karakun / OpenWebStart

Run Web Start based applications after the release of Java 11
https://openwebstart.com

Unable to tunnel through proxy. Proxy returns "HTTP/1.1 407 Proxy Authentication Required" #592

Closed AlBundy33 closed 4 months ago

AlBundy33 commented 4 months ago

Is there some issue with proxy authentication?

I've tried to set up a local proxy with authentication enabled (see docker-compose.yml below).

If I now start a test app from https://docs.oracle.com/javase/tutorial/uiswing/examples/misc/, I have to log in once, and after that I get this exception:

java.io.IOException: Unable to tunnel through proxy. Proxy returns "HTTP/1.1 407 Proxy Authentication Required"
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
    at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
    at sun.net.www.protocol.http.HttpURLConnection$10.run(HttpURLConnection.java:1952)
    at sun.net.www.protocol.http.HttpURLConnection$10.run(HttpURLConnection.java:1947)
    at java.security.AccessController.doPrivileged(Native Method)
    at sun.net.www.protocol.http.HttpURLConnection.getChainedException(HttpURLConnection.java:1946)
    at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1516)
    at sun.net.www.protocol.http.HttpURLConnection.access$200(HttpURLConnection.java:92)
    at sun.net.www.protocol.http.HttpURLConnection$9.run(HttpURLConnection.java:1492)
    at sun.net.www.protocol.http.HttpURLConnection$9.run(HttpURLConnection.java:1490)
    at java.security.AccessController.doPrivileged(Native Method)
    at java.security.AccessController.doPrivilegedWithCombiner(AccessController.java:784)
    at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1489)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:268)
    at net.adoptopenjdk.icedteaweb.http.CloseableConnection.getInputStream(CloseableConnection.java:58)
    at net.adoptopenjdk.icedteaweb.resources.downloader.BaseResourceDownloader.getDownloadDetails(BaseResourceDownloader.java:237)
    at net.adoptopenjdk.icedteaweb.resources.downloader.BaseResourceDownloader.tryDownloading(BaseResourceDownloader.java:138)
    at net.adoptopenjdk.icedteaweb.resources.downloader.BaseResourceDownloader.lambda$downloadFrom$4(BaseResourceDownloader.java:125)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at java.lang.Thread.run(Thread.java:750)
Caused by: java.io.IOException: Unable to tunnel through proxy. Proxy returns "HTTP/1.1 407 Proxy Authentication Required"
    at sun.net.www.protocol.http.HttpURLConnection.doTunneling(HttpURLConnection.java:2154)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:195)
    at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1572)
    at sun.net.www.protocol.http.HttpURLConnection.access$200(HttpURLConnection.java:92)
    at sun.net.www.protocol.http.HttpURLConnection$9.run(HttpURLConnection.java:1492)
    at sun.net.www.protocol.http.HttpURLConnection$9.run(HttpURLConnection.java:1490)
    at java.security.AccessController.doPrivileged(Native Method)
    at java.security.AccessController.doPrivilegedWithCombiner(AccessController.java:784)
    at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1489)
    at sun.net.www.protocol.http.HttpURLConnection.getHeaderField(HttpURLConnection.java:3063)
    at java.net.HttpURLConnection.getHeaderFieldDate(HttpURLConnection.java:552)
    at java.net.URLConnection.getLastModified(URLConnection.java:559)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.getLastModified(HttpsURLConnectionImpl.java:436)
    at net.adoptopenjdk.icedteaweb.http.CloseableConnection.getLastModified(CloseableConnection.java:95)
    at net.adoptopenjdk.icedteaweb.resources.downloader.BaseResourceDownloader.getDownloadDetails(BaseResourceDownloader.java:232)
    ... 5 more

docker-compose.yml

services:
  # Squid forward proxy. Its squid.conf and password file are injected from
  # the top-level `configs` entries of this file.
  proxy:
    # No tag given, so this resolves to :latest; pin a tag or digest if the
    # test rig has to be reproducible.
    image: ubuntu/squid
    # Published on every host interface. The login in this file is a
    # throwaway test value, so for a purely local test a loopback binding
    # ('127.0.0.1:3128:3128') keeps the proxy off the network.
    ports: ['3128:3128']
    environment: [TZ=Europe/Berlin]
    configs:
      - source: squid_config
        target: /etc/squid/squid.conf
      - source: squid_passwords
        target: /etc/squid/passwords
  # Optional helper, started only when the `pac` profile is enabled: runs
  # Python's built-in http.server in /tmp, where proxy.pac is mounted, and
  # publishes it on host port 8889.
  http:
    profiles: [pac]
    image: python:3-alpine
    working_dir: /tmp
    configs:
      - source: proxy_pac
        target: /tmp/proxy.pac
    entrypoint: [python3, '-m', http.server]
    ports: ['8889:8000']
# Inline file contents that Compose mounts into the services above.
configs:
  # squid.conf for the proxy service: listens on 3128 and requires proxy
  # authentication with the Basic scheme (basic_ncsa_auth checking
  # /etc/squid/passwords). Authenticated users may reach plain HTTP on port 80
  # and CONNECT to port 443; every other request is denied.
  # Basic puts the password on the wire base64-encoded only, and Java clients
  # refuse it for CONNECT tunnels by default, hence the 407 in the trace above.
  squid_config:
    content: |
      http_port 3128
      debug_options ALL,1

      # https://gist.github.com/jackblk/fdac4c744ddf2a0533278a38888f3caf
      auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwords
      auth_param basic realm Squid proxy-caching web server
      auth_param basic credentialsttl 24 hours
      auth_param basic casesensitive off

      # https://wiki.squid-cache.org/ConfigExamples/Authenticate/Bypass
      acl http proto http
      acl port_80 port 80
      acl port_443 port 443
      acl CONNECT method CONNECT
      acl authenticated_users proxy_auth REQUIRED

      # rules allowing authenticated users
      http_access allow http port_80 authenticated_users
      http_access allow CONNECT port_443 authenticated_users

      # catch-all rule
      http_access deny all
  # Password file read by basic_ncsa_auth. Test login is proxy:proxy
  # (user:password, as noted by the author). The hash is in htpasswd apr1
  # format, and every "$" is doubled so that Compose does not treat it as
  # variable interpolation. Throwaway value for a test rig; do not reuse it.
  squid_passwords:
    content: |
      proxy:$$apr1$$yUiETSEB$$NHiEtLKYsu93jWoNhHX9M/
  # proxy.pac handed out by the http service. It sends every URL to the proxy
  # on localhost:3128; presumably the host name is to be changed when clients
  # run on another machine.
  proxy_pac:
    content: |
      function FindProxyForURL(url, host) {
          return "PROXY localhost:3128";
      }
AlBundy33 commented 4 months ago

This seems to be a problem on my side: I used Basic authentication, which Java has disabled by default for HTTPS tunneling through a proxy since 8u111, see https://www.oracle.com/java/technologies/javase/8u111-relnotes.html

To re-enable Basic authentication for tunneling, run:

rem An empty value clears the list of auth schemes the JVM refuses for HTTPS
rem tunnelling through a proxy, so Basic is accepted again. _JAVA_OPTIONS is
rem picked up by every JVM started from this environment, not only javaws.
SET _JAVA_OPTIONS=-Djdk.http.auth.tunneling.disabledSchemes=
javaws /path/to/app.jnlp

Or edit lib/net.properties in your JRE folder and comment out the line jdk.http.auth.tunneling.disabledSchemes=Basic, i.e. change it to #jdk.http.auth.tunneling.disabledSchemes=Basic. This changes the setting for every application run with that JRE.

AlBundy33 commented 4 months ago

Or use Digest authentication instead of Basic. With the following config there is no need to re-enable Basic authentication in Java. :-)

services:
  # Squid forward proxy; squid.conf and the digest password file are mounted
  # from the top-level `configs` section of this file.
  proxy:
    # Untagged image reference, i.e. :latest; pin a tag or digest when the
    # setup must be reproducible.
    image: ubuntu/squid
    # Reachable on all host interfaces. With the test login kept in this file,
    # a loopback-only mapping ('127.0.0.1:3128:3128') is the tighter choice
    # when only local clients use the proxy.
    ports: ['3128:3128']
    environment: [TZ=Europe/Berlin]
    configs:
      - source: squid_config
        target: /etc/squid/squid.conf
      - source: squid_passwords
        target: /etc/squid/passwords
  # Runs only with the `pac` profile: Python's http.server serving /tmp
  # (proxy.pac is mounted there), published on host port 8889.
  http:
    profiles: [pac]
    image: python:3-alpine
    working_dir: /tmp
    configs:
      - source: proxy_pac
        target: /tmp/proxy.pac
    entrypoint: [python3, '-m', http.server]
    ports: ['8889:8000']
# Inline file contents that Compose mounts into the services above.
configs:
  # squid.conf for the proxy service: listens on 3128 and requires proxy
  # authentication with the Digest scheme (digest_file_auth, realm "squid",
  # five helper processes). Authenticated users may reach plain HTTP on
  # port 80 and CONNECT to port 443; every other request is denied.
  # Digest is a challenge-response scheme, so the password itself is not sent
  # to the proxy; it does not encrypt the proxied traffic.
  squid_config:
    content: |
      http_port 3128
      debug_options ALL,1

      auth_param digest program /usr/lib/squid/digest_file_auth -c /etc/squid/passwords
      auth_param digest children 5
      auth_param digest realm squid

      # https://wiki.squid-cache.org/ConfigExamples/Authenticate/Bypass
      acl http proto http
      acl port_80 port 80
      acl port_443 port 443
      acl CONNECT method CONNECT
      acl authenticated_users proxy_auth REQUIRED

      # rules allowing authenticated users
      http_access allow http port_80 authenticated_users
      http_access allow CONNECT port_443 authenticated_users

      # catch-all rule
      http_access deny all
  # Digest password file in user:realm:hash form, generated with
  #   htdigest -c pw squid proxy
  # Test login is proxy:proxy (user:password, as noted by the author).
  # The stored hash is enough to answer a Digest challenge, so the file needs
  # the same protection as a password. Throwaway value; do not reuse it.
  squid_passwords:
    content: |
      proxy:squid:c66b0b69eb1e39cbac38bc4d7f013d7b
  # proxy.pac handed out by the http service. It sends every URL to the proxy
  # on localhost:3128; presumably the host name is to be changed when clients
  # run on another machine.
  proxy_pac:
    content: |
      function FindProxyForURL(url, host) {
          return "PROXY localhost:3128";
      }