Java Web Start: Unable to tunnel through proxy since Java 8 Update 111

Asked 23/1, 2017 at 12:29 Answered 8/2, 2023 at 20:53

Solved java https proxy java-web-start tunneling

Some of our customers cannot run our Java Web Start client anymore since Java 8 Update 111. They get:

java.io.IOException: Unable to tunnel through proxy. Proxy returns "HTTP/1.1 407 Proxy Authentication Required

Looks like it has to do with this change:

Now, proxies requiring Basic authentication when setting up a tunnel for HTTPS will no longer succeed by default. If required, this authentication scheme can be reactivated by removing Basic from the jdk.http.auth.tunneling.disabledSchemes networking property, or by setting a system property of the same name to "" ( empty ) on the command line.

Is there any way if customers are not willing to change their proxy authentication method?

Note: Adding <property name="jdk.http.auth.tunneling.disabledSchemes" value=""/> to <resources> of the JNLP has no effect. This is because only a few properties are supported this way (there is a list near the bottom of this page). "jdk.http.auth.tunneling.disabledSchemes" is not among them.

Kop answered 23/1, 2017 at 12:29 Comment(2)

Were you able to verify, that property is generall working? This SO answer may help: https://mcmap.net/q/152284/-enabling-jvm-options-with-java-web-start-jnlp – Cowes 23/1, 2017 at 12:44

No, it's the first time I am trying to use a property tag. However java-vm-args does not seem to apply here, as there are only a few arguments supported this was. Here is a list: docs.oracle.com/javase/8/docs/technotes/guides/javaws/… However, now I see there is also such a list for the property tag. Hm. So there is no possible way to enable basic auth proxy tunneling in Java Web Start? – Kop 23/1, 2017 at 13:0

I found out that there is one way, but not in the hands of the developer: The user can add

-Djdk.http.auth.tunneling.disabledSchemes=""

for Java 8 in Java Control Panel → Java → View... → Runtime Parameters

for Java 9 in Java Control Panel → Desktop Settings → Runtime Parameters

Kop answered 3/2, 2017 at 8:29 Comment(0)

Beside the answer of mbee one can also configure this in the net.properties file of the jre:

C:\Program Files (x86)\Java\jre1.8.0_131\lib\net.properties

Currently last line 100 need to be commented out:

Before:

 #jdk.http.auth.proxying.disabledSchemes=
 jdk.http.auth.tunneling.disabledSchemes=Basic

After:

 #jdk.http.auth.proxying.disabledSchemes=
 #jdk.http.auth.tunneling.disabledSchemes=Basic

Note that both answers need to be repeated after a Java Update, although the Java Auto Update is deactivated with Basic Internet Proxy Authentication.

Legwork answered 21/4, 2017 at 14:45 Comment(0)

If you require to do this at runtime you can set the value of the jdk.http.auth.proxying.disabledSchemes property by adding

System.setProperty("jdk.http.auth.tunneling.disabledSchemes", "");

to the main method of your application.

Dowse answered 9/5, 2017 at 18:17 Comment(3)

Are you sure you can change such security settings at runtime? I mean: Did you check if this has an effect? – Kop 10/5, 2017 at 7:34

Yes you can. I've just been struggeling with that problem a few days ago and found this thread which solved the problem I had. I closed up setting the property in the main method which works fine for me. – Dowse 11/5, 2017 at 13:17

sounds like a security bug – Legwork 22/2, 2018 at 10:8

I had this issue too while trying to access an external SOAP Webservice trough a Proxy-Server using BASIC-Authentification for an application running on Apache Tomcat.

Setting the property programmatically (System.setProperty("jdk.http.auth.tunneling.disabledSchemes", "");) during application initialization did not work. It had to be set as VM-Argument or (not very nice way of course :)) in [JRE_HOME]\lib\net.properties.

Syllabub answered 28/6, 2018 at 16:31 Comment(1)

Setting such a property programmatically DOES work, but you have to be sure that the initialization is done before the first network connection is made. Some libraries do network connections during initialization, e.g. you logging framework could set up logging via UDP, or a library could "helpfully" check for updates, or something like that. – Citron 23/11, 2018 at 5:53

I enabled the below feature in net.properties and it worked without any other changes:

java.net.useSystemProxies=true (this was false earlier)

Fibrin answered 8/2, 2023 at 20:53 Comment(0)

Recommended topics

Hot tags