
Our applet is behind Microsoft ISA Server, which has integrated proxy authentication. The ISA proxy server returns HTTP 405 (NOT 407) for connections which have no authentication credentials on them. Therefore my java.net.Authenticator class does not get called. How can I authenticate my connections to the proxy server in this situation?

The applet is signed and compiled with Java 1.6. The URLConnection class is used for the connections.

e13420xx

1 Answer


I can see two approaches to working around this problem and neither is really ideal. First, I'm guessing that you've verified that sending the request with the authorization information does not result in a 405 response code? If the answer is yes, you can try setting the Proxy-authorization header in the request as a header:

URL url = new URL("http://location");
HttpURLConnection connection = (HttpURLConnection) url.openConnection();
connection.setRequestProperty("Proxy-authorization", authorizationValue);

The format of that header will depend upon the authorization scheme that is required by the proxy server, so you'll have to do some research for your particular scenario.

The second approach involves subclassing an internal JDK class to spoof the response code to force the normal proxy authentication path. First, here is the subclass:

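import java.io.IOException;
import java.net.Proxy;
import java.net.URL;

// Shares its simple name with java.net.HttpURLConnection on purpose.
// sun.net.www.protocol.http is an internal JDK package.
public class HttpURLConnection extends sun.net.www.protocol.http.HttpURLConnection {

    // The superclass has no default constructor, so one is declared for the handler to call.
    protected HttpURLConnection(URL u, Proxy p, sun.net.www.protocol.http.Handler handler) throws IOException {
        super(u, p, handler);
    }

    @Override
    public int getResponseCode() throws IOException {
        int code = super.getResponseCode();
        if (code == HTTP_BAD_METHOD) {
            // Report the proxy's 405 as 407.
            code = HTTP_PROXY_AUTH;
            responseCode = code;
        }
        return code;
    }

}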

Of course, this will mask any actual 405 responses so it could have unintended consequences. Telling the URL object to use this requires a subclass of java.net.URLStreamHandlerFactory:

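import java.io.IOException;
import java.net.Proxy;
import java.net.URL;
import java.net.URLStreamHandler;

// java.net.URLStreamHandlerFactory is an interface, so it is implemented rather than extended.
public class URLStreamHandlerFactory implements java.net.URLStreamHandlerFactory {
    @Override
    public URLStreamHandler createURLStreamHandler(String protocol) {
        if (!protocol.equals("http")) {
            // null makes URL fall back to the JDK's built-in handler for this protocol.
            return null;
        } else {
            return new Handler();
        }
    }

    // Extends the JDK's internal HTTP handler, which is the type the HttpURLConnection
    // constructor expects. The proxy and proxyPort fields are inherited from it.
    static class Handler extends sun.net.www.protocol.http.Handler {

        public Handler() {
            super();
        }

        public Handler(String proxy, int port) {
            super(proxy, port);
        }

        @Override
        protected java.net.URLConnection openConnection(URL u) throws IOException {
            return openConnection(u, (Proxy) null);
        }

        @Override
        protected java.net.URLConnection openConnection(URL u, Proxy p) throws IOException {
            // HttpURLConnection is the subclass shown above (same package), not java.net.HttpURLConnection.
            return new HttpURLConnection(u, p, this);
        }

        @Override
        protected int getDefaultPort() {
            return 80;
        }
    }
}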

Then you can use this object by calling URL.setURLStreamHandlerFactory(new URLStreamHandlerFactory()); somewhere in initialization code. I found this site and this site useful for looking at how the core Java classes work. If you need to support HTTPS then you will need to make similar changes for that protocol.

Hopefully one of these solutions could be useful for you. I'm not completely sure that the latter approach will work inside an Applet's security constraints. The former should though. It is also possible that this might be easier to do with a different HTTP library such as Apache HttpComponents if you are able to use it.

laz
  • In approach one, the header will be Proxy-authorization or the Proxy-authentication header? The authentication protocol differs from time to time (NTLM or Kerberos), and because of that this approach will be very hard, I think. In approach two: do you think setting the response code will be sufficient? I think I also need to set some headers about what kind of authentication is needed? – e13420xx Jul 26 '11 at 16:43
  • In approach one it will be `Proxy-authorization`. It sounds like it will be extremely difficult if the scheme is changing. So it is returning `405` but not what type of authentication is required? In that case, yes you will also have to include any necessary `Proxy-Authenticate` response headers too. Is the proxy server mis-configured or something? This sounds like seriously broken behavior! Does the server work with anything correctly, such as a browser? – laz Jul 26 '11 at 16:51
  • I don't know why they have configured it like that, but that's what they did. The clients on that network have very limited access to the web; they are mostly browsing locally. Obviously they can't change it now because of the problems that may arise, therefore they want this to be solved on the client side. – e13420xx Jul 26 '11 at 17:02
  • I think I'd go with trying the first approach I suggested then and try creating the appropriate header value. – laz Jul 26 '11 at 17:30
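
The first approach from the answer, worked through for the Basic scheme as an added example (not code from the question or the answer). It assumes the proxy accepts Basic, which the page does not state, and Java 8 or later for `java.util.Base64`; the class name, host names, account and password are constructed placeholders.

```java
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.InetSocketAddress;
import java.net.Proxy;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

public class PreemptiveProxyAuth {

    // Basic scheme: "Basic " + base64(user ":" password). Base64 is an encoding, not
    // encryption, so the password is readable by anything on the path to the proxy.
    static String basicProxyAuthorization(String user, String password) {
        if (user.indexOf(':') >= 0) {
            // The first ':' separates user from password, so the user name cannot contain one.
            throw new IllegalArgumentException("user name must not contain ':'");
        }
        // UTF-8 is an assumption here; the proxy may expect another charset.
        byte[] pair = (user + ":" + password).getBytes(StandardCharsets.UTF_8);
        return "Basic " + Base64.getEncoder().encodeToString(pair);
    }

    static HttpURLConnection open(URL url, Proxy proxy, String authorizationValue) throws IOException {
        // openConnection() does not touch the network; the header goes out with the first request.
        HttpURLConnection connection = (HttpURLConnection) url.openConnection(proxy);
        connection.setRequestProperty("Proxy-Authorization", authorizationValue);
        return connection;
    }

    public static void main(String[] args) throws IOException {
        // Constructed placeholders: host names, account and password are not from the page.
        Proxy proxy = new Proxy(Proxy.Type.HTTP,
                InetSocketAddress.createUnresolved("proxy.example.test", 8080));
        String value = basicProxyAuthorization("svc-applet", "constructed-password");
        HttpURLConnection connection = open(new URL("http://intranet.example.test/"), proxy, value);
        try {
            int code = connection.getResponseCode();
            if (code == HttpURLConnection.HTTP_BAD_METHOD || code == HttpURLConnection.HTTP_PROXY_AUTH) {
                // Behind this proxy a 405 has to be read like a 407: credentials missing or rejected.
                System.err.println("proxy rejected the request, status " + code);
            } else {
                System.out.println("status " + code);
            }
        } catch (IOException e) {
            System.err.println("could not reach the proxy: " + e);
        } finally {
            connection.disconnect();
        }
    }
}
```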