Uploaded image for project: 'Jira Data Center'
  1. Jira Data Center
  2. JRASERVER-65287

Support tool plugin doesn't support proxy authentication

XMLWordPrintable

      Summary

      Support tool plugin doesn't support proxy authentication

      Environment

      • STP version 3.10.6, other older versions were not tested
      • Java 8u111+

      Steps to Reproduce

      1. Configure JIRA with proxy auth, eg:
        -Dhttp.proxyUser=test -Dhttp.proxyPassword=ping -Dhttp.proxyHost=172.16.47.128 -Dhttp.proxyPort=8080
        
      1. Go to Log analyzer page, [ Administration > System > Support Tools ]

      Expected Results

      STP is able authenticate at proxy and download xml from confluence.atlassian.com
      (Specific URL: https://confluence.atlassian.com/download/attachments/179443532/jira_regex_v2.xml)

      Actual Results

      • STP is not able authenticate at proxy.
      • You will get following error at UI:

        Error: We couldn't run the log analyzer. There was a problem running the log analyze. You could try again by clicking Scan
      • If you enable INFO logging for com.atlassian.support classes (see JRASERVER-65278) you will get:
        2017-05-11 09:53:12,200 hercules INFO admin 591x13519x2 aa 1.0.0.0 /plugins/servlet/stp/view/hercules/execute [c.a.s.tools.hercules.LogScanTask] Scan failed:
        java.io.IOException: Unable to tunnel through proxy. Proxy returns "HTTP/1.1 407 Proxy Authentication Required"
                at sun.net.www.protocol.http.HttpURLConnection.doTunneling(HttpURLConnection.java:2124)
                at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:183)
                at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1546)
                at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1474)
                at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:254)
                at com.atlassian.sisyphus.RemoteXmlPatternSource.reload(RemoteXmlPatternSource.java:77)
                at com.atlassian.sisyphus.RemoteXmlPatternSource.<init>(RemoteXmlPatternSource.java:68)
                at com.atlassian.support.tools.salext.AbstractSupportApplicationInfo.getPatternSourceByURL(AbstractSupportApplicationInfo.java:263)
                at com.atlassian.support.tools.salext.JiraApplicationInfo.getPatternSource(JiraApplicationInfo.java:151)
                at com.atlassian.support.tools.hercules.LogScanTask.call(LogScanTask.java:52)
                at com.atlassian.support.tools.hercules.LogScanTask.call(LogScanTask.java:24)
                at java.util.concurrent.FutureTask.run(FutureTask.java:266)
                at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
                at java.util.concurrent.FutureTask.run(FutureTask.java:266)
                at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
                at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
                at java.lang.Thread.run(Thread.java:745)
        

      Notes

      RemoteXmlPatternSource method uses HttpURLConnection method, which doesn't allow Proxy auth for Basic Auth by default.

      JIRA will send following request to proxy:

      CONNECT confluence.atlassian.com:443 HTTP/1.1
      User-Agent: Java/1.8.0_92
      Host: confluence.atlassian.com
      Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
      Proxy-Connection: keep-alive
      

      Expected request:

      CONNECT confluence.atlassian.com:443 HTTP/1.1
      Host: confluence.atlassian.com:443
      User-Agent: Java/1.8.0_92
      Proxy-Connection: Keep-Alive
      Proxy-Authorization: Basic dGVzdDp0ZXN0
      

      Note Proxy-Authorization header.

      Caused by

      Changes in Java 8u111:
      from: http://www.oracle.com/technetwork/java/javase/8u111-relnotes-3124969.html
      Disable Basic authentication for HTTPS tunneling:

      In some environments, certain authentication schemes may be undesirable when proxying HTTPS. Accordingly, the Basic authentication scheme has been deactivated, by default, in the Oracle Java Runtime .. Now, proxies requiring Basic authentication when setting up a tunnel for HTTPS will no longer succeed by default. If required, this authentication scheme can be reactivated by removing Basic from the jdk.http.auth.tunneling.disabledSchemes networking property, or by setting a system property of the same name to "" ( empty ) on the command line.

      Fix: Add to Java environment:

      -Djdk.http.auth.tunneling.disabledSchemes=
      

      See related KB: Basic authentication fails for outgoing proxy in Java 8u111

      Workaround

      None

        1. log-analyzer_error.png
          151 kB
          Andriy Yakovlev [Atlassian]

              Unassigned Unassigned
              ayakovlev@atlassian.com Andriy Yakovlev [Atlassian]
              Votes:
              0 Vote for this issue
              Watchers:
              5 Start watching this issue

                Created:
                Updated:
                Resolved: