTTP send request using "digest" authentication type. It gives the error below.
  // authentication code
  Properties props = new Properties();
  props.put(OracleSOAPHTTPConnection.AUTH_TYPE, "digest");
  props.put(OracleSOAPHTTPConnection.USERNAME, "userid");
  props.put(OracleSOAPHTTPConnection.PASSWORD, "password");
  m_httpConnection.setProperties(props);
  //Error
  [SOAPException: faultCode=SOAP-ENV:IOException; msg=&quot;WWW-Authenticate&quot; header is incorrect; targetException=java.io.IOException: "WWW-Authenticate" header is incorrect]
       at org.apache.soap.SOAPException.<init>(SOAPException.java:78)
       at oracle.soap.transport.http.OracleSOAPHTTPConnection.send(OracleSOAPHTTPConnection.java:765)
       at org.apache.soap.messaging.Message.send(Message.java:125)
       at mypackage1.SampleStub.Sample(SampleStub.java:184)
       at mypackage1.SampleStub.main(SampleStub.java:57)

• Safari 5.1 HTML5 HTTP basic access authentication issue video does not load

  I have a .m4v video referenced in a page with the HTML5 video tag in a folder which is in a password protected folder housed on iPage.
  Safari 5.0.5 plays the video fine.  Safari 5.1 fails to load/play the video in the protected folder.  If I move the video to a not protected folder, Safari 5.1 plays it fine.
  This is on iPage.  Back on MobileMe all is fine with 5.1.
  I think this is a HTTP basic access authentication issue with 5.1.
  Anyone have similar issue? Work around?

  Yes, I can also confirm this behaviour. This is in Safari 5.1.1, but I also see the exact same thing in WebKit nightlies.

• Console does not launch OVM 3.1.1, Win7x32 Firefox15/IE8 - Empty .jnlp file

  I have installed Oracle VM Manager 3.1.1, and two Oracle VMS servers; all seems to have gone pretty well after some learning curve. After success here, I created Clone of the most recent PeopleTools 8.5.2 and PeopleSoft HCM templates, and was able to start those machines. (Or at least, the Virtual Machine status shows "Running..." - read on.)
  However, when I try to launch the console, I get no success. First, when accessing the VMM server over HTTPS (port 7002), Java doesn't even try to start. Instead, basically, I get a screen blink and nothing else when I try to Launch Console from HTTPS. But when using HTTP:myVMM:7001, I get further. The Java logo appears briefly, and then I get "Application Error - Unable to launch the application" dialog. When I click on Details, I see the following under the Exception tab:
  JNLParseException[ Could not parse launch file. Error at line 0.]
       at com.sun.javaws.jnl.XMLFormat.decode(Unknown Source)
       at com.sun.javaws.jnl.XMLFormat.parse(Unknown Source)
       at com.sun.javaws.jnl.LaunchDescFactory.buildDescriptor(Unknown Source)
       at com.sun.javaws.jnl.LaunchDescFactory.buildDescriptor(Unknown Source)
       at com.sun.javaws.jnl.LaunchDescFactory.buildDescriptor(Unknown Source)
       at com.sun.javaws.Main.launchApp(Unknown Source)
       at com.sun.javaws.Main.continueInSecureThread(Unknown Source)
       at com.sun.javaws.Main$1.run(Unknown Source)
       at java.lang.Thread.run(Unknown Source)
  Looking further into this, the .jnlp that's presented to JAVA by Launch Console is zero bytes in length. What might cause the .jnlp file to be empty?

  Thank you very much for your rapid reply, SPA2! It's encouraging!
  You named the file correctly, and there is only one ovm_rasproxy-ws.jnlp on the system. It is at /u01/app/oracle/ovm-manager-3/machine1/base_adf_domain/servers/AdminServer/tmp/_WL_user/ovm_core/tgzc2b/war/ovm_rasproxy-ws.jnlp. It is not empty - has a size of 1028 bytes, and the contents are listed at the bottom of this message.
  I don't know how to start the vncviewer directly from the OVM Manager machine. I did install the package (twice, in fact... and the second time stated "package tightvnc-java-1.3.9-3.noarch is already installed" There are no executables in the tightvnc-java-1.3.9-3.noarch.rpm package, and I have not found indication of what the URL would be. Can you help with that?
  Trying to find the version of Java from http://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=2&cad=rja&ved=0CCwQFjAB&url=http%3A%2F%2Fwww.java.com%2Fen%2Fdownload%2Finstalled.jsp&ei=cFyOUL6OHpHo8QSrn4GIBg&usg=AFQjCNH6zuZGOL1prgUuefMNfg4eSpEOjQ I see "Something is wrong. Java is not working." So I uninstalled and reinstalled Java. Now it is Java 7 Update 9.
  Also - to further check this out, I did Save instead of Open from Firefox (IE does not give that option). Firefox saved a 0 byte file. I really appreciate the help.
  Contents of ovm_rasproxy-ws.jnlp:
  <?xml version="1.0" encoding="UTF-8"?>
  <jnlp spec="1.0+" codebase="${Scheme}://${Server}:${ServerPort}/ovm/rasproxy/"
  href="ovm_rasproxy-ws.jnlp?${RequestUri}">
  <information>
  <title>Oracle VM Remote Access Service</title>
  <vendor>Oracle</vendor>
  <homepage>http://support.oracle.com/</homepage>
  </information>
  <resources>
  <!-- Application Resources -->
  <j2se version="1.5+"
  href="http://java.sun.com/products/autodl/j2se" />
  <jar href="ovm_rasproxy-signed.jar" main="true" />
  <jar href="commons-logging-1.1.1.jar" />
  </resources>
  <application-desc main-class="com.oracle.ovm.ras.proxy.RasProxyApplet">
  <argument>-server</argument>
  <argument>${Server}</argument>
  <argument>-service</argument>
  <argument>${Serviceid}</argument> <!--dynamic-->
  ${Credentials}
  </application-desc>
  <security>
  <all-permissions/>
  </security>
  <update check="always"/>
  </jnlp>
  Edited by: Dennis Lovelady on Oct 29, 2012 3:32 AM
  Edited by: Dennis Lovelady on Oct 29, 2012 3:36 AM to answer about installation of tightvnc and about Java version
  Edited by: Dennis Lovelady on Oct 29, 2012 4:10 AM

• ".. access denied: ... jnlp read" error in applet with NO .jnlp file!

  I'm trying to embed a Java program called ImageJA [http://pacific.mpi-cbg.de/wiki/index.php/ImageJA] into a webpage. I'm using ASP.NET with XHTML 1.0. Since I'm embedding it as an object in the html code, it should not cause any issues from that end. Unforunately, when I try I get an error saying "java.security.AccessControlException: access denied (java.util.PropertyPermission jnlp read)". The weird thing is, there is no jnlp file anywhere (including the .jar and codebase).
  I'm able to run it successfully if I change the permissions in my java.policy file, but that solution only works for my local machine.
  The .jar file (the only one) has been signed (I believe). I followed the steps as suggested [http://download.oracle.com/docs/cd/E17476_01/javase/1.4.2/docs/guide/plugin/developer_guide/rsa_signing.html], with the exception of contacting VeriSign/Thawte (I wish to have this be self signed).
  This seems like a very odd issue to me, and I'm running out of hair. Can anyone help?
  Here's my html code:
  <html xmlns="http://www.w3.org/1999/xhtml" >
  <head runat="server">
  <title>Untitled Page</title>
  </head>
  <body>
  <form id="form1" runat="server">
  <div>
  <object
  classid = "clsid:8AD9C840-044E-11D1-B3E9-00805F499D93"
  codebase = "[http://java.sun.com/update/1.5.0/jinstall-1_5-windows-i586.cab]"
  width="500" height="500">
  <param name = "code" value = "ij.ImageJApplet.class" />
  <param name = "codebase" value = "ImageJA" />
  <param name = "archive" value = "ij-1.44a.jar" />
  <param name="type" value="application/x-java-applet;jpi-version=1.4.2" />
  <param name="scriptable" value="true" />
  </object>
  </div>
  </form>
  </body>
  </html>
  Edited by: Sythion on Jul 13, 2010 2:19 PM

  Sythion wrote:
  I'm trying to embed a Java program called ImageJA [http://pacific.mpi-cbg.de/wiki/index.php/ImageJA] ..
  I suggest you take up the problem through the [channels suggested by the API developers|http://pacific.mpi-cbg.de/wiki/index.php/Help:Contents].

• Always prompted to save JNLP file

  Hello! We have a simple servlet that basically just queries a few things off of the HttpServletRequest and spits back a dynamically generated JNLP file. For some reason, when we were running with Tomcat 4.0.6 this worked fine, but with the upgrade to Tomcat 4.1.29 it does not. IE always prompts to open or save the file - it never just launches JWS automatically anymore.
  Any suggestions on what we can fix? I'll put the interesting parts of the servlet below.
  Thanks in advance!
  -Angelina
  Servlet:
  public class JNLPServlet extends HttpServlet{
      public void doGet(HttpServletRequest request, HttpServletResponse response)
         throws IOException, ServletException {
          try {          
              response.setHeader("Cache-Control", "public");
              response.setContentType("application/x-java-jnlp-file");
              String sessionId = getSessionId(request);
              ServletOutputStream out = response.getOutputStream();
              java.net.InetAddress[] hostNetAddrs =
                            java.net.InetAddress.getAllByName(request.getServerName());
              String hostIpAddr = hostNetAddrs[0].getHostAddress();
              out.println(generateJNLP(sessionId, request.getServerName(),
                                       hostIpAddr, request.getRemoteUser()));
              out.flush();          
          catch (IOException ex) {
              response.sendError(javax.servlet.http.HttpServletResponse.
                                 SC_SERVICE_UNAVAILABLE, ex.getMessage());
          catch (Exception ex) {
              response.sendError(javax.servlet.http.HttpServletResponse.
                                 SC_INTERNAL_SERVER_ERROR, ex.getMessage());
      protected String generateJNLP(String sessionId, String host, String ip, String userName){
          StringBuffer buf = new StringBuffer();
          buf.append("<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n");
          buf.append("<jnlp spec=\"1.0+\" codebase=\"http://" + ip + ":80/cmv2/\">\n");
          buf.append("<information>\n");
          buf.append("<title>App V2.3 on " + host + "</title>\n");
          buf.append("<vendor>EMC Corporation</vendor>\n");
          buf.append("<homepage href=\"http://www.emc.com\" />\n");
          buf.append("<description>Program for monitoring performance.");
          buf.append("</description>\n");
          buf.append("<icon href=\"cm.gif\" width=\"32\" height=\"32\" depth=\"3\" size=\"1k\" />\n");
          buf.append("<offline-allowed />\n");
          buf.append("</information>\n");
          buf.append("<security>\n");
          buf.append("<all-permissions />\n");
          buf.append("</security>\n");
          buf.append("<resources>\n");
          buf.append("<j2se version=\"1.4+\" href=\"http://java.sun.com/products/autodl/j2se\"");
          buf.append("initial-heap-size=\"64m\" max-heap-size=\"194m\" />\n");
          buf.append("<property name=\"host_name\" value=\"" + host + "\"/>\n");
          buf.append("<property name=\"host_port\" value=\"80\"/>\n");
          buf.append("<property name=\"host_IP\" value=\"" + ip + "\"/>\n");
          buf.append("<property name=\"secure_host_port\" value=\"443\"/>\n");
          buf.append("<property name=\"session_id\" value=\"" + sessionId + "\"/>\n");
          buf.append("<property name=\"user_name\" value=\"" + userName + "\"/>\n");
          buf.append("<jar href=\"cmv2.jar\" />\n");
          buf.append("<jar href=\"ohj-jewt-4_1_9.jar\" />\n");
          buf.append("<jar href=\"help-4_1_9.jar\" />\n");
          buf.append("<jar href=\"oracle_ice-5_06_3.jar\" />\n");
          buf.append("<jar href=\"emcshared.jar\" />\n");
          buf.append("<jar href=\"xerces.jar\" />\n");
          buf.append("</resources>\n");
          buf.append("<application-desc main-class=\"com.emc.wclient.Login\">\n");
          buf.append("</application-desc>\n");
          buf.append("</jnlp>\n");
          return buf.toString();
  }

  The underlying problem is a combination of tomcat 4/5 being more standard and IE being less standard. Tomcat changed to automatically add ";charset=ISO-8859-1" to the end of the Content-Type header while IE appears to not correctly process the Content-Type header.
  IE maintains a list of known MIME types in the registry under [HKCR]\MIME\Database\Content Type. There you will find an entry for 'application/x-java-jnlp-file' which indicates that this MIME type is treated as a file with the suffix '.jnlp'.
  Unfortunately, IE treats EVERYTHING after the Content-Type: as the MIME type NOT just the stuff between the ':' and the ';'. Thus instead of looking for a registry entry for 'application/x-java-jnlp-file' it winds up looking for 'application/x-java-jnlp-file;charset=ISO-8859-1" and doesn't find it.
  If you duplicate the 'application/x-java-jnlp-file' entry with the name 'application/x-java-jnlp-file;charset=ISO-8859-1' everything works. Alternatively, if you make sure the 'file name' portion of the URL which requests the jnlp spec has the suffix '.jnlp' IE will work correctly. If you are generating the jnlp spec via your own servlet you can control the behavior of Tomcat by calling 'setCharacterEncoding(null)' on the response object (note this is not a method of the HttpServletResponse interface, you have to cast to the underlying concrete type).
  So, I think IE's use of the 'suffix' is non-standard and IE's handling of the Content-Type header field is just broken. If you can make the requesting URL have the .jnlp suffix you are ok; otherwise, there does not appear to be a good solution.