Name: gm110360 Date: 03/22/2002


FULL PRODUCT VERSION :
Java(TM) 2 Runtime Environment, Standard Edition (build 1.4.0-b92)
Java HotSpot(TM) Client VM (build 1.4.0-b92, mixed mode)

FULL OPERATING SYSTEM VERSION :
Microsoft Windows XP [Version 5.1.2600]

EXTRA RELEVANT SYSTEM CONFIGURATION :
Internet Explorer 6.0

A DESCRIPTION OF THE PROBLEM :
It is usually desirable when one has a password protected
website to keep the jar or class files for applets in the
password protected area so those without access can't
obtain them and/or analyze them. This used to work just
fine for me. The user would log on to the site and the
applets would all load with no problem. The newest version
of the plug-in (included with jre 1.4.0) now asks the user
to re-authenticate with the server. This plainly sucks.
Furthermore is not expected or desirable, so therefore I
call it a bug. I have a website that uses Swing applets,
and part of the design spec was that users only have to
authenticate once. My guess of what is going on is that
the web browser used to download the class files but now
the plug-in does. My suggestion to you guys is either
change it back or find a way to obtain the credentials
from the web browser.

Basic authentication is a standard authentication method
and should therefore be fully supported.

REGRESSION. Last worked in version 1.3.1

STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
Place an html file invoking the java plug-in and the
associated class or jar files on a webserver, all in an
area that requires basic authentication to access from the
web.

Access the page, and you will be prompted once by the web
browser for authentication and again by the plug-in.

EXPECTED VERSUS ACTUAL BEHAVIOR :
One expects to only need to log on to a website once per
session, but if the site uses the java plug-in and basic
authentication that is not the case.

This bug can be reproduced always.

CUSTOMER WORKAROUND :
Use earlier version of the plug-in.

If the page is generated dynamically by the server you
could try to contruct a URL pointing to the source code in
the applet invocation with the user's username and
password; i.e. in this
form "http://<username><password>@<servername><path to jar
file>". but I haven't tested this.

You can also use a different method of authentication that
is truly session-based.
(Review ID: 143637)
======================================================================

Name: gm110360 Date: 03/22/2002


FULL PRODUCT VERSION :
java version "1.4.0"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.4.0-b92)
Java HotSpot(TM) Client VM (build 1.4.0-b92, mixed mode)
----------
Java(TM) Plug-in: Version 1.4.0
Using JRE version 1.4.0 Java HotSpot(TM) Client VM
  User home directory = C:\Documents and Settings\joen

Proxy Configuration: No proxy


FULL OPERATING SYSTEM VERSION :
Microsoft Windows 2000 [Version 5.00.2195]

EXTRA RELEVANT SYSTEM CONFIGURATION :
Netscape 6.2.1 and Internet Explorer 5.5

A DESCRIPTION OF THE PROBLEM :
Our site is protected by https and basic authentication.
When our applet is started the login from the browser is not
remembered and the user has to login again. The behaivoir is
new for 1.4. This is totally unacceptable for our users and
makes the new version unusable.

The applet that we are using is cached and signed.

REGRESSION. Last worked in version 1.3

STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
1. Login on a site protected by basic authentication and https
2. Start a cached signed applet from the site
3. Watch the login dialog that appears

EXPECTED VERSUS ACTUAL BEHAVIOR :
We would expect the javaplugin to use the login that has
already been entered in the browser.

This bug can be reproduced always.

CUSTOMER WORKAROUND :
None that I have found, this is a showstopper!
(Review ID: 144346)
======================================================================