Home > Archive > Java Security > May 2004 > HTTP tunneling through proxy server
You are viewing an archived Text-only version of the thread.
To view this thread in it's original format and/or if you want to reply to
this thread please [click here]
| Author |
HTTP tunneling through proxy server
|
|
| Alex Molochnikov 2004-05-12, 7:55 pm |
| Hello everyone,
I first posted this on comp.lang.java.programmer but to no avail.
Our program connects to the License Generator (the Java-based server running
on our website host) via URLConnection like this:
String _url = "http://gestalt.com/license/";
URL url = new URL(_url);
URLConnection connection = url.openConnection();
connection.setUseCaches(false);
connection.setDoOutput(true);
At the server end, apache server receives the HTTP request and redirects it
to the License Generator which then responds with the appropriate content.
It always worked, but recently someone complained that the connection,
originating from his laptop, cannot go through the proxy server that his
laptop connects to. Unfortunately, I could not get any detail on this
incident, but it left me wondering: what could possibly go wrong with the
connection?
Should I have used HttpURLConnection class instead? And, for this matter,
when would one use HttpURLConnection over URLConnection ?
TIA
Alex Molochnikov
Gestalt Corporation
www.gestalt.com
| |
| Murray 2004-05-12, 7:55 pm |
| > It always worked, but recently someone complained that the connection,
> originating from his laptop, cannot go through the proxy server that his
> laptop connects to. Unfortunately, I could not get any detail on this
> incident, but it left me wondering: what could possibly go wrong with the
> connection?
>
> Should I have used HttpURLConnection class instead? And, for this matter,
> when would one use HttpURLConnection over URLConnection ?
>
> TIA
You are already using HttpURLConnection since URL.openConnection returns one
if it's a HTTP request.
Unless the user's proxy is a transparent proxy, they or your code will need
to supply the proxy server details.
When starting the program, they can add two parameters to the command line
e.g.
java java -Dhttp.proxyHost=proxyhost -Dhttp.proxyPort=portNumber
YourProgram
portNumber is optional and defaults to 80.
Or in your program you can do
System.setProperty( "proxySet", "true" );
System.setProperty( "http.proxyHost", "????" );
System.setProperty( "http.proxyPort", "????" );
before you open a connection
| |
| Roedy Green 2004-05-12, 7:55 pm |
| On Sun, 09 May 2004 15:47:39 GMT, "Alex Molochnikov"
<NOBODY@NOSPAM.COM> wrote or quoted :
>
>Should I have used HttpURLConnection class instead? And, for this matter,
>when would one use HttpURLConnection over URLConnection ?
you did. It just you did not exploit all its methods.
you could have written
HttpConnection connection = (HttpConnection) url.openConnection();
I suggest using a sniffer to find out what DOES get through and look
also at what you are sending. That may give you a clue why it does not
like you.
see http://mindprod.com/jgloss/sniffer.html
--
Canadian Mind Products, Roedy Green.
Coaching, problem solving, economical contract programming.
See http://mindprod.com/jgloss/jgloss.html for The Java Glossary.
| |
| Roedy Green 2004-05-12, 7:55 pm |
| On Mon, 10 May 2004 02:31:42 +1000, "Murray"
<parps@SPAMoffSPAMMER.optusSP4Mnet.com.au> wrote or quoted :
>
> System.setProperty( "proxySet", "true" );
> System.setProperty( "http.proxyHost", "????" );
> System.setProperty( "http.proxyPort", "????" );
When you do this, what actually happens at the HTTP packet header
level? Does it set up the socket to the proxy and add some headers
saying what the true destination is?
--
Canadian Mind Products, Roedy Green.
Coaching, problem solving, economical contract programming.
See http://mindprod.com/jgloss/jgloss.html for The Java Glossary.
| |
| nobody 2004-05-12, 7:55 pm |
|
>
>
>
> When you do this, what actually happens at the HTTP packet header
> level? Does it set up the socket to the proxy and add some headers
> saying what the true destination is?
>
> --
Generally speaking, yes; instead of connecting directly to i.e.
"server.com" and doing:
GET /index.html
the connection is made to the proxy server (i.e. "proxy.com") and does:
GET http://server.com/index.html
which tells the proxy server to make the real connection and retrieve
the content. This is often used in a corporate setting (where the proxy
server is the only way out of the intranet).
One other thing relevant to this discussion would be proxies requiring
authentication; this is done in a fashion very similar to normal HTTP
auth, but instead of using "WWW-Authenticate" and "Authorization", the
authentication handshake uses "Proxy-Authenticate" and
"Proxy-Authorization". The java.net.Authenticator class is used to
obtain the proxy credentials for the connection.
JDK 1.4.2 introduced support for the NTLM authentication protocol on
Windows platforms, which is a proprietary Microsoft authentication
scheme (often used in corporate settings for Windows domain-based
authentication with IIS, and proxy authentication with ISA proxy
servers). You typically need to additionally set the
"http.auth.ntlm.domain" property to specify the domain in which the
account resides. See:
http://java.sun.com/j2se/1.4.2/docs...rties.html#ntlm
The jCIFS library (http://jcifs.samba.org) provides this functionality
to Unix clients as well; it also has an NTLM filter which allows your
servlets to authenticate using NTLM (acting as the server side of NTLM).
NTLM authentication is used throughout Windows network implementations,
including connections to shared drives (which the jCIFS library also
provides).
| |
| Roedy Green 2004-05-12, 7:55 pm |
| On Sun, 09 May 2004 23:42:58 GMT, nobody <nobody@example.com> wrote or
quoted :
>which tells the proxy server to make the real connection and retrieve
>the content. This is often used in a corporate setting (where the proxy
>server is the only way out of the intranet).
I understand that part. See http://mindprod.com/jgloss/proxy.html
What I don't yet know is how does the proxy know the real address to
relay the request to? Is there some http header or some other
protocol?
--
Canadian Mind Products, Roedy Green.
Coaching, problem solving, economical contract programming.
See http://mindprod.com/jgloss/jgloss.html for The Java Glossary.
| |
| Roedy Green 2004-05-12, 7:55 pm |
| On Sun, 09 May 2004 23:42:58 GMT, nobody <nobody@example.com> wrote or
quoted :
>One other thing relevant to this discussion would be proxies requiring
>authentication; this is done in a fashion very similar to normal HTTP
>auth, but instead of using "WWW-Authenticate" and "Authorization", the
>authentication handshake uses "Proxy-Authenticate" and
>"Proxy-Authorization". The java.net.Authenticator class is used to
>obtain the proxy credentials for the connection.
>
>JDK 1.4.2 introduced support for the NTLM authentication protocol on
>Windows platforms, which is a proprietary Microsoft authentication
>scheme (often used in corporate settings for Windows domain-based
>authentication with IIS, and proxy authentication with ISA proxy
>servers). You typically need to additionally set the
>"http.auth.ntlm.domain" property to specify the domain in which the
>account resides. See:
>
>http://java.sun.com/j2se/1.4.2/docs...rties.html#ntlm
>
>The jCIFS library (http://jcifs.samba.org) provides this functionality
>to Unix clients as well; it also has an NTLM filter which allows your
>servlets to authenticate using NTLM (acting as the server side of NTLM).
>NTLM authentication is used throughout Windows network implementations,
>including connections to shared drives (which the jCIFS library also
>provides).
I have added your explanation for posterity to
http://mindprod.com/jgloss/proxy.html
--
Canadian Mind Products, Roedy Green.
Coaching, problem solving, economical contract programming.
See http://mindprod.com/jgloss/jgloss.html for The Java Glossary.
| |
| Rogan Dawes 2004-05-12, 7:55 pm |
| Roedy Green wrote:
> On Sun, 09 May 2004 23:42:58 GMT, nobody <nobody@example.com> wrote or
> quoted :
>
>
>
>
> I understand that part. See http://mindprod.com/jgloss/proxy.html
>
> What I don't yet know is how does the proxy know the real address to
> relay the request to? Is there some http header or some other
> protocol?
>
The proxy does a lookup of the requested hostname, and connects to it,
exactly as your browser does for non-proxied requests.
The proxy server receives:
GET http://my.proxied.host/path/file HTTP/1.0
Host: my.proxied.host
Cookie: whatever
Other: headers
It then looks up the address of "my.proxied.host", and makes a
connection to it, and sends:
GET /path/file HTTP/1.0
Host: my.proxied.host
Cookie: whatever
Other: headers
And returns the response to the client browser (and does some handling
to cache the content, close persistent connections, etc as required)
Regards,
Rogan
--
Rogan Dawes
*ALL* messages to discard@dawes.za.net will be dropped, and added
to my blacklist. Please respond to "nntp AT dawes DOT za DOT net"
| |
| Alex Molochnikov 2004-05-12, 7:55 pm |
| My heartful thanks to everyone who responded to my inquiry.
We are going to implement an automatic update feature in our Report
Generator that will check with our server and install new .jar files when
they become available (somewhat similat to how Eclipse updates itself). The
Report Generator may run behind the proxy server, but unfortunately our own
environment uses a Linux-based firewall, rather than a proxy server, so we
cannot test the updating mechanism.
I am going to write a very simplistic client that will ask the user to set
the proxy server host name and then download an ASCII test file from our
update manager.
Would anyone with a proxy server be able to assist me in testing the client?
Thank you again for your help.
Alex Molochnikov
Gestalt Corporation
www.gestalt.com
"Murray" <parps@SPAMoffSPAMMER.optusSP4Mnet.com.au> wrote in message
news:409e5cef$0$25007$afc38c87@news.optusnet.com.au...
the[color=darkred]
matter,[color=darkred]
>
> You are already using HttpURLConnection since URL.openConnection returns
one
> if it's a HTTP request.
>
> Unless the user's proxy is a transparent proxy, they or your code will
need
> to supply the proxy server details.
>
> When starting the program, they can add two parameters to the command line
> e.g.
> java java -Dhttp.proxyHost=proxyhost -Dhttp.proxyPort=portNumber
> YourProgram
>
> portNumber is optional and defaults to 80.
>
> Or in your program you can do
>
> System.setProperty( "proxySet", "true" );
> System.setProperty( "http.proxyHost", "????" );
> System.setProperty( "http.proxyPort", "????" );
>
> before you open a connection
>
>
>
|
|
|
|
|