Re: [jetty-users] HttpClient proxy tunnel pre-authentication
Hi,
On Tue, Feb 11, 2014 at 3:07 AM, Gautam Pulla <gpulla@xxxxxxxx> wrote:
> Hello,
>
>
>
> I’m trying to use the HttpClient from Jetty 9.1.1.v20140108 to tunnel
> through a proxy-server using proxy-authentication.
>
>
>
> I see that the Jetty client connects to the proxy without credentials, upon
> which the proxy sends a 407 “proxy authentication required” response back.
> The Jetty client then looks in the HTTP authentication store for suitable
> credentials (with matching realm & URI) to use in the next request on the
> connection.
>
>
>
> The problem is, some proxies, such as Squid promptly drop the connection
> upon authentication failure – and there is no opportunity to submit a second
> request with the proxy-authenticate header.
>
>
>
> Following are the request & response logged by Jetty which show that no
> authentication header was initially sent. The “Connection: close” header
> from Squid shows that the connection is dropped by Squid on an auth
> failure.
>
>
>
> 17:56:11.159 [HttpClient@469537924-12-selector-ClientSelectorManager@18688fe1/0] DEBUG org.eclipse.jetty.client.HttpSender - Request headers HttpRequest[CONNECT hawker.flyer.qagood.com:443 HTTP/1.1]@7a7ac5
> Accept-Encoding: gzip
> Host: hawker.flyer.qagood.com:443
> User-Agent: Jetty/9.1.1.v20140108
>
> 17:56:11.182 [HttpClient@469537924-18] DEBUG o.eclipse.jetty.client.HttpReceiver - Response headers HttpResponse[HTTP/1.0 407 Proxy Authentication Required]@4838eb55
> Server: squid/2.7.STABLE8
> Date: Tue, 11 Feb 2014 01:56:11 GMT
> Content-Type: text/html
> Content-Length: 1373
> X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0
> Proxy-Authenticate: Basic realm="Squid proxy-caching web server"
> X-Cache: MISS from GASLAMP03.ocs.qagood.com
> X-Cache-Lookup: NONE from GASLAMP03.ocs.qagood.com:3128
> Via: 1.0 GASLAMP03.ocs.qagood.com:3128 (squid/2.7.STABLE8)
> Connection: close
>
>
>
> This is the Jetty HttpClient related code that creates the CONNECT request &
> sends it to the proxy, and clearly there is no authentication header
> supplied at this stage:
>
>
>
> org.eclipse.jetty.client.HttpProxy.HttpProxyClientConnectionFactory.ProxyPromise.tunnel(HttpDestination, Connection)
>
>     private void tunnel(HttpDestination destination, final Connection connection)
>     {
>         String target = destination.getOrigin().getAddress().asString();
>         Origin.Address proxyAddress = destination.getConnectAddress();
>         HttpClient httpClient = destination.getHttpClient();
>         Request connect = httpClient.newRequest(proxyAddress.getHost(), proxyAddress.getPort())
>                 .scheme(HttpScheme.HTTP.asString())
>                 .method(HttpMethod.CONNECT)
>                 .path(target)
>                 .header(HttpHeader.HOST, target)
>                 .timeout(httpClient.getConnectTimeout(), TimeUnit.MILLISECONDS);

Confirmed, it's a bug: https://bugs.eclipse.org/bugs/show_bug.cgi?id=427878

> Is there a way to make this scenario work? What seems to be required is the
> ability to ‘pre-authenticate’.
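
Yes, that exposes bug2 :( but you can work around it in this way:

    import java.net.URI;
    import java.nio.charset.StandardCharsets;
    import org.eclipse.jetty.client.api.Authentication;
    import org.eclipse.jetty.http.HttpHeader;
    import org.eclipse.jetty.util.B64Code;

    // URI the result is registered for: the proxy's address
    // (proxyPort() is not defined in this snippet).
    final URI uri = URI.create("http://localhost:" + proxyPort());
    final String value = "Basic " + B64Code.encode("user:password", StandardCharsets.ISO_8859_1);
    httpClient.getAuthenticationStore().addAuthenticationResult(new Authentication.Result()
    {
        @Override
        public URI getURI()
        {
            return uri;
        }

        @Override
        public void apply(org.eclipse.jetty.client.api.Request request)
        {
            // Adds the credentials to the request up front, without waiting for a 407.
            request.header(HttpHeader.PROXY_AUTHORIZATION, value);
        }
    });
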
Bug2 is that class BasicAuthentication.BasicResult should be public in
order to allow you a simpler way to add authentication results.
--
Simone Bordet
----
http://cometd.org
http://webtide.com
http://intalio.com
Developer advice, training, services and support
from the Jetty & CometD experts.
Intalio, the modern way to build business applications.
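
The exchange discussed in this thread, as an added example that is not part of the original message or of Jetty's code: a JDK-only stub proxy that, like the Squid instance in the log, answers an unauthenticated CONNECT with 407 and closes the connection, next to a client that sends Proxy-Authorization on the first request. The class name, realm, sample credentials and target host are constructed for illustration.

```java
import java.io.*;
import java.net.*;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

public class PreemptiveProxyAuthDemo {
    static final String HDR = "Proxy-Authorization:";
    // Basic scheme: base64 of user:password. This is an encoding, not encryption.
    static String basic(String userPass) {
        return "Basic " + Base64.getEncoder().encodeToString(userPass.getBytes(StandardCharsets.ISO_8859_1));
    }
    // Stub proxy (constructed): handles one CONNECT; without valid credentials it replies 407 and closes.
    static void serveOnce(ServerSocket server, String expected) throws IOException {
        try (Socket s = server.accept()) {
            BufferedReader in = new BufferedReader(new InputStreamReader(s.getInputStream(), StandardCharsets.ISO_8859_1));
            boolean ok = false;
            for (String line; (line = in.readLine()) != null && !line.isEmpty(); )
                if (line.regionMatches(true, 0, HDR, 0, HDR.length()))
                    ok = line.substring(HDR.length()).trim().equals(expected);
            String reply = ok ? "HTTP/1.0 200 Connection established\r\n\r\n"
                : "HTTP/1.0 407 Proxy Authentication Required\r\n"
                    + "Proxy-Authenticate: Basic realm=\"demo\"\r\nConnection: close\r\n\r\n";
            s.getOutputStream().write(reply.getBytes(StandardCharsets.ISO_8859_1));
        }
    }
    // Client side: CONNECT with optional preemptive credentials; returns the proxy's status line.
    static String connect(int port, String target, String auth) throws IOException {
        try (Socket s = new Socket(InetAddress.getLoopbackAddress(), port)) {
            String req = "CONNECT " + target + " HTTP/1.1\r\nHost: " + target + "\r\n"
                + (auth == null ? "" : HDR + " " + auth + "\r\n") + "\r\n";
            s.getOutputStream().write(req.getBytes(StandardCharsets.ISO_8859_1));
            return new BufferedReader(new InputStreamReader(s.getInputStream(), StandardCharsets.ISO_8859_1)).readLine();
        }
    }

    public static void main(String[] args) throws Exception {
        String creds = basic("user:password"); // constructed sample credentials
        try (ServerSocket server = new ServerSocket(0, 1, InetAddress.getLoopbackAddress())) {
            for (String auth : new String[] {null, creds}) {
                Thread proxy = new Thread(() -> {
                    try { serveOnce(server, creds); } catch (IOException e) { throw new UncheckedIOException(e); }
                });
                proxy.start();
                System.out.println((auth == null ? "no header:  " : "preemptive: ") + connect(server.getLocalPort(), "example.org:443", auth));
                proxy.join();
            }
        }
    }
}
```

Because the CONNECT to the proxy travels over plain HTTP, the preemptive Basic value is readable by anyone on the path between client and proxy.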