Hi,

On Tue, Feb 11, 2014 at 3:07 AM, Gautam Pulla <[email protected]> wrote:
> Hello,
>
> I’m trying to use the HttpClient from Jetty 9.1.1.v20140108 to tunnel
> through a proxy-server using proxy-authentication.
>
> I see that the Jetty client connects to the proxy without credentials, upon
> which the proxy sends a 407 “proxy authentication required” response back.
> The Jetty client then looks in the HTTP authentication store for suitable
> credentials (with matching realm & URI) to use in the next request on the
> connection.
>
> The problem is, some proxies, such as Squid, promptly drop the connection
> upon authentication failure – and there is no opportunity to submit a second
> request with the proxy-authenticate header.
>
> Following are the request & response logged by Jetty which shows that no
> authentication header was initially sent. The “Connection: close” header
> from Squid shows that the connection is dropped by Squid on an auth
> failure.
>
> 17:56:11.159 [HttpClient@469537924-12-selector-ClientSelectorManager@18688fe1/0] DEBUG org.eclipse.jetty.client.HttpSender - Request headers HttpRequest[CONNECT hawker.flyer.qagood.com:443 HTTP/1.1]@7a7ac5
> Accept-Encoding: gzip
> Host: hawker.flyer.qagood.com:443
> User-Agent: Jetty/9.1.1.v20140108
>
> 17:56:11.182 [HttpClient@469537924-18] DEBUG o.eclipse.jetty.client.HttpReceiver - Response headers HttpResponse[HTTP/1.0 407 Proxy Authentication Required]@4838eb55
> Server: squid/2.7.STABLE8
> Date: Tue, 11 Feb 2014 01:56:11 GMT
> Content-Type: text/html
> Content-Length: 1373
> X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0
> Proxy-Authenticate: Basic realm="Squid proxy-caching web server"
> X-Cache: MISS from GASLAMP03.ocs.qagood.com
> X-Cache-Lookup: NONE from GASLAMP03.ocs.qagood.com:3128
> Via: 1.0 GASLAMP03.ocs.qagood.com:3128 (squid/2.7.STABLE8)
> Connection: close
>
> This is the Jetty HttpClient related code that creates the CONNECT request &
> sends it to the proxy, and clearly there is no authentication header
> supplied at this stage:
>
> org.eclipse.jetty.client.HttpProxy.HttpProxyClientConnectionFactory.ProxyPromise.tunnel(HttpDestination, Connection)
>
>     private void tunnel(HttpDestination destination, final Connection connection)
>     {
>         String target = destination.getOrigin().getAddress().asString();
>         Origin.Address proxyAddress = destination.getConnectAddress();
>         HttpClient httpClient = destination.getHttpClient();
>         Request connect = httpClient.newRequest(proxyAddress.getHost(), proxyAddress.getPort())
>                 .scheme(HttpScheme.HTTP.asString())
>                 .method(HttpMethod.CONNECT)
>                 .path(target)
>                 .header(HttpHeader.HOST, target)
>                 .timeout(httpClient.getConnectTimeout(), TimeUnit.MILLISECONDS);

Confirmed, it's a bug: https://bugs.eclipse.org/bugs/show_bug.cgi?id=427878

> Is there a way to make this scenario work? What seems to be required is the
> ability to ‘pre-authenticate’.

Yes, that exposes bug2 :( but you can work it around in this way:

    import java.net.URI;
    import java.nio.charset.StandardCharsets;
    import org.eclipse.jetty.client.api.Authentication;
    import org.eclipse.jetty.http.HttpHeader;
    import org.eclipse.jetty.util.B64Code;

    // Proxy address; the result below is applied to requests matching this URI.
    final URI uri = URI.create("http://localhost:" + proxyPort());
    final String value = "Basic " + B64Code.encode("user:password", StandardCharsets.ISO_8859_1);
    httpClient.getAuthenticationStore().addAuthenticationResult(new Authentication.Result()
    {
        @Override
        public URI getURI()
        {
            return uri;
        }

        @Override
        public void apply(org.eclipse.jetty.client.api.Request request)
        {
            // Adds the credentials up front, without waiting for a 407 challenge.
            request.header(HttpHeader.PROXY_AUTHORIZATION, value);
        }
    });

Bug2 is that class BasicAuthentication.BasicResult should be public in
order to allow you a simpler way to add authentication results.

-- 
Simone Bordet
----
http://cometd.org
http://webtide.com
http://intalio.com
Developer advice, training, services and support
from the Jetty & CometD experts.
Intalio, the modern way to build business applications.
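
The failure mode and the pre-authenticated CONNECT discussed in this thread, as an added example that is not part of either message and is not Jetty code: using only the JDK, it classifies a 407 response head by whether the proxy will close the connection, and builds a CONNECT that carries Basic credentials on the first request. The class and method names are assumptions made for illustration; the first sample response is abridged from the log above and the second is constructed.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.HashMap;
import java.util.Locale;
import java.util.Map;

// Hypothetical helper class, not part of Jetty.
public class ProxyConnectCheck {
    // CONNECT request that carries Basic proxy credentials on the first attempt.
    static String preemptiveConnect(String target, String user, String password) {
        String token = Base64.getEncoder().encodeToString(
                (user + ":" + password).getBytes(StandardCharsets.ISO_8859_1));
        return "CONNECT " + target + " HTTP/1.1\r\n"
                + "Host: " + target + "\r\n"
                + "Proxy-Authorization: Basic " + token + "\r\n\r\n";
    }

    // True when the proxy answered 407 and will close the connection, so an
    // authenticated retry on the same connection is impossible.
    static boolean challengeClosesConnection(String responseHead) {
        String[] lines = responseHead.split("\r?\n");
        String[] status = lines[0].trim().split(" ", 3); // version, code, reason
        if (status.length < 2 || !status[1].equals("407")) return false;
        Map<String, String> headers = new HashMap<>();
        for (int i = 1; i < lines.length && !lines[i].trim().isEmpty(); i++) {
            int colon = lines[i].indexOf(':');
            if (colon > 0) headers.put(
                    lines[i].substring(0, colon).trim().toLowerCase(Locale.ROOT),
                    lines[i].substring(colon + 1).trim().toLowerCase(Locale.ROOT));
        }
        String connection = headers.getOrDefault("connection", "");
        // HTTP/1.0 closes unless keep-alive is stated; HTTP/1.1 persists unless "close".
        return status[0].equals("HTTP/1.0") ? !connection.contains("keep-alive")
                                            : connection.contains("close");
    }

    public static void main(String[] args) {
        // Response head abridged from the Squid log in the thread.
        String squid = "HTTP/1.0 407 Proxy Authentication Required\r\n"
                + "Server: squid/2.7.STABLE8\r\n"
                + "Proxy-Authenticate: Basic realm=\"Squid proxy-caching web server\"\r\n"
                + "Connection: close\r\n\r\n";
        // Constructed contrast case: a proxy that keeps the connection open after 407.
        String persistent = "HTTP/1.1 407 Proxy Authentication Required\r\n"
                + "Proxy-Authenticate: Basic realm=\"example\"\r\n\r\n";
        System.out.println("squid closes: " + challengeClosesConnection(squid));
        System.out.println("persistent closes: " + challengeClosesConnection(persistent));
        // "user:password" is the placeholder credential from the thread's workaround.
        System.out.print(preemptiveConnect("hawker.flyer.qagood.com:443", "user", "password"));
    }
}
```

Basic credentials are only base64-encoded, so a CONNECT sent to the proxy over plain HTTP exposes them to anyone on that network path.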
