oneclick64.jnlp and oneclick32.jnlp client download security issue

Article ID: 261701


Products

CA Spectrum DX NetOps

Issue/Introduction

When a user downloads the OneClick (OC) client directly through a browser, the standard client file (oneclick.jnlp) prompts for a username and password. Requesting the same URL with oneclick64.jnlp (or oneclick32.jnlp) returns the JNLP file with no login prompt. This is a security issue: the 32-bit and 64-bit files should be protected in exactly the same way as oneclick.jnlp.

Steps to reproduce the issue:

$ cd $SPECROOT/tomcat/webapps/spectrum/

$ cp oneclick.jnlp oneclick32.jnlp

$ cp oneclick.jnlp oneclick64.jnlp

In a regular browser:

  • http://<OC_hostname>:<port>/spectrum/oneclick.jnlp (requests username and password to download the file)
  • http://<OC_hostname>:<port>/spectrum/oneclick32.jnlp (download the file without requesting the username and password)
  • http://<OC_hostname>:<port>/spectrum/oneclick64.jnlp (download the file without requesting the username and password)

Environment

Release : 22.2

Cause

The credentials prompt is missing because oneclick32.jnlp and oneclick64.jnlp are not listed in any <security-constraint> in web.xml, unlike the standard oneclick.jnlp. A security constraint is an allowlist of url-patterns: a request for a path that no constraint matches is served without authentication, so a copy of the launcher under a new file name is anonymous by default.

Open $SPECROOT/tomcat/webapps/spectrum/WEB-INF/web.xml and you will see that oneclick.jnlp is covered by the constraint below. The <auth-constraint> restricts the file to authenticated users (the role name * is the Servlet specification's shorthand for every role declared in the descriptor); an unauthenticated request triggers the login defined by the webapp's <login-config> instead of returning the file.

<security-constraint>
    <web-resource-collection>
        <web-resource-name>SPECTRUM OneClick JNLP file</web-resource-name>
        <description>This constraint controls access to the OneClick Start Console JNLP file</description>
        <url-pattern>/oneclick.jnlp</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>*</role-name>
    </auth-constraint>
</security-constraint>

Resolution

The 32-bit and 64-bit specific JNLP files are not shipped out of the box with Spectrum OneClick, so they were never added to the <security-constraint> in web.xml. Any additional copy of the launcher must be listed there explicitly, or Tomcat serves it to anonymous users.

In order to resolve this issue please follow these steps: 

1. Take a backup of $SPECROOT/tomcat/webapps/spectrum/WEB-INF/web.xml.

2. Edit web.xml and add url-pattern entries for oneclick32.jnlp and oneclick64.jnlp to the existing <security-constraint>, as shown below:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>SPECTRUM OneClick JNLP file</web-resource-name>
        <description>This constraint controls access to the OneClick Start Console JNLP file</description>
        <url-pattern>/oneclick.jnlp</url-pattern>
        <url-pattern>/oneclick32.jnlp</url-pattern>
        <url-pattern>/oneclick64.jnlp</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>*</role-name>
    </auth-constraint>
</security-constraint>

3. Restart the Tomcat webserver

  • $SPECROOT/tomcat/bin/stopTomcat.sh
  • $SPECROOT/tomcat/bin/startTomcat.sh

4. Request the 32-bit and 64-bit JNLP files again from a browser that is not logged in: each should now produce the authentication prompt instead of the file. Check the file itself rather than only the login page, because a 200 response with the JNLP body means the constraint did not match the path (for example a typo in the url-pattern, or a copy served under yet another name).
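The following Python script is added here as a worked example; it is not part of Broadcom's Spectrum tooling. It does for any web.xml what the Cause and Resolution sections describe by hand: it applies the Servlet url-pattern matching rules (exact, /prefix/*, *.ext and /) to report which JNLP paths have no <auth-constraint> behind them, then appends the missing url-pattern entries to the constraint that already lists /oneclick.jnlp. SAMPLE_WEB_XML is a constructed stand-in for $SPECROOT/tomcat/webapps/spectrum/WEB-INF/web.xml, and the function names are the example's own. It also goes one step beyond the article's fix by showing that a single extension pattern, *.jnlp, covers every copy of the launcher whatever it is named.

```python
"""Audit which JNLP files a Spectrum OneClick web.xml actually protects, and
add the missing url-patterns to the existing security constraint.

Example code written for this article, not Broadcom/CA code. It assumes the
Servlet-spec url-pattern rules and a web.xml shaped like the fragment quoted
in the article. SAMPLE_WEB_XML is a constructed stand-in for the real
$SPECROOT/tomcat/webapps/spectrum/WEB-INF/web.xml."""
import xml.etree.ElementTree as ET

SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>SPECTRUM OneClick JNLP file</web-resource-name>
      <description>This constraint controls access to the OneClick Start Console JNLP file</description>
      <url-pattern>/oneclick.jnlp</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>*</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>
"""

JNLP_VARIANTS = ["/oneclick.jnlp", "/oneclick32.jnlp", "/oneclick64.jnlp"]


def local(tag):
    """Strip the {namespace} prefix ElementTree puts on qualified tag names."""
    return tag.rsplit("}", 1)[-1]


def children(elem, name):
    return [c for c in elem if local(c.tag) == name]


def match_rank(pattern, path):
    """Rank of the match between one url-pattern and a request path, or None.

    Higher ranks win, following the best-match order the container applies to
    security constraints: exact > longest path prefix > extension > default."""
    if pattern == path:
        return (3, len(pattern))
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        if path == prefix or path.startswith(prefix + "/"):
            return (2, len(prefix))
        return None
    if pattern.startswith("*.") and path.endswith(pattern[1:]):
        return (1, 0)
    if pattern == "/":
        return (0, 0)
    return None


def is_protected(web_xml, path, method="GET"):
    """True when the best-matching constraint(s) for `path` carry an
    <auth-constraint>. A path no url-pattern matches is served anonymously."""
    root = ET.fromstring(web_xml)
    best, protected = None, False
    for sc in children(root, "security-constraint"):
        has_auth = bool(children(sc, "auth-constraint"))
        for wrc in children(sc, "web-resource-collection"):
            methods = [m.text.strip() for m in children(wrc, "http-method")]
            if methods and method not in methods:  # limited to other verbs
                continue
            for up in children(wrc, "url-pattern"):
                rank = match_rank(up.text.strip(), path)
                if rank is None:
                    continue
                if best is None or rank > best:
                    best, protected = rank, has_auth
                elif rank == best:
                    protected = protected or has_auth
    return protected


def unprotected(web_xml, paths):
    """The subset of `paths` an unauthenticated client could fetch."""
    return [p for p in paths if not is_protected(web_xml, p)]


def add_url_patterns(web_xml, new_patterns, anchor="/oneclick.jnlp"):
    """Return web.xml text with `new_patterns` appended to the url-pattern list
    of the web-resource-collection that already contains `anchor`. Idempotent;
    keeps the url-pattern elements together so the descriptor stays valid."""
    root = ET.fromstring(web_xml)
    ns = root.tag[1:].split("}", 1)[0] if root.tag.startswith("{") else ""
    if ns:
        ET.register_namespace("", ns)  # serialise as xmlns="..." not ns0:
    for sc in children(root, "security-constraint"):
        for wrc in children(sc, "web-resource-collection"):
            patterns = children(wrc, "url-pattern")
            existing = [up.text.strip() for up in patterns]
            if anchor not in existing:
                continue
            siblings = list(wrc)
            idx = siblings.index(patterns[-1])
            inner = siblings[idx - 1].tail if idx else wrc.text  # indent
            last = patterns[-1]
            for pat in new_patterns:
                if pat in existing:
                    continue
                el = ET.Element(f"{{{ns}}}url-pattern" if ns else "url-pattern")
                el.text, el.tail = pat, last.tail
                last.tail = inner
                idx += 1
                wrc.insert(idx, el)
                existing.append(pat)
                last = el
            return ET.tostring(root, encoding="unicode")
    raise ValueError(f"no security-constraint lists {anchor}")


if __name__ == "__main__":
    print("unprotected before:", unprotected(SAMPLE_WEB_XML, JNLP_VARIANTS))
    fixed = add_url_patterns(SAMPLE_WEB_XML, JNLP_VARIANTS[1:])
    print("unprotected after:", unprotected(fixed, JNLP_VARIANTS))
    print(fixed)
```

To use it on a live system, read the real descriptor into add_url_patterns after taking the backup from step 1, write the result back, and restart Tomcat as in step 3. The exact-path form reproduces the article's fix; the *.jnlp extension form is the more robust choice when further copies of the launcher may appear, because an exact url-pattern only protects names that are spelled out.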

Additional Information

https://techdocs.broadcom.com/us/en/ca-enterprise-software/it-operations-management/spectrum/22-2/installing-and-upgrading/fresh-install/system-requirements-for-installing-ca-spectrum/spectroserver-and-oneclick-requirements/install-jre.html