After updating the JVM to one of the latest version 1.6 builds, our users started to experience a problem with opening java applets.
All the users have JVM versions 1.6.0_19 – 1.6.0_26 on Windows 7/2008. The browser is IE8. On the server usually there is IIS7, with ‘Integrated Windows authentication’
on applet’s virtual folder. Applet’s classes are packaged into a signed JAR file. Both the client and the server are located in the same local area network with no proxy or firewall between them.
The applet’s website usually belongs to the trusted security zone. When loaded, the applet establishes HTTP connection to the server to get the necessary data.
When the user tries to open an HTML page containing the applet, there can be the following scenarios:
1. The applet fails to load. We’re getting a ‘red cross’ screen. All the HTML elements except of the applet are loaded OK.
From the IIS log we can see that the loading of the JAR file failed with the error code 401, the user name field in the log for the JAR is empty.
2. The java asks for the user name and password showing a popup ‘Authentication required’. At this moment we can see the following message in the Java console:
network: Firewall authentication: site=/XX.XX.XX.XX:XX, protocol=http, prompt=, scheme=ntlm
If the user enters the correct credentials, the applet loads OK. Even if the user checks the ‘Save the password in your password list’ checkbox, Java continues to ask for credentials
on every page reload. It’s worth to note that the company’s external firewall doesn’t get any requests from the applet.
The problems happen even when the client and the server are located on the same machine, but never happens when we use localhost as the server name in the page URL.
During investigations we found out the following workarounds:
1. Enabling anonymous authentication on the virtual folder always solves the problem.
2. Sometimes, changing security zone from ‘Trusted’ to ‘Local intranet’ solves the scenario 2 (‘Authentication required’ popup) problem.
It’s worth to note that changing the security zone never helps if the page URL contains dots (for example, uses IP address instead the server name).
3. Upgrading to IE9 solves the scenario 2 problem partly: Java asks for the credentials only once.
So when I launch my web application into a browser, the auto-connection is successfully performed (single sign-on through Upstream, kerberos, remote_user, ...). But when I want to launch the applet in the web application, a new authentication panel (red panel with "authentication required") occurs in order to set credentials (login, password, domain) with the message in the java applet console:
"network: Firewall authentication: site=myApplicationUrl, protocol=http, prompt=, scheme=ntlm"
So why the applet doesn't inherit previous credentials in this case ??
Have you solved this problem ?
Edited by: 886341 on 20 sept. 2011 08:56
There is a bug fix in JRE 6u24, after this fix, Java applet will only use transparent authentication if the URL is belonging to certain type of security zone in Internet security zone setting for NTLM authentication.
I think the difference you noticed is due to above change, but the fix is in JRE6u24 and later, please let me know which JRE update release you noticed the regression, and how about our latest JRE 6u27?
By the way, do you have a simple testcase which can reproduce this issue, we would like to test it out.
I am a little concerned about the responses from forum members 'JoeM' and 'dgu'. There is an implication from both members that they are in some way associated with Oracle and that based on this thread Oracle will investigate the original problem. This site is a forum and most member have no direct association with Oracle and in general do not speak for Oracle. I do not know how these members are associated with Oracle but as far as I am aware the only way to get Oracle to investigate problems such as reported here is to go via the bug reporting system ( http://bugreport.sun.com/bugreport/ ).