Improve client-side proxy support

[glassfishrobot]

• proxy authentication
• ProxySelector support

please vote/comment if you want this to be implemented.

Affected Versions

[1.1]

[glassfishrobot]

• Issue Imported From: https://github.com/tyrus-project/tyrus/issues/381
• Original Issue Raised By:@glassfishrobot
• Original Issue Assigned To: @pavelbucek

[glassfishrobot]

@glassfishrobot Commented Reported by @pavelbucek

[glassfishrobot]

@glassfishrobot Commented jewel-sea said: We have an upcoming project where we would like to install a Tyrus based Websocket client behind enterprise firewalls which can only communicate to a cloud hosted service via port 443 outbound. In such a deployment, it is possible that some of our customers may use an authenticated proxy on port 443 outbound. We would like to see client-side proxy support in Tyrus improved to handle this functionality so that we can offer this deployment option to our customers.

Our deployment architecture is similar to http://cloudbees.foxweave.com/images/blog/websockets-and-transparent-proxies/images/in-house-deployment-illustration.png (note that is not our project, but the FoxWeave agent running as a websocket client operating within the enterprise firewall operates in a somewhat similar manner).

[glassfishrobot]

@glassfishrobot Commented @pavelbucek said: Thanks for your comment!

Can you please list auth schemes which you consider as must-have?

[glassfishrobot]

@glassfishrobot Commented jewel-sea said: I am more familiar with http style proxy auth than websocket style proxy auth (maybe they actually end up being the same thing). But I think the required auth mechanism would be basic auth and (potentially) digest auth.

[glassfishrobot]

@glassfishrobot Commented kimiy said: We have same problem. We try to connect through client-side proxy, but proxy returns "HTTP/1.1 407 Proxy Authentication Required".

[glassfishrobot]

@glassfishrobot Commented @pavelbucek said: @kimiy: can you please add information about authentication scheme(s) your proxy supports/requires? Thanks!

[glassfishrobot]

@glassfishrobot Commented kimiy said: Our proxy requires Basic authentication scheme.

[glassfishrobot]

@glassfishrobot Commented @pavelbucek said: @kimiy, can you please try following branch - just to see whether it will work for you?

https://github.com/pavelbucek/tyrus/tree/proxy-headers

(clone, build using "mvn clean install -Dmaven.test.skip" and then use Tyrus libraries version 1.6-SNAPSHOT)

It adds support for changing headers of request to be used as proxy "handshake". Simple usage is present in EchoTest:

client.getProperties().put(GrizzlyClientSocket.PROXY_URI, "http://my.proxy:8080"); // or -Dhttp.proxyHost and - 
final HashMap<String, String> headers = new HashMap<String, String>();
headers.put("Proxy-Authorization", "Basic " + Base64Utils.encodeToString("username:password".getBytes(Charset.forName("UTF-8")), false));

client.getProperties().put(GrizzlyClientSocket.PROXY_HEADERS, headers);

Please try to replace "username:password" with your credentials. (I don't have any proxy which requires authentication currently available).

Also any comments about this (low-level) solution is also welcomed. I think we can come up with better, high level solution, something similar to jersey or apache http client, but that will require more time (and we will most likely start with standard authentication rather than jump into proxies).

Thanks and regards, Pavel

[glassfishrobot]

@glassfishrobot Commented kimiy said: I tried it, and I got success to connect through client-side proxy with authentication. In our case, its solution works well.

Thank you so much.

[glassfishrobot]

@glassfishrobot Commented @pavelbucek said: great, thanks for confirmation. I'll clean up the code and merge this workaround to master branch.

[glassfishrobot]

@glassfishrobot Commented mthornton said: The proxies we see are mostly Windows IIS with domain authentication. Our users want the authentication to proceed using cached credentials (i.e. the one used to login to Windows). The authentication schemes accepted are typically Negotiate, Kerberos and NTLM. Basic is NOT permitted.

The standard Java HttpURLConnection does manage to negotiate these proxies.

[glassfishrobot]

@glassfishrobot Commented This issue was imported from java.net JIRA TYRUS-204

[Nagasathi]

We are in need of this feature. We have a customer, where Blue Coat proxy server is setup with NTLM (Negotiate) protocol for authentication. It would be greatly appreciated, if this issue is taken up development soon.