Proxy authentication is not working

[shoblingr]

Apache NetBeans version

Apache NetBeans 13

What happened

The proxy is configured in the config panel, with user and password specified. But for the test we get message "407 Proxy Ahtentication Required".
Connection is not working, eg. fetching plugins is ko.
See attached image for detail.

How to reproduce

configure proxy and click test...

Did this work correctly in an earlier version?

Apache NetBeans 12.3 or earlier

Operating System

Windows 10

JDK

jdk-11.0.8+10

Apache NetBeans packaging

Apache NetBeans binary zip

Anything else

No response

Are you willing to submit a pull request?

No

Code of Conduct

Yes

[matthiasblaesing]

Please provide the message.log file. On windows it can be found in the directory C:\Users\$USERNAME\AppData\Roaming\NetBeans\$VERSION\var\log\messages.log.

[shoblingr]

Hi,

Here it is
messages.log
.

[vieiro]

Hi @shoblingr ,
You're getting an HTTP 407 "Proxy Authentication Required" (https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/407)

• Click the "More..." button at the right of the "Manual Proxy Settings".
• The "Advanced Proxy Options" dialog appears
• Check the "Proxy Requires Explicit Authentication"
• Enter the username and password that you need for that proxy.

[shoblingr]

Hi,
Thanks @vieiro for your advice, unfortunately this is already done, chek my screnshots in the first post, but it is not working...
Stef

[vieiro]

Ah, very true, I didn't notice you were already setting user/password.
What kind of proxy authentication are you using, @shoblingr ? Is it basic, NTLM or what?

[shoblingr]

Hi, it basic authentication (Proxy-Authenticate: BASIC realm="Auth_LDAP"). I did some tests using jmeter to pass through the proxy. Using java sampler implementation, I have the same behavior than netbeans :
java.io.IOException: Unable to tunnel through proxy. Proxy returns "HTTP/1.1 407 Proxy Authentication Required"
at java.base/sun.net.www.protocol.http.HttpURLConnection.doTunneling(HttpURLConnection.java:2177)
at java.base/sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:183)
at java.base/sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:168)
at org.apache.jmeter.protocol.http.sampler.HTTPJavaImpl.sample(HTTPJavaImpl.java:540)
at org.apache.jmeter.protocol.http.sampler.HTTPSamplerProxy.sample(HTTPSamplerProxy.java:67)
at org.apache.jmeter.protocol.http.sampler.HTTPSamplerBase.sample(HTTPSamplerBase.java:1282)
at org.apache.jmeter.protocol.http.sampler.HTTPSamplerBase.sample(HTTPSamplerBase.java:1271)
at org.apache.jmeter.threads.JMeterThread.doSampling(JMeterThread.java:627)
at org.apache.jmeter.threads.JMeterThread.executeSamplePackage(JMeterThread.java:551)
at org.apache.jmeter.threads.JMeterThread.processSampler(JMeterThread.java:490)
at org.apache.jmeter.threads.JMeterThread.run(JMeterThread.java:257)
at java.base/java.lang.Thread.run(Thread.java:836)

But if I switch to Apache HttpClient4 implementation, the call is successful with the same proxy configuration...

[matthiasblaesing]

I'll risk a guess: Your password (or the username) contains characters outside the ASCII range. If I remember correctly Basic Auth was only defined for Latin1, but was extended to UTF-8 . Do you have the option to test with a password containing only ASCII characters?

[shoblingr]

No, password is in only standard letters and numbers... So it is ASCII only

[shoblingr]

Ok I found a solution :)
Following this article : https://stackoverflow.com/questions/41505219/unable-to-tunnel-through-proxy-proxy-returns-http-1-1-407-via-https
It seems the problem is comming from:
Change in Java 8 Update 111:
Now, proxies requiring Basic authentication when setting up a tunnel for HTTPS will no longer succeed by default. If required, this authentication scheme can be reactivated by removing Basic from the jdk.http.auth.tunneling.disabledSchemes networking property, or by setting a system property of the same name to "" ( empty ) on the command line.

To fix the issue, I added the option -Djdk.http.auth.tunneling.disabledSchemes="" to netbean conf as follow:
netbeans_default_options="-J-XX:+UseStringDeduplication -J-Xss2m -J-Djdk.http.auth.tunneling.disabledSchemes=\"\" -J-Dapple.laf.useScreenMenuBar=true (...)

Now it works great :)
Maybe this conf could be added by default in netbean distribution ?
Thanks for your help!

Stef

[neilcsmith-net]

Maybe this conf could be added by default in netbean distribution ?

Doesn't that amount to disabling a security feature of the JDK by default? In which case, probably not. Better error message maybe? Also see https://bugzilla.redhat.com/show_bug.cgi?id=1386103

[matthiasblaesing]

Maybe this conf could be added by default in netbean distribution ?

Doesn't that amount to disabling a security feature of the JDK by default? In which case, probably not. Better error message maybe? Also see https://bugzilla.redhat.com/show_bug.cgi?id=1386103

If we warn the user, it is a feature, not a CVE. If your IT department requires you to use an authenticated proxy, you probably won't have a chance to change their thinking.

The problem is, that the JDK at least partitially uses aggressive caching of the property:

https://github.com/openjdk/jdk/blob/47b1c51bbd28582d209db07052e553a76acced65/src/java.net.http/share/classes/jdk/internal/net/http/common/Utils.java#L260-L274

So if you want to make that dynamic you have to reflect into an internal module.

[mbien]

we could add a hint to the proxy settings window explaining that a flag might be required to get legacy auth behavior back.

Accessing JDK internals should only be used as last resort IMO. Ideally we should try to shrink the --add-opens list if possible (edit: link to list + readme).

[vieiro]

I created this PR for the website explaining the problem apache/netbeans-website#592
Maybe we can add a link to this page from the dialog, so users can learn about the problem (and the solution) in the future.

[shoblingr]

Hi, this is already done, please look at the screenshot I posted Regards, Stef Le ven. 11 mars 2022 à 23:03, Antonio Vieiro ***@***.***> a écrit :

…

Hi @shoblingr <https://github.com/shoblingr> , You're getting an HTTP 407 "Proxy Authentication Required" ( https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/407) - Click the "More..." button at the right of the "Manual Proxy Settings". - Check the "Proxy Requires Explicit Authentication" - The "Advanced Proxy Options" dialog appears, enter the username and password that you need for that proxy. [image: imagen] <https://user-images.githubusercontent.com/564140/157976209-aef8c7d0-e68c-46bb-9744-f25007ee68f1.png> — Reply to this email directly, view it on GitHub <#3748 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AA3VDFTQIZ6ATYPXROTOT5TU7O7KFANCNFSM5QL3XGKQ> . Triage notifications on the go with GitHub Mobile for iOS <https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675> or Android <https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub>. You are receiving this because you were mentioned.Message ID: ***@***.***>