Bug 62312 - Add Proxy Authentication support to websocket client
Status: NEW
Alias: None
Product: Tomcat 9
Classification: Unclassified
Component: WebSocket
Version: 9.0.7
Hardware: PC All
Importance: P2 enhancement
Target Milestone: -----
Assignee: Tomcat Developers Mailing List
Reported: 2018-04-18 15:01 UTC by Joe Mokos
Modified: 2018-06-22 17:16 UTC

Attachments
Patch to provide proxy authentication to websocket client (14.20 KB, patch)
2018-04-18 15:01 UTC, Joe Mokos
Change for proxy authentication with updated scheme selection algorithm (26.74 KB, patch)
2018-04-20 18:26 UTC, Joe Mokos
Git diffs for proxy authentication support (24.05 KB, text/plain)
2018-06-22 17:12 UTC, Joe Mokos

Description Joe Mokos 2018-04-18 15:01:19 UTC
Created attachment 35880
Patch to provide proxy authentication to websocket client

The attached patch provides proxy authentication support to the websocket client via the ClientEndpointConfig.
Comment 1 Joe Mokos 2018-04-20 18:26:44 UTC
Created attachment 35887
Change for proxy authentication with updated scheme selection algorithm

This attachment supersedes all previous attachments.
Comment 2 Joe Mokos 2018-04-20 18:27:33 UTC
I've uploaded a 2nd patch file generated from git that supersedes the 1st patch file. This patch file contains the following changes:

1. The original algorithm used to choose the proxy authentication scheme always chose the first Proxy-Authenticate header returned on the 407 response. Of course the first proxy I tried this on supported NTLM. So "invalid authentication scheme" was logged and authorization failed. I changed the algorithm to choose the first Proxy-Authenticate header that contained a scheme supported by the websocket client, i.e. Digest or Basic.

2. The algorithm used to choose the WWW authenticate scheme had the same problem as the proxy authenticate scheme so the same change was applied there.

3. The variable arguments supplied to getString were not being appended to the base message. For instance, the exception messages for an unsupported auth scheme rendered as "wsWebSocketContainer.unsupportedProxyAuthScheme" rather than "wsWebSocketContainer.unsupportedProxyAuthScheme 407 NTLM". {n} tokens were added to the first argument of getString to support the appropriate number of variable arguments.
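
The scheme selection described in items 1 and 2 of the comment above, as an added example that is not taken from the attached patch or from Tomcat's code. The class and method names are hypothetical, the header values are constructed, and each header value is assumed to carry a single challenge.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Locale;
import java.util.Optional;
import java.util.Set;

public class ProxyAuthSchemeSelection {

    // Schemes the thread names as supported by the websocket client.
    private static final Set<String> SUPPORTED =
            new HashSet<>(Arrays.asList("digest", "basic"));

    /** Scheme token of one header value, lower-cased (scheme names are case-insensitive). */
    static String schemeOf(String headerValue) {
        String v = headerValue.trim();
        int end = 0;
        while (end < v.length() && !Character.isWhitespace(v.charAt(end))) {
            end++;
        }
        return v.substring(0, end).toLowerCase(Locale.ROOT);
    }

    /** First header value whose scheme is supported; empty if none is. */
    static Optional<String> selectChallenge(List<String> values) {
        for (String value : values) {
            if (SUPPORTED.contains(schemeOf(value))) {
                return Optional.of(value);
            }
        }
        return Optional.empty(); // caller fails the handshake, no fallback
    }

    public static void main(String[] args) {
        // Constructed sample headers from a 407 response, NTLM listed first.
        List<String> mixed = Arrays.asList(
                "NTLM",
                "DIGEST realm=\"proxy.example\", nonce=\"abc123\", qop=\"auth\"",
                "Basic realm=\"proxy.example\"");
        // Constructed sample where nothing is usable by the client.
        List<String> unsupported = Arrays.asList("NTLM", "Negotiate");

        System.out.println("first header only: " + schemeOf(mixed.get(0)));
        System.out.println("first supported:   "
                + selectChallenge(mixed).map(ProxyAuthSchemeSelection::schemeOf).orElse("none"));
        System.out.println("no supported:      "
                + selectChallenge(unsupported).map(ProxyAuthSchemeSelection::schemeOf).orElse("none"));
    }
}
```

Because selection follows header order, a proxy that lists Basic ahead of Digest gets Basic. A client that wants Digest whenever it is offered would have to rank the supported schemes instead of taking the first match.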
Comment 3 Mark Thomas 2018-04-24 12:38:24 UTC
Please provide a diff against trunk rather than a sequence of patch files.

Please remove all the getString {n} changes from the proposed diff. Substitution is correctly handled by Tomcat's StringManager implementation.

The patch is not using the StringManager correctly. New strings need to be defined in LocalStrings.properties.

Please add ALv2 headers (as per the Tomcat source files) to all new files.

Please remove all @author tags.

Please document the new properties in web-socket-howto.xml.
Comment 4 Joe Mokos 2018-06-22 17:12:50 UTC
Created attachment 35984
Git diffs for proxy authentication support

git diff of trunk w/proxy auth changes vs trunk
Comment 5 Joe Mokos 2018-06-22 17:14:36 UTC
I've made the changes you outlined in your previous comments.  

The diff file also contains changes to do realm validation.

Let me know if additional info is needed.
Comment 6 Joe Mokos 2018-06-22 17:16:08 UTC
I've made the changes you outlined in your previous comments.  

The diff file is against the trunk as of 6/22/2018.  It also contains changes to do realm validation.

Let me know if additional info is needed.