United StatesChange Country, Oracle Worldwide Web Sites Communities I am a... I want to...
JDK-4518282 : RFE: Avoid multiple proxy/server authentication

Details
Type:
Enhancement
Submit Date:
2001-10-23
Status:
Resolved
Updated Date:
2002-12-10
Project Name:
JDK
Resolved Date:
2002-09-30
Component:
deploy
OS:
other,windows_nt,linux,windows_xp,windows_2000
Sub-Component:
plugin
CPU:
x86
Priority:
P4
Resolution:
Fixed
Affected Versions:
1.3.0,1.3.1,1.3.1_03,1.4.0,1.4.1_02
Fixed Versions:
1.4.0_03 (03)

Related Reports
Backport:
Backport:
Duplicate:
Relates:

Sub Tasks

Description
When browse a page contains applet through a password protected proxy server, "Enter Network Password" dialog box appears twice.

The first time, proxy server challenge browser for username/password, this is desired behavior. However, if the requested page contains applet, subsequence download of applet classes caused "Enter Network Password" dialog box pop up from Java plugin side again. The second pop up can be avoided by abtaining Proxy-Authentication header from browser, and add this header for subsequence HTTP request.

###@###.### 2001-10-23


###@###.### 2002-04-15

Customer Problem Description;
-----------------------------

We have an applet deployed on a weblogic 6.1 server.  Our client is using the 1.3.1 plug in.  Our applet has many jar files.
For the most part everything works.  Since we have many different property files and support for 9 languages, we use the java.util.ResourceBundle class to manage loading these files.
The property files are located IN the jar files.  We only specify the language, so the names look like ... Emulator_de.properties, Emulator_en.properties, etc.

The resource bundle has a private method called calculateBundleNames.  This method defines the list of names the class will look for while trying to load the file.
This makes sense, since it is supposed to go from specific to general.
Problem:
Each time the resourcebundle tries to load a file that is not found in the jars ( Emulator_de_US.properties) it tries to go back to the server and look for the property file.
Now each time it wants to go past our proxy server and through the firewall, java asks for our name and password.
Our product works fine as long as we type in our name and password around 50 times.

Why can it not remember the username and password?  I believe this is because it is opening a new connection each time.

We would like some way of getting around this.

We would also like to reduce traffic.  If I have 20,000 people logging in each day, that are each making 50 unnecessary hits looking for classes ....
we are talking about 20,000 x 50 = 1,000,000 unnecessary requests to the server.

TESTCASEBEGIN
Create an applet with many properties files.
Make sure there is a proxy server / firewall in between the client and the server.
Try to use resource bundle to read the properties files from the jars.

This should prompt you for you name and password for each time it looks back at the server.




TESTCASEEND



                                    

Comments
CONVERTED DATA

BugTraq+ Release Management Values

COMMIT TO FIX:
1.4.0_03
1.4.1_02
mantis

FIXED IN:
1.4.0_03
1.4.1_02
mantis

INTEGRATED IN:
1.4.0_03
1.4.1_02
mantis
mantis-b03


                                     
2004-06-14
EVALUATION

After browser been challenged, browser adds Proxy-Authorization header for subsequence Http requests. But the value of the header is stored somewhere in browser side, there is not API for plugin to obtain the value right now.

###@###.### 2001-10-30

Could not reproduce what described by ###@###.###. On Java side, there is only one authentication request for all the calls back to server through the same firewall.

###@###.### 2002-04-16

It has been fixed for IE, a new REF will be open for Netscape.

###@###.### 2002-07-26


If users are still getting prompted for authentication twice in releases where this bug has been fixed, please make sure that the box for "Save this password in your password list" has been checked on the first login prompt, and also that the fully qualified hostname is being used in the URL.

###@###.### 2003-10-14
                                     
2003-10-14



Hardware and Software, Engineered to Work Together