Name: gm110360 Date: 04/03/2002
FULL PRODUCT VERSION :
java version "1.3.1_02"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.3.1_02-b02)
Java HotSpot(TM) Client VM (build 1.3.1_02-b02, mixed mode)
FULL OPERATING SYSTEM VERSION : Client: win NT 4.0 server sp6a IE 5.5 SP2
ADDITIONAL OPERATING SYSTEMS : Server: AIX running WebSphere 4.0 fix pack 2.
A DESCRIPTION OF THE PROBLEM :
I have a signed applet trying to upload a file to a
WebSphere application server (version 4.0 fix pack 2)
running on an AIX box. The client is IE 5.5 SP2 running on
win2k and winnt. When the application server is first
contacted, the browser prompts for an id and a password.
The applet downloads, makes a GET request to the server
which succeeds and then a POST which gets an authorization
required response. This causes the plugin to put up a
prompt for a user id and password. This is very annoying
since our clients are forced to authenticate twice. The
plugin should include the authorization header on all
requests. A subsequent post request from the same applet
does include the authorization header.
A similar bug (4342683) was filed which was closed as
unreproducible.
Below are the relevant portions of an ip trace report. As
you can see, the GET request contains the authorization
header but the POST request does not.
GET REQUEST:
====( 409 bytes received on interface en0 )====
17:48:33.235417458
ETHERNET packet : [ 00:50:bd:bc:68:00 -> 00:04:ac:e4:a9:f0 ] type 800 (IP)
IP header breakdown:
< SRC = 172.25.146.131 >
< DST = 172.25.148.175 > (ibm44p.billerica.esi)
ip_v=4, ip_hl=20, ip_tos=0, ip_len=395, ip_id=46691, ip_off=0
ip_ttl=127, ip_sum=4a4, ip_p = 6 (TCP)
TCP header breakdown:
<source port=1616, destination port=80(www) >
th_seq=813325f6, th_ack=ff88d6d6
th_off=5, flags<PUSH | ACK>
th_win=7788, th_sum=14af, th_urp=0
00000000 47455420 2f736f6e 6f72612f 696e766f |GET /sonora/invo|
00000010 6b656170 702e6a61 72204854 54502f31 |keapp.jar HTTP/1|
00000020 2e310d0a 41636365 70743a20 2a2f2a0d |.1..Accept: */*.|
00000030 0a416363 6570742d 456e636f 64696e67 |.Accept-Encoding|
00000040 3a20677a 69702c20 6465666c 6174650d |: gzip, deflate.|
00000050 0a49662d 4d6f6469 66696564 2d53696e |.If-Modified-Sin|
00000060 63653a20 5468752c 20323120 4d617220 |ce: Thu, 21 Mar |
00000070 32303032 2031353a 32393a35 3520474d |2002 15:29:55 GM|
00000080 540d0a55 7365722d 4167656e 743a204d |T..User-Agent: M|
00000090 6f7a696c 6c612f34 2e302028 636f6d70 |ozilla/4.0 (comp|
000000a0 61746962 6c653b20 4d534945 20352e35 |atible; MSIE 5.5|
000000b0 3b205769 6e646f77 73204e54 20342e30 |; Windows NT 4.0|
000000c0 290d0a48 6f73743a 2069626d 3434700d |)..Host: ibm44p.|
000000d0 0a436f6e 6e656374 696f6e3a 204b6565 |.Connection: Kee|
000000e0 702d416c 6976650d 0a436f6f 6b69653a |p-Alive..Cookie:|
000000f0 2054656d 706c6174 65733d46 696c6573 | Templates=Files|
00000100 746f7265 2530436f 643b204a 53455353 |tore%0Cod; JSESS|
00000110 494f4e49 443d3030 30303346 315a5556 |IONID=00003F1ZUV|
00000120 51555742 47354c49 4d56584a 52354c32 |QUWBG5LIMVXJR5L2|
00000130 593a2d31 0d0a4175 74686f72 697a6174 |Y:-1..Authorizat| <== Authorization header.
00000140 696f6e3a 20426173 69632055 30394f54 |ion: Basic U09OT|
00000150 314a424f 6e426863 334e3362 334a6b0d |1JBOnBhc3N3b3Jk.|
00000160 0a0d0a                              |...             |
POST REQUEST:
================================================================================
====( 482 bytes received on interface en0 )====
17:48:37.264003363
ETHERNET packet : [ 00:50:bd:bc:68:00 -> 00:04:ac:e4:a9:f0 ] type 800 (IP)
IP header breakdown:
< SRC = 172.25.146.131 >
< DST = 172.25.148.175 > (ibm44p.billerica.esi)
ip_v=4, ip_hl=20, ip_tos=0, ip_len=468, ip_id=51043, ip_off=0
ip_ttl=127, ip_sum=f35a, ip_p = 6 (TCP)
TCP header breakdown:
<source port=1623, destination port=80(www) >
th_seq=8153a90e, th_ack=e89160b9
th_off=5, flags<PUSH | ACK>
th_win=8760, th_sum=20d3, th_urp=0
00000000 504f5354 202f736f 6e6f7261 2f46696c |POST /sonora/Fil|
00000010 6553746f 72653f6f 703d7226 69643d32 |eStore?op=r&id=2|
00000020 39266c6f 63617469 6f6e3d43 25334125 |9&location=C%3A%|
00000030 35435749 4e4e5425 35435072 6f66696c |5CWINNT%5CProfil|
00000040 65732535 43706174 696e6f6a 2e303030 |es%5Cpatinoj.000|
00000050 25354370 6c756769 6e313330 5f30312e |%5Cplugin130_01.|
00000060 74787420 48545450 2f312e31 0d0a436f |txt HTTP/1.1..Co|
00000070 6e74656e 742d5479 70653a20 6d756c74 |ntent-Type: mult|
00000080 69706172 742f666f 726d2d64 6174612c |ipart/form-data,|
00000090 20626f75 6e646172 793d2d2d 2d2d2d2d | boundary=------|
000000a0 2d2d2d2d 2d2d2d2d 62316335 64343463 |--------b1c5d44c|
000000b0 63643431 31316434 38663562 30303530 |cd4111d48f5b0050|
000000c0 30343432 61613537 0d0a436f 6e74656e |0442aa57..Conten|
000000d0 742d4c65 6e677468 3a203738 300d0a63 |t-Length: 780..c|
000000e0 6f6f6b69 653a2054 656d706c 61746573 |ookie: Templates|
000000f0 3d46696c 6573746f 72652530 436f643b |=Filestore%0Cod;|
00000100 204a5345 5353494f 4e49443d 30303030 | JSESSIONID=0000|
00000110 3346315a 55565155 57424735 4c494d56 |3F1ZUVQUWBG5LIMV|
00000120 584a5235 4c32593a 2d310d0a 55736572 |XJR5L2Y:-1..User|
00000130 2d416765 6e743a20 4a617661 312e332e |-Agent: Java1.3.|
00000140 315f3032 0d0a486f 73743a20 69626d34 |1_02..Host: ibm4|
00000150 34700d0a 41636365 70743a20 74657874 |4p..Accept: text|
00000160 2f68746d 6c2c2069 6d616765 2f676966 |/html, image/gif|
00000170 2c20696d 6167652f 6a706567 2c202a3b |, image/jpeg, *;|
00000180 20713d2e 322c202a 2f2a3b20 713d2e32 | q=.2, */*; q=.2|
00000190 0d0a436f 6e6e6563 74696f6e 3a206b65 |..Connection: ke|
000001a0 65702d61 6c697665 0d0a0d0a          |ep-alive....    |
====( 834 bytes received on interface en0 )====
17:48:37.265043202
ETHERNET packet : [ 00:50:bd:bc:68:00 -> 00:04:ac:e4:a9:f0 ] type 800 (IP)
IP header breakdown:
< SRC = 172.25.146.131 >
< DST = 172.25.148.175 > (ibm44p.billerica.esi)
ip_v=4, ip_hl=20, ip_tos=0, ip_len=820, ip_id=51299, ip_off=0
ip_ttl=127, ip_sum=f0fa, ip_p = 6 (TCP)
TCP header breakdown:
<source port=1623, destination port=80(www) >
th_seq=8153aaba, th_ack=e89160b9
th_off=5, flags<PUSH | ACK>
th_win=8760, th_sum=6a86, th_urp=0
00000000 2d2d2d2d 2d2d2d2d 2d2d2d2d 2d2d2d2d |----------------|
00000010 62316335 64343463 63643431 31316434 |b1c5d44ccd4111d4|
00000020 38663562 30303530 30343432 61613537 |8f5b00500442aa57|
00000030 0d0a436f 6e74656e 742d4469 73706f73 |..Content-Dispos|
00000040 6974696f 6e3a2066 6f726d2d 64617461 |ition: form-data|
00000050 3b206e61 6d653d22 66696c65 31222c20 |; name="file1", |
00000060 66696c65 6e616d65 3d22706c 7567696e |filename="plugin|
00000070 3133305f 30312e74 7874220d 0a436f6e |130_01.txt"..Con|
00000080 74656e74 2d547970 65207465 78742f70 |tent-Type text/p|
00000090 6c61696e 0d0a0d0a 4a617661 28544d29 |lain....Java(TM)|
000000a0 20506c75 672d696e 3a205665 7273696f | Plug-in: Versio|
000000b0 6e20312e 332e305f 30310a55 73696e67 |n 1.3.0_01.Using|
000000c0 204a5245 20766572 73696f6e 20312e33 | JRE version 1.3|
000000d0 2e305f30 31204a61 76612048 6f745370 |.0_01 Java HotSp|
000000e0 6f742854 4d292043 6c69656e 7420564d |ot(TM) Client VM|
000000f0 0a557365 7220686f 6d652064 69726563 |.User home direc|
00000100 746f7279 203d2043 3a5c5749 4e4e545c |tory = C:\WINNT\|
00000110 50726f66 696c6573 5c706174 696e6f6a |Profiles\patinoj|
00000120 2e303030 0d0a5573 65722068 6173206f |.000..User has o|
00000130 76657272 6964656e 2062726f 77736572 |verriden browser|
00000140 27732070 726f7879 20736574 74696e67 |'s proxy setting|
00000150 732e0d0a 50726f78 7920436f 6e666967 |s...Proxy Config|
00000160 75726174 696f6e3a 206e6f20 70726f78 |uration: no prox|
00000170 790d0a0d 0a2d2d2d 2d2d2d2d 2d2d2d2d |y....-----------|
00000180 2d2d2d2d 2d2d2d2d 2d2d2d2d 2d2d2d2d |----------------|
********
000001a0 2d2d2d2d 2d2d2d2d 2d0a633a 20202063 |---------.c:   c|
000001b0 6c656172 20636f6e 736f6c65 2077696e |lear console win|
000001c0 646f770a 663a2020 2066696e 616c697a |dow.f:   finaliz|
000001d0 65206f62 6a656374 73206f6e 2066696e |e objects on fin|
000001e0 616c697a 6174696f 6e207175 6575650a |alization queue.|
000001f0 673a2020 20676172 62616765 20636f6c |g:   garbage col|
00000200 6c656374 0a683a20 20206469 73706c61 |lect.h:   displa|
00000210 79207468 69732068 656c7020 6d657373 |y this help mess|
00000220 6167650a 6c3a2020 2064756d 7020636c |age.l:   dump cl|
00000230 6173736c 6f616465 72206c69 73740a6d |assloader list.m|
00000240 3a202020 7072696e 74206d65 6d6f7279 |:   print memory|
00000250 20757361 67650a71 3a202020 68696465 | usage.q:   hide|
00000260 20636f6e 736f6c65 0a733a20 20206475 | console.s:   du|
00000270 6d702073 79737465 6d207072 6f706572 |mp system proper|
00000280 74696573 0a743a20 20206475 6d702074 |ties.t:   dump t|
00000290 68726561 64206c69 73740a78 3a202020 |hread list.x:   |
000002a0 636c6561 7220636c 6173736c 6f616465 |clear classloade|
000002b0 72206361 6368650a 302d353a 20736574 |r cache.0-5: set|
000002c0 20747261 6365206c 6576656c 20746f20 | trace level to |
000002d0 3c6e3e0a 2d2d2d2d 2d2d2d2d 2d2d2d2d |<n>.------------|
000002e0 2d2d2d2d 2d2d2d2d 2d2d2d2d 2d2d2d2d |----------------|
********
00000300 2d2d2d2d 2d2d2d2d 0d0a0d0a          |--------....    |
POST REPLY:
====( 389 bytes transmitted on interface en0 )====
17:48:37.267094409
ETHERNET packet : [ 00:04:ac:e4:a9:f0 -> 00:50:bd:bc:68:00 ] type 800 (IP)
IP header breakdown:
< SRC = 172.25.148.175 > (ibm44p.billerica.esi)
< DST = 172.25.146.131 >
ip_v=4, ip_hl=20, ip_tos=0, ip_len=375, ip_id=31613, ip_off=0 DF
ip_ttl=60, ip_sum=429e, ip_p = 6 (TCP)
TCP header breakdown:
<source port=80(www), destination port=1623 >
th_seq=e89160b9, th_ack=8153adc6
th_off=5, flags<PUSH | ACK>
th_win=16060, th_sum=5fa5, th_urp=0
00000000 48545450 2f312e31 20343031 20417574 |HTTP/1.1 401 Aut|
00000010 686f7269 7a617469 6f6e2052 65717569 |horization Requi|
00000020 7265640d 0a446174 653a2046 72692c20 |red..Date: Fri, |
00000030 3232204d 61722032 30303220 32323a34 |22 Mar 2002 22:4|
00000040 383a3337 20474d54 0d0a5365 72766572 |8:37 GMT..Server|
00000050 3a204942 4d5f4854 54505f53 45525645 |: IBM_HTTP_SERVE|
00000060 522f312e 332e3139 2e312020 41706163 |R/1.3.19.1  Apac|
00000070 68652f31 2e332e32 30202855 6e697829 |he/1.3.20 (Unix)|
00000080 0d0a5757 572d4175 7468656e 74696361 |..WWW-Authentica|
00000090 74653a20 42617369 63207265 616c6d3d |te: Basic realm=|
000000a0 22536f6e 6f726122 0d0a5757 572d4175 |"Sonora"..WWW-Au|
000000b0 7468656e 74696361 74653a20 42617369 |thenticate: Basi|
000000c0 63207265 616c6d3d 22536f6e 6f726122 |c realm="Sonora"|
000000d0 0d0a436f 6e74656e 742d4c65 6e677468 |..Content-Length|
000000e0 3a20300d 0a4b6565 702d416c 6976653a |: 0..Keep-Alive:|
000000f0 2074696d 656f7574 3d31352c 206d6178 | timeout=15, max|
00000100 3d313030 0d0a436f 6e6e6563 74696f6e |=100..Connection|
00000110 3a204b65 65702d41 6c697665 0d0a436f |: Keep-Alive..Co|
00000120 6e74656e 742d5479 70653a20 74657874 |ntent-Type: text|
00000130 2f68746d 6c0d0a43 6f6e7465 6e742d4c |/html..Content-L|
00000140 616e6775 6167653a 20656e0d 0a0d0a   |anguage: en.... |
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
1. Create a signed applet that tries to post to a WebSphere
application server.
2. Post the file and see the plugin authentication request
when the post reply is received.
EXPECTED VERSUS ACTUAL BEHAVIOR :
See the IP trace above. The post request should contain the
authorization string and it does not.
This bug can be reproduced always.
CUSTOMER WORKAROUND :
Since the get request includes the authorization header,
have the target servlet pass down the authorization
string as an applet parameter and have the applet include
it in all requests. This works but we should not have to
do this!
(Review ID: 144957)
======================================================================
duplicates: JDK-4656979 User must authenticate twice with java plug-in 1.4.0 (Closed)
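An added example, not part of the original report: a small Python checker that reassembles the HTTP payload from ipreport-style hex rows like those in the trace above and lists which requests carry an Authorization header. The sample rows are constructed, and the names packets and audit are this example's own.

```python
import re

# Constructed sample in the wrapped ipreport layout of the trace above (hex row,
# ASCII column on the next line, sometimes split). Not bytes from the report.
SAMPLE = """\
====( 109 bytes received on interface en0 )====
00000000 47455420 2f612048 5454502f 312e310d
|GET /a HTTP/1.1.|
00000010 0a486f73 743a2068 0d0a4175 74686f72 |.Host:
h..Author|
00000020 697a6174 696f6e3a 20426173 69632065
|ization: Basic e|
00000030 4470350d 0a0d0a
|Dp5.... |
====( 83 bytes received on interface en0 )====
00000000 504f5354 202f7520 48545450 2f312e31
|POST /u HTTP/1.1|
00000010 0d0a486f 73743a20 680d0a0d 0a
|..Host: h.... |
"""

HEX_ROW = re.compile(r"^[0-9a-f]{8}((?: [0-9a-f]{2,8}){1,4})(?: |$)")
METHODS = (b"GET ", b"POST ", b"PUT ", b"HEAD ", b"DELETE ")

def packets(trace):
    """Yield the TCP payload bytes of each packet in an ipreport text dump."""
    for block in trace.split("====(")[1:]:
        data = bytearray()
        for line in block.splitlines():
            if (m := HEX_ROW.match(line)):  # ASCII column lines never match
                data += bytes.fromhex(m.group(1).replace(" ", ""))
        yield bytes(data)

def audit(trace):
    """Return (request line, auth scheme or None) for every HTTP request."""
    out = []
    for payload in packets(trace):
        if not payload.startswith(METHODS):
            continue  # body continuation packet or a server reply
        head = payload.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
        headers = {k.strip().lower(): v.strip()
                   for k, _, v in (h.partition(":") for h in head[1:])}
        auth = headers.get("authorization")
        # Report only the scheme so the credential itself is never echoed.
        out.append((head[0], auth.split()[0] if auth else None))
    return out

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A request that comes back with None as its scheme is one the server will answer with 401, which is the POST behaviour described in the report.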