Bug 62312 - Add Proxy Authentication support to websocket client
Summary: Add Proxy Authentication support to websocket client
Status: RESOLVED FIXED
Alias: None
Product: Tomcat 9
Classification: Unclassified
Component: WebSocket
Version: 9.0.7
Hardware: PC All
Importance: P2 enhancement with 5 votes
Target Milestone: -----
Assignee: Tomcat Developers Mailing List
Duplicates: 59758
Reported: 2018-04-18 15:01 UTC by Joe Mokos
Modified: 2022-09-09 09:55 UTC (History)

Attachments
Patch to provide proxy authentication to websocket client (14.20 KB, patch)
2018-04-18 15:01 UTC, Joe Mokos
Change for proxy authentication with updated scheme selection algorithm (26.74 KB, patch)
2018-04-20 18:26 UTC, Joe Mokos
Git diffs for proxy authentication support (24.05 KB, text/plain)
2018-06-22 17:12 UTC, Joe Mokos

Description Joe Mokos 2018-04-18 15:01:19 UTC
Created attachment 35880
Patch to provide proxy authentication to websocket client

The attached patch provides proxy authentication support to the websocket client via the ClientEndpointConfig.
Comment 1 Joe Mokos 2018-04-20 18:26:44 UTC
Created attachment 35887
Change for proxy authentication with updated scheme selection algorithm

This attachment supersedes all previous attachments
Comment 2 Joe Mokos 2018-04-20 18:27:33 UTC
I've uploaded a 2nd patch file generated from git that supersedes the 1st patch file.  This patch file contains the following changes:

1.  The original algorithm used to choose the proxy authentication scheme always chose the first Proxy-Authenticate header returned on the 407 response.  Of course the first proxy I tried this on supported NTLM.  So "invalid authentication scheme" was logged and authorization failed.  I changed the algorithm to choose the first Proxy-Authenticate header that contained a scheme supported by the websocket client, i.e. Digest or Basic.

2.  The algorithm used to choose the WWW authenticate scheme had the same problem as the proxy authenticate scheme so the same change was applied there.

3.  The variable arguments supplied to getString were not being appended to the base message.  For instance, the exception messages for an unsupported auth scheme rendered as "wsWebSocketContainer.unsupportedProxyAuthScheme" rather than "wsWebSocketContainer.unsupportedProxyAuthScheme 407 NTLM".  {n} tokens were added to the first argument of getString to support the appropriate number of variable arguments.
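
The scheme selection change described in items 1 and 2 of comment 2, as an added example that is not taken from the attached patch or from Tomcat's code. The class name, method names and header values are hypothetical or constructed, and the sketch assumes one challenge per Proxy-Authenticate header value.

```java
import java.util.List;
import java.util.Locale;
import java.util.Optional;
import java.util.Set;

// Added illustration, not Tomcat code; class and method names are hypothetical.
public class ProxyAuthSchemeSelection {

    // Schemes comment 2 names as supported by the websocket client.
    private static final Set<String> SUPPORTED = Set.of("digest", "basic");

    // Scheme token is the text before the first space; schemes compare case-insensitively.
    static String schemeOf(String challenge) {
        String trimmed = challenge.trim();
        int sp = trimmed.indexOf(' ');
        return (sp < 0 ? trimmed : trimmed.substring(0, sp)).toLowerCase(Locale.ROOT);
    }

    // Original behaviour: take the first header whether or not its scheme is usable.
    static Optional<String> firstHeader(List<String> challenges) {
        return challenges.stream().findFirst();
    }

    // Updated behaviour: first header, in arrival order, with a supported scheme.
    static Optional<String> firstSupported(List<String> challenges) {
        return challenges.stream().filter(c -> SUPPORTED.contains(schemeOf(c))).findFirst();
    }

    static String describe(Optional<String> chosen) {
        return chosen.map(ProxyAuthSchemeSelection::schemeOf).orElse("none");
    }

    public static void main(String[] args) {
        // Constructed Proxy-Authenticate values from a 407 response, in arrival order.
        List<String> ntlmFirst = List.of("NTLM", "Negotiate",
                "Digest realm=\"proxy.example\", nonce=\"abc123\", qop=\"auth\"",
                "Basic realm=\"proxy.example\"");
        List<String> basicFirst = List.of("Basic realm=\"proxy.example\"",
                "Digest realm=\"proxy.example\", nonce=\"abc123\", qop=\"auth\"");
        List<String> unsupportedOnly = List.of("NTLM", "Negotiate");

        System.out.println("old rule, NTLM listed first:  " + describe(firstHeader(ntlmFirst)));
        System.out.println("new rule, NTLM listed first:  " + describe(firstSupported(ntlmFirst)));
        System.out.println("new rule, Basic listed first: " + describe(firstSupported(basicFirst)));
        // An empty result is the case the caller has to report as an unsupported scheme.
        System.out.println("new rule, nothing supported:  " + describe(firstSupported(unsupportedOnly)));
    }
}
```

Because this rule follows header order, a proxy that lists Basic ahead of Digest is answered with Basic, which sends the password base64-encoded rather than hashed.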
Comment 3 Mark Thomas 2018-04-24 12:38:24 UTC
Please provide a diff against trunk rather than a sequence of patch files.

Please remove all the getString {n} changes from the proposed diff. Substitution is correctly handled by Tomcat's StringManager implementation.

The patch is not using the StringManager correctly. New strings need to be defined in LocalStrings.properties

Please add ALv2 headers (as per the Tomcat source files) to all new files.

Please remove all @author tags.

Please document the new properties in web-socket-howto.xml
Comment 4 Joe Mokos 2018-06-22 17:12:50 UTC
Created attachment 35984
Git diffs for proxy authentication support

git diff of trunk w/proxy auth changes vs trunk
Comment 5 Joe Mokos 2018-06-22 17:14:36 UTC
I've made the changes you outlined in your previous comments.  

The diff file also contains changes to do realm validation.

Let me know if additional info is needed.
Comment 6 Joe Mokos 2018-06-22 17:16:08 UTC
I've made the changes you outlined in your previous comments.  

The diff file is against the trunk as of 6/22/2018.  It also contains changes to do realm validation.

Let me know if additional info is needed.
Comment 7 radhika.jaju@veritas.com 2022-09-06 14:29:00 UTC
Is this available in any released version?
Comment 8 Mark Thomas 2022-09-06 14:45:44 UTC
(In reply to radhika.jaju@veritas.com from comment #7)
> Is this available in any released version?

No.
Comment 9 radhika.jaju@veritas.com 2022-09-07 08:02:05 UTC
We need the proxy basic authentication support for websocket connections as we are using the Tomcat websocket client library.
Any possibility of getting this bundled with the 9.0.x version of Tomcat?
Comment 10 Mark Thomas 2022-09-08 08:32:39 UTC
*** Bug 59758 has been marked as a duplicate of this bug. ***
Comment 11 Mark Thomas 2022-09-08 08:33:07 UTC
I'm looking at this now.
Comment 12 Mark Thomas 2022-09-09 09:38:43 UTC
Fixed in:
- 10.1.x for 10.1.0-M18 onwards
- 10.0.x for 10.0.24 onwards
-  9.0.x for  9.0.66 onwards
-  8.5.x for  8.5.83 onwards

Many thanks to Joe Mokos for the original patch. While there was a lot of refactoring in the final set of commits, the underlying fix is exactly as proposed in the original patch.
Comment 13 radhika.jaju@veritas.com 2022-09-09 09:43:50 UTC
Wow, thanks so much for the quick resolution.
Comment 14 Mark Thomas 2022-09-09 09:52:24 UTC
It was only so quick due to the great work already done by Joe Mokos.
Comment 15 radhika.jaju@veritas.com 2022-09-09 09:55:23 UTC
Thanks Joe Mokos and Mark Thomas. Really appreciate it.