axis-java-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From <>
Subject BUG: Axis + Java Web Start + Authenticating Proxies
Date Wed, 02 Apr 2003 16:17:14 GMT
Using Java Web Start and Axis together is a great idea.  But there is a design flaw that prevents
using the combination in professional-quality internet-aware applications.  Any solutions
or workarounds would be greatly welcome.


1) Problem occurs only when working with a proxy, and when the proxy requires username/password
authentication.  Things work fine in all other situations.

2) I am aware that Axis obtains proxy host and port information from the system properties
http.proxyHost and http.proxyPort.  Not a problem, since Java Web Start uses proxyHost and
proxyPort and it is a simple matter to copy the values.

3) Java Web Start brings up a proxy login dialog box before the application starts up (since
it needs to check/retrieve the latest version of the code).  It assumes that the application
will rely on HttpURLConnection and therefore inherit the DefaultAuthenticator (from Java Web

4) Java Web Start provides no mechanism to extract the username and password from the initial
proxy login.  Sun appears to want things to remain this way.  Therefore using Call.setUsername()
and Call.setPassword does not really help.

5) It is possible to call Authenticator.requestPasswordAuthentication() to bring up a popup
login for the proxy username and password.

The problem is that we can justify to the user the application login as a business necessity,
and the initial proxy login as Sun's unfriendly and lame implementation of Java Web Start,
but it is impossible to justify a second proxy login.

We have found a temporary workaround by (a) Using a raw socket (not an HttpURLConnection in
order to bypass Java Web Start) to query the proxy for its proxy prompt, and (b) Supplying
the host, port and prompt to requestPasswordAuthentication().  If the values match the ones
used by the initial proxy login, a second login screen is not displayed but the PasswordAuthentication
object is returned with the username and password.  Unfortunately, Sun considers this behavior
a security bug and plans to block it in the upcoming JRE 1.4.2.

Note, this problem also happens when using the older Apache SOAP.

Can someone suggest a solution to this problem?


View raw message