This discussion is archived
14 Replies Latest reply: Jun 13, 2012 5:12 AM by rukbat RSS

Why do most Java applets NOT work behind a proxy?

917256 Newbie
Currently Being Moderated
Is it the case that the JVM provides implicit support for proxy servers (including NTLM authentication) or is this something that must be explicitly supported by the Applet?

I ask this as we recently implemented a Forefront TMG proxy server which uses integrated (NTLM) authentication. Everything in the browser works except for Java Applets (or at least 100% of the ones I've tried).

Microsoft claims that we need to individually unblock each URL that need access, this seems crazy to me: http://support.microsoft.com/kb/925881

I've been able to establish that Java supports proxy servers with NTLM authentication, but what is not clear to me is if that is a global JVM setting or simply left to the Applet developers discretion.

I would appreciate any help.

Thanks!

Paul Swanson
  • 1. Re: Why do most Java applets NOT work behind a proxy?
    EJP Guru
    Currently Being Moderated
    Is it the case that the JVM provides implicit support for proxy servers (including NTLM authentication)
    The question is ill-formed. The JVM provides nothing. The java.net classes provide http.proxyHost/proxyPort, https.proxyHost/proxyPort, ftp.proxyHost/proxyPort, socksProxyHost/ProxyPort, and java.net.Proxy & ProxySelector. See Java Networking and Proxies.
    or is this something that must be explicitly supported by the Applet?
    More probably it is provided by the browser in the case of an Applet but I am no expert on that.
    I ask this as we recently implemented a Forefront TMG proxy server which uses integrated (NTLM) authentication. Everything in the browser works except for Java Applets (or at least 100% of the ones I've tried).
    Java applets doing what? Being loaded? connecting their own Sockets? URLs?
  • 2. Re: Why do most Java applets NOT work behind a proxy?
    DrClap Expert
    Currently Being Moderated
    I'm sure I have loaded Java applet tutorials successfully at work, where we also have one of those TMG Forefront beasts. Try Getting Started With Applets and see if the applet loads for you.
  • 3. Re: Why do most Java applets NOT work behind a proxy?
    917256 Newbie
    Currently Being Moderated
    OK, I'll reword.

    Does a Java Applet, running in a web browser, trying to access resources on the Internet through an authenticating proxy (such as TMG or maybe Squid) need the developer to explicitly support proxy authentication to succeed?

    Thanks ...
  • 4. Re: Why do most Java applets NOT work behind a proxy?
    917256 Newbie
    Currently Being Moderated
    BUMP

    Does a developer need to explicitly support proxy authentication for an Applet to gain access to the Internet behind an authenticating http proxy?
  • 5. Re: Why do most Java applets NOT work behind a proxy?
    EJP Guru
    Currently Being Moderated
    I doubt it. We have an applet deployed that has been used in all sorts of corporate situations over which I have no control, and we've had no reports concerning that.
  • 6. Re: Why do most Java applets NOT work behind a proxy?
    917256 Newbie
    Currently Being Moderated
    Thanks for the response.

    Watching proxy logs I can see that all Java Applets hit the proxy as anonymous requests, despite JRE using the browser proxy settings, whereas all other traffic from the browser is authenticated.

    So, if I were developing an Applet that didn't explicitly implement a http proxy authentication method, could I rely solely on the JRE / browser proxy settings to allow access out to the web?

    I've read the Java developer documentation (see above Java Networking & Proxies url) but haven't seen a clear answer. It usually says something like " ... you can specify the proxy ...", but doesn't directly answer whether explicit support is required or not. Microsoft are currently implying that http authentication should be explicitly supported by the developer (see above technet article).

    Just wondering if there is a definitive answer to be had.

    Thanks,

    Paul S.
  • 7. Re: Why do most Java applets NOT work behind a proxy?
    EJP Guru
    Currently Being Moderated
    Sorry I can't answer any of that. I'm not behind a proxy myself. I agree the documentation needs work. Be sure to use the Class/resource methods for retrieving things where possible rather than just URLs, so if there is any magic behind the scenes you are hooking into it.
  • 8. Re: Why do most Java applets NOT work behind a proxy?
    892952 Newbie
    Currently Being Moderated
    You don't need to specify anything particularly to make applet work for proxy authentication (or NTLM authentication). But Java applet is using different session to estabilish the connect, so you will see one authentication from Browser session, and another one from JRE session.

    You can write a simple applet and host it in that authentication server, you should see two authentication dialog box, after you enter the password, applet should loads successfully.

    If not, then you need to take a look the authentication server configuration, and what is the JRE version you are using?
  • 9. Re: Why do most Java applets NOT work behind a proxy?
    917256 Newbie
    Currently Being Moderated
    Thanks for your response.

    You're right, JRE does establish a proxy server connection separate to that of the web browser however the JRE connection does not attempt to authenticate.

    In this case, the JRE is configured with the correct proxy server details yet it only attempts anonymous connections; it never prompts for authentication details. I've been able to confirm this by watching proxy logs.

    The proxy server is running Forefront TMG, quite common. JRE is generally 1.6.0_29, does the same on 30.

    I can't quite understand how all web browsers are able to initiate authenticated connections but JRE simply doesn't. I've even tried giving the JRE explicit http proxy authentication details, but no change in behaviour.

    I guess what I'm saying is, I can't see any evidence that JRE does implicitly support proxy authentication for Applets.

    Thanks!
  • 10. Re: Why do most Java applets NOT work behind a proxy?
    917256 Newbie
    Currently Being Moderated
    As a help to anyone facing this issue here's an update.

    The current status is that web requests from Java applets won't authenticate themselves when faced with a Forefront TMG proxy that implements mandatory authentication. Microsoft claims that TMG will support any CERN compliant requests for authentication but recognizes that Java applets normally don't work. Oracle documentation at best hints that authentication is implicitly supported, although doesn't directly address this. One of them is guilty of harboring bogusness; I've no way of telling who.

    So, here's what we've done until someone their product out:

    * Created an unauthenticated Squid Proxy and limited access to Java clients (using regex)
    * Used Java Deployment Configuration, implemented via Windows Group Policy, to point Java at this proxy

    (http://docs.oracle.com/javase/6/docs/technotes/guides/deployment/deployment-guide/properties.html)

    Good luck to you all and let's hope for Oracle / Microsoft to pull their fingers out on this one.
  • 11. Re: Why do most Java applets NOT work behind a proxy?
    943157 Newbie
    Currently Being Moderated
    [Re-posting the comment, which is strictly related to the topic/thread discussion, since this post of mine has vanished from this thread a couple of minutes after being posted-published yesterday; without any notice being provided.]

    Hi. We have exactly the same issue between Oracle JRE and Microsoft Forefront TMG 2010. JRE is unable to authenticate through Forefront TMG proxy that implements mandatory authentication, in the following conditions:

    I have pinpointed that this issue only occurs when:

    * accessing to Java applets sites from [thousands] Roaming user profiles (NOTE: with local profiles the authentication, NTLM handshake process, works fine; proxy address provided through GPO);

    * JRE deployment has been done through GPO/MSI JRE file to [over a thousand] client computers (with latest releases of JRE6 till current JRE7u4; MSFT Windows 7 x86 and x64 OS client editions / Win2k3 and also 2k8 AD infrastructures; MSIE 9 and Mozilla Firefox 1x browsers).

    I have emailed screenshots and detailed data twice, along with availability to provide network captures and even remote access to our corporate networks (Education environment), to javasedocs_us@oracle.com in last April, but sill no answer till now.

    The workaround was to create a non-authenticated rule in Forefront TMG proxy, adding all the sites with Java applets that need to be accessed, bypassing the mandatory authentication.

    Any help/feedback to find a solution would be welcome.
    Thanks in advance.

    Edited by: 940154 on 13/Jun/2012 3:36
  • 12. Re: Why do most Java applets NOT work behind a proxy?
    gimbal2 Guru
    Currently Being Moderated
    940154 wrote:
    [Re-posting the comment, which is strictly related to the topic/thread discussion, since this post of mine has vanished from this thread a couple of minutes after being posted-published yesterday; without any notice being provided.]
    Someone should have added a comment then as it was a moderation action. The reason why your post, and also this one in the future, disappeared is because you hijacked a thread for your own purpose. If you want help, start your own thread and leave old ones belonging to someone else alone.
  • 13. Re: Why do most Java applets NOT work behind a proxy?
    943157 Newbie
    Currently Being Moderated
    @gimbal2

    Thank you for your prompt answer. I see your point, although i can't agree with it since the issue is the same as described through the whole thread (involving the above mentioned software from two of the most renowned softwarehouses worldwide), which it is not a closed thread/issue: if i open a new thread i would be illogically duplicating the same issue described at this thread, which, as far as i am aware, has not yet been properly addressed.

    It is not my intention to hijack anyone's thread: what i have added to the current discussion were more details about the issue gathered from experiencing this same unsolved issue in a large production environment.
    As far a i see, it can be helpful to others facing the same issue and also to Oracle developers; and i further confirm that i have also described this same issue along similar lines to Microsoft, also without a clear answer till now.

    Kind regards.

    Edited by: 940154 on 13/Jun/2012 4:39
  • 14. Re: Why do most Java applets NOT work behind a proxy?
    rukbat Guru Moderator
    Currently Being Moderated
    Moderator Action:
    i can't agree with it since the issue is the same as described through the whole thread
    Irrelevant.
    which it is not a closed thread/issue
    ... because the original poster abandoned it (and the OTN forums) months ago.
    It is not my intention to hijack anyone's thread
    ... yet you did, and did it twice, which is now appearing as being rude.

    This thread is now locked.
    ALWAYS post your own new thread unless you are directly offering a solution to a recent inquiry.
    When you do so, feel free to include a link to an earlier discussion if it might be relevant.

Legend

  • Correct Answers - 10 points
  • Helpful Answers - 5 points