tyrus / TYRUS-204

Improve client-side proxy support

    Details

    • Type: Improvement
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 1.1
    • Fix Version/s: None
    • Component/s: None
    • Labels:
      None

      Description

      • proxy authentication
      • ProxySelector support

      Please vote/comment if you want this to be implemented.

        Activity

        Pavel Bucek created issue -
        jewel-sea added a comment -

        We have an upcoming project where we would like to install a Tyrus based Websocket client behind enterprise firewalls which can only communicate to a cloud hosted service via port 443 outbound. In such a deployment, it is possible that some of our customers may use an authenticated proxy on port 443 outbound. We would like to see client-side proxy support in Tyrus improved to handle this functionality so that we can offer this deployment option to our customers.

        Our deployment architecture is similar to http://cloudbees.foxweave.com/images/blog/websockets-and-transparent-proxies/images/in-house-deployment-illustration.png (note that is not our project, but the FoxWeave agent running as a websocket client operating within the enterprise firewall operates in a somewhat similar manner).

        Pavel Bucek added a comment -

        Thanks for your comment!

        Can you please list auth schemes which you consider as must-have?

        jewel-sea added a comment -

        I am more familiar with http style proxy auth than websocket style proxy auth (maybe they actually end up being the same thing). But I think the required auth mechanism would be basic auth and (potentially) digest auth.

        kimiy added a comment -

        We have the same problem. We try to connect through a client-side proxy, but the proxy returns "HTTP/1.1 407 Proxy Authentication Required".

        Pavel Bucek added a comment -

        @kimiy: can you please add information about authentication scheme(s) your proxy supports/requires? Thanks!

        kimiy added a comment -

        Our proxy requires the Basic authentication scheme.

        Pavel Bucek added a comment -

        @kimiy, can you please try the following branch - just to see whether it will work for you?

        https://github.com/pavelbucek/tyrus/tree/proxy-headers

        (clone, build using "mvn clean install -Dmaven.test.skip" and then use Tyrus libraries version 1.6-SNAPSHOT)

        It adds support for changing headers of request to be used as proxy "handshake". Simple usage is present in EchoTest:

            // Route the WebSocket handshake through the proxy.
            client.getProperties().put(GrizzlyClientSocket.PROXY_URI, "http://my.proxy:8080"); // or -Dhttp.proxyHost and -

            // Extra headers to send with the proxy handshake request.
            final HashMap<String, String> headers = new HashMap<String, String>();
            headers.put("Proxy-Authorization", "Basic " + Base64Utils.encodeToString("username:password".getBytes(Charset.forName("UTF-8")), false));

            client.getProperties().put(GrizzlyClientSocket.PROXY_HEADERS, headers);

        Please try to replace "username:password" with your credentials. (I don't have any proxy which requires authentication currently available).

        Any comments about this (low-level) solution are also welcome. I think we can come up with a better, high-level solution, something similar to jersey or apache http client, but that will require more time (and we will most likely start with standard authentication rather than jump into proxies).

        Thanks and regards,
        Pavel

        kimiy added a comment -

        I tried it, and I succeeded in connecting through the client-side proxy with authentication.
        In our case, this solution works well.

        Thank you so much.

        Pavel Bucek added a comment -

        Great, thanks for the confirmation. I'll clean up the code and merge this workaround to master branch.

        mthornton added a comment -

        The proxies we see are mostly Windows IIS with domain authentication. Our users want the authentication to proceed using cached credentials (i.e. the one used to login to Windows). The authentication schemes accepted are typically Negotiate, Kerberos and NTLM. Basic is NOT permitted.

        The standard Java HttpURLConnection does manage to negotiate these proxies.
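
Added example (not from the thread and not Tyrus code): the comments above describe proxies that answer 407 asking for Basic and others that accept only Negotiate, Kerberos or NTLM, so this example reads the offered schemes before building the `Proxy-Authorization` map meant for `PROXY_HEADERS`. It uses `java.util.Base64` instead of Tyrus's `Base64Utils`; the class, method and environment variable names are assumptions, and the challenge values are constructed.

```java
import java.nio.charset.StandardCharsets;
import java.util.*;

public class ProxyAuthHeaders {
    // Scheme names (lower-cased) from the Proxy-Authenticate values of a 407 response.
    // Assumption: one challenge per header value.
    static Set<String> offeredSchemes(List<String> proxyAuthenticate) {
        Set<String> schemes = new LinkedHashSet<>();
        for (String value : proxyAuthenticate) {
            String v = value.trim();
            if (v.isEmpty()) continue;
            int end = v.indexOf(' ');
            schemes.add((end < 0 ? v : v.substring(0, end)).toLowerCase(Locale.ROOT));
        }
        return schemes;
    }

    // Header map for the PROXY_HEADERS property; fails fast when Basic is not offered.
    static Map<String, String> basicProxyHeaders(Set<String> offered, String user, char[] password) {
        if (!offered.contains("basic")) {
            throw new IllegalStateException("proxy offers " + offered + ", not Basic");
        }
        if (user.indexOf(':') >= 0) {
            throw new IllegalArgumentException("Basic user-id must not contain ':'");
        }
        byte[] raw = (user + ":" + new String(password)).getBytes(StandardCharsets.UTF_8);
        Map<String, String> headers = new HashMap<>();
        // Base64 is an encoding, not encryption: treat the header value as the password itself.
        headers.put("Proxy-Authorization", "Basic " + Base64.getEncoder().encodeToString(raw));
        return headers;
    }

    public static void main(String[] args) {
        // Constructed challenges: a Basic-only proxy and a Windows domain proxy.
        List<String> basicProxy = Arrays.asList("Basic realm=\"proxy\"");
        List<String> domainProxy = Arrays.asList("Negotiate", "NTLM");
        // PROXY_USER / PROXY_PASS are hypothetical variable names; the fallbacks are placeholders.
        String user = System.getenv().getOrDefault("PROXY_USER", "username");
        char[] pass = System.getenv().getOrDefault("PROXY_PASS", "password").toCharArray();
        Map<String, String> headers = basicProxyHeaders(offeredSchemes(basicProxy), user, pass);
        System.out.println("headers set: " + headers.keySet()); // log names, never values
        try {
            basicProxyHeaders(offeredSchemes(domainProxy), user, pass);
        } catch (IllegalStateException e) {
            System.out.println(e.getMessage());
        }
    }
}
```

With an `http://` proxy URI the `Proxy-Authorization` header travels unencrypted to the proxy, so the Basic credentials are readable to anything on that path.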


          People

          • Assignee:
            Unassigned
            Reporter:
            Pavel Bucek
          • Votes:
            7
            Watchers:
            4

            Dates

            • Created:
              Updated: