Summary

Support tool plugin doesn't support proxy authentication

Environment

• STP version 3.10.6, other older versions were not tested
• Java 8u111+

Steps to Reproduce

1. Configure JIRA with proxy auth, eg:

   -Dhttp.proxyUser=test -Dhttp.proxyPassword=ping -Dhttp.proxyHost=172.16.47.128 -Dhttp.proxyPort=8080
   

1. Go to Log analyzer page, [ Administration > System > Support Tools ]

Expected Results

STP is able authenticate at proxy and download xml from confluence.atlassian.com
(Specific URL: https://confluence.atlassian.com/download/attachments/179443532/jira_regex_v2.xml)

Actual Results

• STP is not able authenticate at proxy.
• You will get following error at UI:
  
  Error: We couldn't run the log analyzer. There was a problem running the log analyze. You could try again by clicking Scan

• If you enable INFO logging for com.atlassian.support classes (see JRASERVER-65278) you will get:

  2017-05-11 09:53:12,200 hercules INFO admin 591x13519x2 aa 1.0.0.0 /plugins/servlet/stp/view/hercules/execute [c.a.s.tools.hercules.LogScanTask] Scan failed:
  java.io.IOException: Unable to tunnel through proxy. Proxy returns "HTTP/1.1 407 Proxy Authentication Required"
          at sun.net.www.protocol.http.HttpURLConnection.doTunneling(HttpURLConnection.java:2124)
          at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:183)
          at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1546)
          at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1474)
          at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:254)
          at com.atlassian.sisyphus.RemoteXmlPatternSource.reload(RemoteXmlPatternSource.java:77)
          at com.atlassian.sisyphus.RemoteXmlPatternSource.<init>(RemoteXmlPatternSource.java:68)
          at com.atlassian.support.tools.salext.AbstractSupportApplicationInfo.getPatternSourceByURL(AbstractSupportApplicationInfo.java:263)
          at com.atlassian.support.tools.salext.JiraApplicationInfo.getPatternSource(JiraApplicationInfo.java:151)
          at com.atlassian.support.tools.hercules.LogScanTask.call(LogScanTask.java:52)
          at com.atlassian.support.tools.hercules.LogScanTask.call(LogScanTask.java:24)
          at java.util.concurrent.FutureTask.run(FutureTask.java:266)
          at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
          at java.util.concurrent.FutureTask.run(FutureTask.java:266)
          at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
          at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
          at java.lang.Thread.run(Thread.java:745)
  

Notes

RemoteXmlPatternSource method uses HttpURLConnection method, which doesn't allow Proxy auth for Basic Auth by default.

JIRA will send following request to proxy:

CONNECT confluence.atlassian.com:443 HTTP/1.1
User-Agent: Java/1.8.0_92
Host: confluence.atlassian.com
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Proxy-Connection: keep-alive

Expected request:

CONNECT confluence.atlassian.com:443 HTTP/1.1
Host: confluence.atlassian.com:443
User-Agent: Java/1.8.0_92
Proxy-Connection: Keep-Alive
Proxy-Authorization: Basic dGVzdDp0ZXN0

Note Proxy-Authorization header.

Caused by

Changes in Java 8u111:
from: http://www.oracle.com/technetwork/java/javase/8u111-relnotes-3124969.html
Disable Basic authentication for HTTPS tunneling:

In some environments, certain authentication schemes may be undesirable when proxying HTTPS. Accordingly, the Basic authentication scheme has been deactivated, by default, in the Oracle Java Runtime .. Now, proxies requiring Basic authentication when setting up a tunnel for HTTPS will no longer succeed by default. If required, this authentication scheme can be reactivated by removing Basic from the jdk.http.auth.tunneling.disabledSchemes networking property, or by setting a system property of the same name to "" ( empty ) on the command line.

Fix: Add to Java environment:

-Djdk.http.auth.tunneling.disabledSchemes=

See related KB: Basic authentication fails for outgoing proxy in Java 8u111

Workaround

None