United StatesChange Country, Oracle Worldwide Web Sites Communities I am a... I want to...
Bug ID: JDK-6955280 Java Plug-in fails to remember the password for some resource
JDK-6955280 : Java Plug-in fails to remember the password for some resource

Details
Type:
Bug
Submit Date:
2010-05-24
Status:
Resolved
Updated Date:
2010-10-11
Project Name:
JDK
Resolved Date:
2010-10-11
Component:
deploy
OS:
windows_xp
Sub-Component:
plugin
CPU:
x86
Priority:
P3
Resolution:
Fixed
Affected Versions:
6u18,6u20
Fixed Versions:
6u23 (b02)

Related Reports
Backport:
Duplicate:
Relates:

Sub Tasks

Description
??????J2SE Version (please include all output from java -version flag):
6u20
 

Does this problem occur on J2SE 1.4.x or 5.0.x or 6.0?Yes / No (pick one)
Yes


Operating System Configuration Information (be specific):
Windows


Bug Description:


There is an issue where the "remember my password" checkbox at the browser level was
insufficient 
to avoid being authenticated by both the browser and the Java Plug-In.
The similar checkbox 
at the Java Plug-In level was there specifically to address the
inability to reliably obtain 
such information from the browser.

Some customers raise the issue that using *both* checkboxes is insufficent for them
to avoid 
having to re-authenticate with each Java Plug-In VM (for a given
authenticated resource).

With some further testing it appears that the Java Plug-In fails to remember the
password for some resources.

Attached a simple test case as test.zip (the Java source is in TestApplet.java), 
the target 
resource and the tested configuration (protocols and browsers used).  

To use this:

   1. Unzip this into an expanded web app doc base.
   2. In the HTML files resulting from the expansion, replace "jmholle03l.ptcnet.ptc.com/PDMLinkX20" with your web site hostname/port and web app name.
   3. Expose/host/deploy this doc base via HTTP
   4. Require basic authentication (using the same realm) on
          * servlet/WindchillAuthGW/wt.httpgw.HTTPAuthentication/login
          * Note that this is a static file simulating a servlet URL.  I am not using a servlet in this test so as to show that this is purely a matter of the URL involved, not the servlet.
   5. Try appletTest1.html
          * Select the Java checkbox to remember the password.
          * Exit the browser and try again.
          * We see a Java authentication prompt even though the checkbox was checked the previous time.  This should not occur and is the customer complaint.
   6. Try again for appletTest2.html as desired

The really odd thing here is that Java Plug-In will remember the credentials for some
URLs and utterly 
fails to do so for other URLs.  It does not appear to be a matter of
different reponse headers or 
any such issue -- rather purely one of the URL involved.
 
One can require authenticated for the 
web app's test/testResource.txt resource and
change the applet's "url" parameter to refer to it 
rather than to
servlet/WindchillAuthGW/wt.httpgw.HTTPAuthentication/login and one will see that
 
in this case the Java Plug-In manages to remember the credentials just fine.

This is with Java 6 Update 20, but believe the customer reports are from older 
Java 6 (and/or Java 5) versions.

                                    

Comments
EVALUATION

I have host the test applet on my own https webserver with BasicAuthentication is on:
https://129.148.174.126/httpsSecurity/BasicSecurity/6955280/test/appletTest1.html
https://129.148.174.126/httpsSecurity/BasicSecurity/6955280/test/appletTest2.html

Both above testcase work fine when checkbox is checked.
                                     
2010-05-25



Hardware and Software, Engineered to Work Together