JDK-4757518 : Unable to access applets outside a firewall with multiple proxy schemes defined
  • Type: Bug
  • Component: deploy
  • Sub-Component: plugin
  • Affected Version: 1.4.0
  • Priority: P1
  • Status: Closed
  • Resolution: Duplicate
  • OS: windows_2000
  • CPU: x86
  • Submitted: 2002-10-03
  • Updated: 2002-10-07
  • Resolved: 2002-10-07
Related Reports
Duplicate :  
Description

Name: pa48320			Date: 10/03/2002

In a network configuration with a firewall where the proxy server is configured with multiple authentication schemes, the plugin has a good chance of not being able to connect to the webserver to get the class file. This problem occurs most regularly with the MS ISA proxy server. This server is configured to authenticate using NTLM as well as Basic and Digest authentications. When the plugin attempts to connect to the webserver it receives a 407 response with several Proxy-Authenticate headers as follows:
Proxy-Authenticate: NTLM
Proxy-Authenticate: Basic realm="proxy1.site.org"
Proxy-Authenticate: Digest qop="auth", realm="proxy1.site.org", nonce="08923450982072304702397...."
Proxy-Authenticate: Kerberos
Proxy-Authenticate: Negotiate

According to the code in sun.net.www.protocol.http.HttpURLConnection.getHttpProxyAuthentication() the headers are searched for Proxy-Authenticate. This search uses sun.net.www.MessageHeader.findValue() which only returns the first header it finds. This code needs to walk through the headers until it finds one that it can use. In fact it should walk through with some idea of which is best since it seems that the list provided by the proxy server is not orderable.
Note that the HTTP/1.1 spec seems quite clear in allowing multiple fields of this type in the header.

======================================================================
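
The header walk the description asks for, as an added example that is not the JDK's code or the submitter's: it inspects every Proxy-Authenticate value and keeps the most preferred scheme the client can answer, instead of stopping at the first header. The class and method names, the Digest-before-Basic preference order, and the one-challenge-per-header-line input are assumptions made for illustration.

```java
import java.util.Arrays;
import java.util.List;
import java.util.Locale;
import java.util.Optional;

/** Added illustration; not the JDK's own code. All names are hypothetical. */
public class ProxyAuthSelector {
    // Schemes this client can answer, most preferred first (assumed order:
    // Digest does not send the password itself, Basic sends it base64-encoded).
    private static final List<String> SUPPORTED = Arrays.asList("digest", "basic");

    /** Scheme token of one Proxy-Authenticate value, lower-cased. */
    static String schemeOf(String headerValue) {
        String v = headerValue.trim();
        int end = 0;
        while (end < v.length() && !Character.isWhitespace(v.charAt(end))) end++;
        return v.substring(0, end).toLowerCase(Locale.ROOT);
    }

    /** Walk every challenge and return the most preferred one we support. */
    static Optional<String> selectChallenge(List<String> challenges) {
        String best = null;
        int bestRank = Integer.MAX_VALUE;
        for (String c : challenges) {
            if (c == null || c.trim().isEmpty()) continue;
            int rank = SUPPORTED.indexOf(schemeOf(c)); // -1 when unsupported
            if (rank >= 0 && rank < bestRank) {
                bestRank = rank;
                best = c.trim();
            }
        }
        return Optional.ofNullable(best);
    }

    public static void main(String[] args) {
        // Constructed 407 challenges, in the order the report lists them.
        List<String> fromProxy = Arrays.asList(
            "NTLM",
            "Basic realm=\"proxy1.site.org\"",
            "Digest qop=\"auth\", realm=\"proxy1.site.org\", nonce=\"constructed-nonce\"",
            "Kerberos",
            "Negotiate");
        // A first-header-only lookup sees just the unsupported NTLM entry.
        System.out.println("first only : " + schemeOf(fromProxy.get(0)));
        System.out.println("selected   : " + selectChallenge(fromProxy).orElse("(none usable)"));
        // A proxy offering only unsupported schemes yields no selection.
        System.out.println("ntlm only  : "
            + selectChallenge(Arrays.asList("NTLM", "Negotiate")).orElse("(none usable)"));
    }
}
```

Ranking by the client's own preference list rather than by arrival order also keeps Basic from being chosen when the same proxy offers Digest.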

Comments
WORK AROUND

Name: pa48320 Date: 10/03/2002

I can think of no workaround other than providing a pass through proxy server that reorders the proxy-authenticate fields so Digest or Basic is first.

======================================================================
11-06-2004

EVALUATION

It is NOT a bug. We currently do not support NTLM scheme.
###@###.### 2002-10-04

I got it wrong. It is not because of NTLM, it is about multiple authentication headers. It has nothing to do with a standard. It has everything to do with incorrectly checking the header fields. We are not asking them to support NTLM. The proxy in question also supports Basic and Digest which you DO support. The code will never see it, though, because you only look at the first one. Please see my original comments in original bug filing
###@###.### 2002-10-07
07-10-2002