Key: TYRUS-204
Type: Improvement
Status: Open
Priority: Major
Assignee: Unassigned
Reporter: Pavel Bucek
Votes: 5
Watchers: 3
tyrus

Improve client-side proxy support

Created: 24/Jun/13 12:54 PM   Updated: 04/Apr/14 12:48 PM
Component/s: None
Affects Version/s: 1.1
Fix Version/s: None

Time Tracking:
Not Specified

Tags:
Participants: jewel-sea, kimiy, mthornton and Pavel Bucek


Description
  • proxy authentication
  • ProxySelector support

Please vote/comment if you want this to be implemented.



jewel-sea added a comment - 26/Aug/13 11:23 PM

We have an upcoming project where we would like to install a Tyrus based Websocket client behind enterprise firewalls which can only communicate to a cloud hosted service via port 443 outbound. In such a deployment, it is possible that some of our customers may use an authenticated proxy on port 443 outbound. We would like to see client-side proxy support in Tyrus improved to handle this functionality so that we can offer this deployment option to our customers.

Our deployment architecture is similar to http://cloudbees.foxweave.com/images/blog/websockets-and-transparent-proxies/images/in-house-deployment-illustration.png (note that is not our project, but the FoxWeave agent running as a websocket client operating within the enterprise firewall operates in a somewhat similar manner).


Pavel Bucek added a comment - 27/Aug/13 07:04 AM

Thanks for your comment!

Can you please list auth schemes which you consider as must-have?


jewel-sea added a comment - 19/Dec/13 01:29 AM

I am more familiar with http style proxy auth than websocket style proxy auth (maybe they actually end up being the same thing). But I think the required auth mechanism would be basic auth and (potentially) digest auth.


kimiy added a comment - 10/Mar/14 06:21 AM

We have the same problem. We try to connect through a client-side proxy, but the proxy returns "HTTP/1.1 407 Proxy Authentication Required".


Pavel Bucek added a comment - 10/Mar/14 07:41 AM

@kimiy: can you please add information about authentication scheme(s) your proxy supports/requires? Thanks!


kimiy added a comment - 11/Mar/14 01:03 AM

Our proxy requires the Basic authentication scheme.


Pavel Bucek added a comment - 11/Mar/14 03:59 PM

@kimiy, can you please try the following branch - just to see whether it will work for you?

https://github.com/pavelbucek/tyrus/tree/proxy-headers

(clone, build using "mvn clean install -Dmaven.test.skip" and then use Tyrus libraries version 1.6-SNAPSHOT)

It adds support for changing the headers of the request used as the proxy "handshake". Simple usage is present in EchoTest:

client.getProperties().put(GrizzlyClientSocket.PROXY_URI, "http://my.proxy:8080"); // or -Dhttp.proxyHost and -

final HashMap<String, String> headers = new HashMap<String, String>();
headers.put("Proxy-Authorization", "Basic " + Base64Utils.encodeToString("username:password".getBytes(Charset.forName("UTF-8")), false));

client.getProperties().put(GrizzlyClientSocket.PROXY_HEADERS, headers);

Please try to replace "username:password" with your credentials. (I don't have any proxy which requires authentication currently available).

Any comments about this (low-level) solution are also welcome. I think we can come up with a better, high-level solution, something similar to Jersey or Apache HTTP client, but that will require more time (and we will most likely start with standard authentication rather than jump into proxies).

Thanks and regards,
Pavel


kimiy added a comment - 12/Mar/14 08:13 AM

I tried it, and I succeeded in connecting through the client-side proxy with authentication.
In our case, this solution works well.

Thank you so much.


Pavel Bucek added a comment - 12/Mar/14 11:36 AM

Great, thanks for the confirmation. I'll clean up the code and merge this workaround to the master branch.


mthornton added a comment - 04/Apr/14 12:48 PM

The proxies we see are mostly Windows IIS with domain authentication. Our users want the authentication to proceed using cached credentials (i.e. the one used to login to Windows). The authentication schemes accepted are typically Negotiate, Kerberos and NTLM. Basic is NOT permitted.

The standard Java HttpURLConnection does manage to negotiate these proxies.
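
The thread above involves a proxy answering with 407 and proxies that accept only some schemes (Basic in one case; Negotiate, Kerberos and NTLM with Basic refused in another). As an added example, not code from Tyrus or from any commenter, the following JDK-only sketch reads the Proxy-Authenticate challenges from a 407 response and builds a Basic Proxy-Authorization value only when the proxy offered Basic, since that value is just a base64 encoding of the credentials. The class name, the preference order, the one-challenge-per-header-line parsing and the sample responses are assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.util.*;
/** Added example (not Tyrus code): choose a proxy auth scheme from a 407 response. */
public class ProxyChallenge {
    // Assumed client policy: integrated schemes first, Basic only as a last resort.
    static final List<String> PREFERENCE = Arrays.asList("negotiate", "kerberos", "ntlm", "digest", "basic");

    /** Collects scheme names from every Proxy-Authenticate header (assumes one challenge per line). */
    static Set<String> offeredSchemes(String rawResponse) {
        Set<String> schemes = new LinkedHashSet<>();
        for (String line : rawResponse.split("\r\n")) {
            if (line.isEmpty()) break;                        // blank line ends the header block
            int colon = line.indexOf(':');
            if (colon < 0 || !line.substring(0, colon).trim().equalsIgnoreCase("Proxy-Authenticate")) continue;
            String value = line.substring(colon + 1).trim();
            if (!value.isEmpty()) schemes.add(value.split("\\s+", 2)[0].toLowerCase(Locale.ROOT));
        }
        return schemes;
    }

    /** Returns the most preferred scheme the proxy offers, or null if none is acceptable. */
    static String select(Set<String> offered) {
        for (String s : PREFERENCE) if (offered.contains(s)) return s;
        return null;
    }

    /** Builds the Basic header value, refusing to expose credentials the proxy did not ask for. */
    static String basicHeader(Set<String> offered, String user, String password) {
        if (!offered.contains("basic"))
            throw new IllegalStateException("proxy does not accept Basic; offered: " + offered);
        byte[] raw = (user + ":" + password).getBytes(StandardCharsets.UTF_8);
        return "Basic " + Base64.getEncoder().encodeToString(raw);
    }

    public static void main(String[] args) {
        // Constructed sample responses, not captured from a real proxy.
        String basicProxy = "HTTP/1.1 407 Proxy Authentication Required\r\n"
                + "Proxy-Authenticate: Basic realm=\"example\"\r\n\r\n";
        String domainProxy = "HTTP/1.1 407 Proxy Authentication Required\r\n"
                + "Proxy-Authenticate: Negotiate\r\nProxy-Authenticate: NTLM\r\n\r\n";
        for (String resp : new String[] {basicProxy, domainProxy}) {
            Set<String> offered = offeredSchemes(resp);
            String scheme = select(offered);
            System.out.println("offered=" + offered + " selected=" + scheme);
            if ("basic".equals(scheme))
                System.out.println("Proxy-Authorization: " + basicHeader(offered, "username", "password"));
        }
    }
}
```

Only the Basic branch yields a header that could be placed in a static header map; Negotiate, Kerberos and NTLM are multi-step exchanges that a fixed header cannot satisfy.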