cannot launch jnlp on windows due to exception while creating native storage directory

[AlBundy33]

OWS/IcedTea-Web creates a temp-folder netx-native-xxxx.temp and tries to rename it which does not work if the folder has "insufficient" permissions.

The default %TEMP% (%LOCALAPPDATA%\Temp) has (at least on my system) this ACLs

cacls %TEMP%
C:\Users\AlBundy\AppData\Local\Temp NT-AUTORITÄT\SYSTEM:(OI)(CI)F
                                  VORDEFINIERT\Administratoren:(OI)(CI)F
                                  ALBUNDY-W10-VM\albundy:(OI)(CI)F

If you create another temp-directory like C:\temp\ows the ACLs are slightly different

cacls c:\temp\ows
c:\temp\ows VORDEFINIERT\Administratoren:(OI)(CI)(ID)F
            NT-AUTORITÄT\SYSTEM:(OI)(CI)(ID)F
            VORDEFINIERT\Benutzer:(OI)(CI)(ID)R
            NT-AUTORITÄT\Authentifizierte Benutzer:(ID)C
            NT-AUTORITÄT\Authentifizierte Benutzer:(OI)(CI)(IO)(ID)C

As you can see in the default temp-folder the current user has an ACL that grant full access.

In the created folder c:\temp\ows there are only group rights set.

In BOTH directory I can create folder an files in windows explorer.

But launching a jnlp works only in the default temp-folder - not in c:\temp\ows

to reproduce this, create the folder c:\temp\ows
open a command prompt and run

SET TEMP=C:\temp\ows
SET TMP=C:\temp\ows
"c:\Program Files\OpenWebStart\javaws.exe" "%USERPROFILE%\Downloads\jnlp.jnlp"

This results in an exception during startup

net.sourceforge.jnlp.LaunchException: Fatal: Initialization Error: Could not initialize application. The application has not been initialized, for more information execute javaws from the command line.
	at net.sourceforge.jnlp.Launcher.createApplication(Launcher.java:593)
	at net.sourceforge.jnlp.Launcher.launchApplication(Launcher.java:374)
	at net.sourceforge.jnlp.Launcher.access$300(Launcher.java:72)
	at net.sourceforge.jnlp.Launcher$TgThread.run(Launcher.java:661)
Caused by: java.lang.RuntimeException: Exception while creating native storage directory 'C:\temp\ows\netx-native-50323'
	at net.sourceforge.jnlp.cache.NativeLibraryStorage.createNativeStoreDirectory(NativeLibraryStorage.java:179)
	at net.sourceforge.jnlp.cache.NativeLibraryStorage.getNativeStoreDirectory(NativeLibraryStorage.java:157)
	at net.sourceforge.jnlp.cache.NativeLibraryStorage.addSearchJar(NativeLibraryStorage.java:135)
	at net.sourceforge.jnlp.runtime.classloader.JNLPClassLoader.doActivateJars(JNLPClassLoader.java:1294)
	at net.sourceforge.jnlp.runtime.classloader.JNLPClassLoader.lambda$activateJars$3(JNLPClassLoader.java:1179)
	at java.security.AccessController.doPrivileged(Native Method)
	at net.sourceforge.jnlp.runtime.classloader.JNLPClassLoader.activateJars(JNLPClassLoader.java:1180)
	at net.sourceforge.jnlp.runtime.classloader.JNLPClassLoader.initializeResources(JNLPClassLoader.java:830)
	at net.sourceforge.jnlp.runtime.classloader.JNLPClassLoader.<init>(JNLPClassLoader.java:352)
	at net.sourceforge.jnlp.runtime.classloader.JNLPClassLoader.createInstance(JNLPClassLoader.java:425)
	at net.sourceforge.jnlp.runtime.classloader.JNLPClassLoader.getInstance(JNLPClassLoader.java:497)
	at net.sourceforge.jnlp.runtime.classloader.JNLPClassLoader.getInstance(JNLPClassLoader.java:470)
	at net.sourceforge.jnlp.Launcher.createApplication(Launcher.java:585)
	... 3 more
Caused by: java.io.IOException: Cannot rename C:\temp\ows\netx-native-50323.temp to C:\temp\ows\netx-native-50323
	at net.sourceforge.jnlp.util.RestrictedFileUtils.createRestrictedFile(RestrictedFileUtils.java:172)
	at net.sourceforge.jnlp.util.RestrictedFileUtils.createRestrictedDirectory(RestrictedFileUtils.java:62)
	at net.sourceforge.jnlp.cache.NativeLibraryStorage.createNativeStoreDirectory(NativeLibraryStorage.java:176)
	... 15 more

workaround: give current user full access to c:\temp\ows

[tzjan]

Hi,
I don't know If your issues is the same as mine.
For my application IcedTea created too restricted files/directories.
Add the following property helped:

deployment.security.itw.disablerestrictedfiles=true

[AlBundy33]

Thanks - this seems to be another workaround 👍

But I wonder why the application-files are created this way. 🤔
With this restrictions OWS or ITW don't work with a manually created temp-folder.
-> And I didn't found any informations about this setting. 🤔

[tzjan]

I stumbled across the same problem. Saw the same kind of restricted permissions and
compared it to a file created by another application like the windows file explorer.
I found this setting in the code during debugging.
Maybe it's good to add this to a documentation to offer this option to the user.

[AlBundy33]

I haven't checked the code how ows/itw creates the file but it would be nice if even manually created temp-folder would work out of the box.

If I manually create a file in this folder I can rename it without issues.

If the current implementation is because of security reasons a better error-message would be helpful because ot took some time to find the cause.

[pietroSV]

Problem/bug still present in v 1.10.1.
The workaround with 'deployment.security.itw.disablerestrictedfiles=true' works, but it is bad it can't be changed via OpenWebStartSettings GUI.

EDIT:
In my case, I am not using manually created Temp directory.
We use standard %temp% directory. The internal netx security thing has no permissions to the directory it created itself:
net.adoptopenjdk.icedteaweb.lockingfile.StorageIoException:
Caused by: java.io.IOException: Cannot rename C:\Users<user>\AppData\Local\Temp\netx-native-59378.temp to C:\Users<user>\AppData\Local\Temp\netx-native-59378
at net.sourceforge.jnlp.util.RestrictedFileUtils.createRestrictedFile(RestrictedFileUtils.java:172)
at net.sourceforge.jnlp.util.RestrictedFileUtils.createRestrictedDirectory(RestrictedFileUtils.java:62)
at net.sourceforge.jnlp.cache.NativeLibraryStorage.createNativeStoreDirectory(NativeLibraryStorage.java:176)
... 15 more

[AlBundy33]

I've created another issue in AdoptOpenJDK/IcedTea-Web#955 - hopefully it get's more attention there.