Uploaded image for project: 'Jira Data Center'
  1. Jira Data Center
  2. JRASERVER-67487

JIRA doesn't handle http forward proxy authentication globally

    XMLWordPrintable

Details

    Description

      Summary

      JIRA core as a platfrom doens't handle http/https forward proxy authentication at a platform level.
      JIRA relies on built in JVM functionality to handle http/https proxy host and port to initiate the connection, but the JVM doesn't handle authentication with a forward proxy.
      The JVM leaved the implementation for authentication to the application code.
      In short, the JIRA core code should be able to handle http.proxyUser and http.proxyPassword on a global level.

      Environment

      • JIRA 7.2.15
      • Configure a forward proxy using basic proxy authentication: eg: squid or apache
      • Configure JIRA to use a forward proxy using following start up options: 
        -Dhttp.proxyHost=127.0.0.1 -Dhttp.proxyPort=3128 -Dhttp.proxyUser=user -Dhttp.proxyPassword=pass -Dhttps.proxyHost=127.0.0.1 -Dhttps.proxyPort=3128 -Dhttps.proxyUser=user -Dhttps.proxyPassword=pass  -Djdk.http.auth.tunneling.disabledSchemes
      • Plan to configure DVCS pluign to try to connect to github using the proxy.

      Steps to Reproduce

      1. After a freshly restarted JIRA
      2. Login to JIRA as admin
      3. Go to Applications and try to configure DVCS to connect to github

      Expected Results

      • JIRA is able to connect to github and verify the user account.

      Actual Results

      • JIRA fails to connect to github and user is faced with a connection/access error.
      • In the logs we see warnings like this: 
        2018-05-24 11:27:15,178 http-nio2-13032-exec-44 WARN admin 687x111223x1 1q8lhhh IP,IP,IP /secure/admin/AddGithubOrganization!finish.jspa [c.a.j.p.d.s.github.webwork.AddGithubOrganization] Caused by: Unable to tunnel through proxy. Proxy returns "HTTP/1.1 407 Proxy Authentication Required"

      Notes

      • You need to avoid doing any other functionality before doing the DVCS configuration to be able to see the error.
      • JIRA core doesn't initialize system wide java.net.Authenticator.setDefault(.Authenticator auth) with an Authenticator object .
        This static method could be used to populate the needed Proxy-Authorization header to allow the connection to pass through the proxy.

      Workaround

      • For the time being, a working workaround for this is to rely on lower level implementations that would set a system wide authenticator object for JIRA, a good working example for this is the JIRA Log Analyzer plugins (Hercules).
        If we access the Log Analyzer page before getting to DVCS configuration, a system wide authenticator will be initialized and will be used by any other implementation until JIRA is restarted.

      With Debug logging for HttpURLConnection enabled (see KB enable debug logging for outgoing-http-connections):

      • Non-working example: note Authentication returned: null 
        17-Jun-2018 15:22:02.833 FINEST [http-nio-8081-exec-8] sun.net.www.protocol.http.HttpURLConnection$1.run Requesting Authentication: host =172.16.47.128 url = https://api.github.com/users/atlamstest
17-Jun-2018 15:22:02.834 FINEST [http-nio-8081-exec-8] sun.net.www.protocol.http.HttpURLConnection$1.run Authentication returned: null
17-Jun-2018 15:22:02.834 FINER [http-nio-8081-exec-8] sun.net.www.protocol.http.HttpURLConnection.getHttpProxyAuthentication Proxy Authentication for AuthenticationHeader: prefer Basic realm="Password Required" returned null
      • Working example: Authentication returned: java.net.PasswordAuthentication@23fa1ec4 
        17-Jun-2018 15:26:02.039 FINEST [hercules] sun.net.www.protocol.http.HttpURLConnection$1.run Requesting Authentication: host =172.16.47.128 url = https://confluence.atlassian.com/download/attachments/179443532/jira_regex_v2.xml
17-Jun-2018 15:26:02.039 FINEST [hercules] sun.net.www.protocol.http.HttpURLConnection$1.run Authentication returned: java.net.PasswordAuthentication@23fa1ec4
17-Jun-2018 15:26:02.041 FINER [hercules] sun.net.www.protocol.http.HttpURLConnection.getHttpProxyAuthentication Proxy Authentication for AuthenticationHeader: prefer Basic realm="Password Required" returned sun.net.www.protocol.http.BasicAuthentication@6515e4a2

      There is currently no grantee that the above workaround would continue to work, other plugins can actually override this system wide authenticator using the above static method and prevent the system form working if the plugin have bad code.

      Please note that the above problem mainly affects code using java.net API eg: DVCS/Eclipse egit or Log Analyzer using the HttpUrlConnection class, Apache HttpClient uses different ways to implement proxy authentication.

      Attachments

        Issue Links

          depended on by

          Bug - A problem which impairs or prevents the functions of the product. JSWSERVER-16657 DVCS plugin is not able to connect to github.com if it runs behind a forward proxy with basic authentication enabled

          • Low - Low priority issues
          • Gathering Impact
          is duplicated by

          Bug - A problem which impairs or prevents the functions of the product. JSWSERVER-14194 Github client connection is not taken outbound https proxy settings

          • Medium - Medium priority issues
          • Closed
          mentioned in

          Page Loading...

          Activity

            People

              Unassigned Unassigned
              sabdelfattah Sherif Abdelfattah (Inactive)
              Votes:
              1 Vote for this issue
              Watchers:
              10 Start watching this issue

              Dates

                Created:
                Updated: