JDK-6239717 : plugin displays basic authentication prompt unnecessarily
  • Type: Bug
  • Component: deploy
  • Sub-Component: plugin
  • Affected Version: 5.0
  • Priority: P4
  • Status: Closed
  • Resolution: Duplicate
  • OS: windows_98
  • CPU: x86
  • Submitted: 2005-03-11
  • Updated: 2010-04-02
  • Resolved: 2005-09-01
The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

To download the current JDK release, click here.
JDK 6
6Resolved
Related Reports
Duplicate :  
JDK-6318281 - Selecting Cancel from the Authentication Dailog in Web Start & Plug In does not work as expected
Description
FULL PRODUCT VERSION :
java version "1.5.0"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.5.0-b64)
Java HotSpot(TM) Client VM (build 1.5.0-b64, mixed mode)

ADDITIONAL OS VERSION INFORMATION :
Windows 98 [Version 4.10.2222]

EXTRA RELEVANT SYSTEM CONFIGURATION :
Using Internet Explorer version build 6.0.2600.0000IS to connect to a webserver running IIS 5.

A DESCRIPTION OF THE PROBLEM :
Users who have already authenticated on a webserver are reprompted for basic authentication by the plugin within Internet Explorer under certain conditions.

The problem occurs when the classes used by an applet are located in a different directory under the server root from the directory where authentication originally took place. If authentication initially takes place at the server root then there is no problem.

When the java plugin prompts for authentication, you can click "no". It will redisplay the prompt. If you click "no" for a second time it will proceed to load the applet successfully!

Note that similar bugs exist in the database and are marked as fixed. This bug is still extant. I suspect that testing has not duplicated these particular conditions so has not replicated the bug.

The bug only affects IE, the plugin under Firefox works fine.

STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
Users connect to our intranet (an IIS 5 server) at the following url:

http://intranet/maindir/

They are prompted for basic authentication by the web server. The user enters their username and password and makes sure that the "save password in your password list" option is checked (so they don't have to keep retyping their login details). After authenticating, they navigate to a page that contains an applet. The url of the page is:

http://intranet/maindir/appletpage.html

The applet references class files, etc, that are located under here:

http://intranet/javastuff/

So the java classes are in a separate folder off the root, from the pages where authentication initially took place.

EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
The applet should load without a problem. Once a user has authenticated on a server the authentication applies to the whole server so the user should not be reprompted for authentication. This is how IE handles requests for normal files and it is how the plugin behaves when running in different web browsers, e.g. Firefox.
ACTUAL -
When the applet loads, the java plugin prompts for basic authentication again. This is despite the user having already authenticated on the server.

If the user enters their username and password again and clicks "Yes", the applet loads and they are not reprompted for authentication for the rest of the browser session.

If the user does not enter their username and password but instead click "no". The authentication dialog is redisplayed. If they again click "no", the applet loads successfully anyway. However, the next time they access a page containing the same applet they are again prompted for authentication.

REPRODUCIBILITY :
This bug can be reproduced always.

---------- BEGIN SOURCE ----------
Any applet will do, so long as the arrangement of files and folders on the server is as described above and the server requires basic authentication.
---------- END SOURCE ----------

CUSTOMER SUBMITTED WORKAROUND :
Users need to initially connect to the server at the root folder level, i.e.

http://intranet/

And authenticate at this level. The plugin then does not reprompt for any authentication.
###@###.### 2005-03-11 21:50:46 GMT
Comments
EVALUATION There are two issues reported in this bug: 1. Users who have already authenticated on a webserver are reprompted for basic authentication when the classes used by an applet are located in a different directory under the server root from the directory where authentication originally took place. 2. When the java plugin prompts for authentication, you can click "no". It will redisplay the prompt. If you click "no" for a second time it will proceed to load the applet successfully! The first issue has been fixed in Mustang and backport to 5.0 update release. The second issue still exist, and we have another bug opened, I will mark this bug as a duplicate of 6318281.
01-09-2005