
Java Forum / Security / May 2004


HTTP tunneling through proxy server

Alex Molochnikov - 09 May 2004 16:47 GMT
Hello everyone,

I first posted this on comp.lang.java.programmer but to no avail.

Our program connects to the License Generator (the Java-based server running
on our website host) via URLConnection like this:

String _url = "http://gestalt.com/license/";
URL url = new URL(_url);
URLConnection connection = url.openConnection();
connection.setUseCaches(false);
connection.setDoOutput(true);

At the server end, Apache server receives the HTTP request and redirects it
to the License Generator which then responds with the appropriate content.

It always worked, but recently someone complained that the connection,
originating from his laptop, cannot go through the proxy server that his
laptop connects to. Unfortunately, I could not get any detail on this
incident, but it left me wondering: what could possibly go wrong with the
connection?

Should I have used HttpURLConnection class instead? And, for this matter,
when would one use HttpURLConnection over URLConnection ?

TIA

Alex Molochnikov
Gestalt Corporation
www.gestalt.com
Murray - 09 May 2004 17:31 GMT
> It always worked, but recently someone complained that the connection,
> originating from his laptop, cannot go through the proxy server that his
[quoted text clipped - 6 lines]
>
> TIA

You are already using HttpURLConnection since URL.openConnection returns one
if it's a HTTP request.

Unless the user's proxy is a transparent proxy, they or your code will need
to supply the proxy server details.

When starting the program, they can add two parameters to the command line
e.g.
       java -Dhttp.proxyHost=proxyhost -Dhttp.proxyPort=portNumber YourProgram

portNumber is optional and defaults to 80.

Or in your program you can do

   System.setProperty( "proxySet", "true" );
   System.setProperty( "http.proxyHost", "????" );
   System.setProperty( "http.proxyPort", "????" );

before you open a connection
Roedy Green - 09 May 2004 21:45 GMT
>    System.setProperty( "proxySet", "true" );
>    System.setProperty( "http.proxyHost", "????" );
>    System.setProperty( "http.proxyPort", "????" );

When you do this, what actually happens at the HTTP packet header
level?  Does it set up the socket to the proxy and add some headers
saying what the true destination is?

--
Canadian Mind Products, Roedy Green.
Coaching, problem solving, economical contract programming.
See http://mindprod.com/jgloss/jgloss.html for The Java Glossary.
nobody - 10 May 2004 00:42 GMT
>>   System.setProperty( "proxySet", "true" );
>>   System.setProperty( "http.proxyHost", "????" );
[quoted text clipped - 5 lines]
>
> --

Generally speaking, yes; instead of connecting directly to i.e.
"server.com" and doing:

GET /index.html

the connection is made to the proxy server (i.e. "proxy.com") and does:

GET http://server.com/index.html

which tells the proxy server to make the real connection and retrieve
the content.  This is often used in a corporate setting (where the proxy
server is the only way out of the intranet).

One other thing relevant to this discussion would be proxies requiring
authentication; this is done in a fashion very similar to normal HTTP
auth, but instead of using "WWW-Authenticate" and "Authorization", the
authentication handshake uses "Proxy-Authenticate" and
"Proxy-Authorization".  The java.net.Authenticator class is used to
obtain the proxy credentials for the connection.

JDK 1.4.2 introduced support for the NTLM authentication protocol on
Windows platforms, which is a proprietary Microsoft authentication
scheme (often used in corporate settings for Windows domain-based
authentication with IIS, and proxy authentication with ISA proxy
servers).  You typically need to additionally set the
"http.auth.ntlm.domain" property to specify the domain in which the
account resides.  See:

http://java.sun.com/j2se/1.4.2/docs/guide/net/properties.html#ntlm

The jCIFS library (http://jcifs.samba.org) provides this functionality
to Unix clients as well; it also has an NTLM filter which allows your
servlets to authenticate using NTLM (acting as the server side of NTLM).
NTLM authentication is used throughout Windows network implementations,
including connections to shared drives (which the jCIFS library also
provides).
Roedy Green - 10 May 2004 01:36 GMT
>which tells the proxy server to make the real connection and retrieve
>the content.  This is often used in a corporate setting (where the proxy
>server is the only way out of the intranet).

I understand that part.  See http://mindprod.com/jgloss/proxy.html

What I don't yet know is how does the proxy know the real address to
relay the request to?  Is there some http header or some other
protocol?

--
Canadian Mind Products, Roedy Green.
Coaching, problem solving, economical contract programming.
See http://mindprod.com/jgloss/jgloss.html for The Java Glossary.
Rogan Dawes - 10 May 2004 11:55 GMT
>>which tells the proxy server to make the real connection and retrieve
>>the content.  This is often used in a corporate setting (where the proxy
[quoted text clipped - 5 lines]
> relay the request to?  Is there some http header or some other
> protocol?

The proxy does a lookup of the requested hostname, and connects to it,
exactly as your browser does for non-proxied requests.

The proxy server receives:

GET http://my.proxied.host/path/file HTTP/1.0
Host: my.proxied.host
Cookie: whatever
Other: headers

It then looks up the address of "my.proxied.host", and makes a
connection to it, and sends:

GET /path/file HTTP/1.0
Host: my.proxied.host
Cookie: whatever
Other: headers

And returns the response to the client browser (and does some handling
to cache the content, close persistent connections, etc as required)

Regards,

Rogan

Rogan Dawes

*ALL* messages to discard@dawes.za.net will be dropped, and added
to my blacklist. Please respond to "nntp AT dawes DOT za DOT net"

Roedy Green - 10 May 2004 02:22 GMT
>One other thing relevant to this discussion would be proxies requiring
>authentication; this is done in a fashion very similar to normal HTTP
[quoted text clipped - 19 lines]
>including connections to shared drives (which the jCIFS library also
>provides).

I have added your explanation for posterity to
http://mindprod.com/jgloss/proxy.html

--
Canadian Mind Products, Roedy Green.
Coaching, problem solving, economical contract programming.
See http://mindprod.com/jgloss/jgloss.html for The Java Glossary.
Alex Molochnikov - 10 May 2004 17:29 GMT
My heartfelt thanks to everyone who responded to my inquiry.

We are going to implement an automatic update feature in our Report
Generator that will check with our server and install new .jar files when
they become available (somewhat similar to how Eclipse updates itself). The
Report Generator may run behind the proxy server, but unfortunately our own
environment uses a Linux-based firewall, rather than a proxy server, so we
cannot test the updating mechanism.

I am going to write a very simplistic client that will ask the user to set
the proxy server host name and then download an ASCII test file from our
update manager.

Would anyone with a proxy server be able to assist me in testing the client?

Thank you again for your help.

Alex Molochnikov
Gestalt Corporation
www.gestalt.com

> > It always worked, but recently someone complained that the connection,
> > originating from his laptop, cannot go through the proxy server that his
[quoted text clipped - 27 lines]
>
> before you open a connection
Roedy Green - 09 May 2004 21:24 GMT
>Should I have used HttpURLConnection class instead? And, for this matter,
>when would one use HttpURLConnection over URLConnection ?

You did. It's just that you did not exploit all its methods.

You could have written

HttpURLConnection connection = (HttpURLConnection) url.openConnection();

I suggest using a sniffer to find out what DOES get through and look
also at what you are sending. That may give you a clue why it does not
like you.

see http://mindprod.com/jgloss/sniffer.html

--
Canadian Mind Products, Roedy Green.
Coaching, problem solving, economical contract programming.
See http://mindprod.com/jgloss/jgloss.html for The Java Glossary.

