P3
The java plugin will not connect (an exception will be thrown) to the http URL outside the firewall under the following circumstances:
1. The socks proxy is specified in the PLUGIN CONTROL PANEL
2. The http proxy is specified in the PLUGIN CONTROL PANEL
However, the plugin will work if both proxies are set using
-D properties to the java runtime (and not through the control
panel). Same setup works fine in appletviewer since appletviewer
doesn't have a control panel.
To reproduce:
- please use Netscape 6 with the JDK 1.4 plugin
- set the proxies in the plugin control panel to:
socks: scaea-socks-1.sun.com port 1080
http: wcscaa.sfbay.sun.com port 8080
- type http://www.chessclub.com/CoffeeHouse.html in the browser
You will see the following exception in java console:
======================================================================
java.net.SocketException: SOCKS: Connection not allowed by ruleset
at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:405)
at java.net.Socket.connect(Socket.java:425)
at java.net.Socket.connect(Socket.java:375)
at sun.net.NetworkClient.doConnect(NetworkClient.java:139)
at sun.plugin.net.protocol.http.HttpClient.doConnect(HttpClient.java:95)
at sun.net.www.http.HttpClient.openServer(HttpClient.java:366)
at sun.net.www.http.HttpClient$3.run(HttpClient.java:415)
at java.security.AccessController.doPrivileged(Native Method)
at sun.net.www.http.HttpClient.privilegedOpenServer(HttpClient.java:412)
at sun.net.www.http.HttpClient.openServer(HttpClient.java:559)
at sun.net.www.http.HttpClient.<init>(HttpClient.java:292)
at sun.net.www.http.HttpClient.<init>(HttpClient.java:253)
at sun.plugin.net.protocol.http.HttpClient.<init>(HttpClient.java:41)
at sun.plugin.net.protocol.http.HttpClient.New(HttpClient.java:68)
at sun.plugin.net.protocol.http.HttpURLConnection.privBlock(HttpURLConnection.java:105)
at sun.plugin.net.protocol.http.HttpURLConnection$PrivilegedBlockAction.run(HttpURLConnection.java:378)
at java.security.AccessController.doPrivileged(Native Method)
at sun.plugin.net.protocol.http.HttpURLConnection.connect(HttpURLConnection.java:149)
at sun.plugin.net.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:309)
at sun.plugin.net.protocol.http.HttpUtils.followRedirects(HttpUtils.java:39)
at sun.plugin.cache.CachedJarLoader.download(CachedJarLoader.java:311)
at sun.plugin.cache.CachedJarLoader.load(CachedJarLoader.java:131)
at sun.plugin.cache.JarCache.get(JarCache.java:177)
at sun.plugin.net.protocol.jar.CachedJarURLConnection.connect(CachedJarURLConnection.java:71)
at sun.plugin.net.protocol.jar.CachedJarURLConnection.getJarFile(CachedJarURLConnection.java:56)
at sun.misc.URLClassPath$JarLoader.getJarFile(URLClassPath.java:498)
at sun.misc.URLClassPath$JarLoader.<init>(URLClassPath.java:459)
at sun.misc.URLClassPath$2.run(URLClassPath.java:255)
at java.security.AccessController.doPrivileged(Native Method)
at sun.misc.URLClassPath.getLoader(URLClassPath.java:244)
at sun.misc.URLClassPath.getLoader(URLClassPath.java:221)
at sun.misc.URLClassPath.getResource(URLClassPath.java:134)
at java.net.URLClassLoader$1.run(URLClassLoader.java:190)
at java.security.AccessController.doPrivileged(Native Method)
at java.net.URLClassLoader.findClass(URLClassLoader.java:186)
at sun.applet.AppletClassLoader.findClass(AppletClassLoader.java:132)
at sun.plugin.security.PluginClassLoader.findClass(PluginClassLoader.java:189)
at java.lang.ClassLoader.loadClass(ClassLoader.java:306)
at sun.applet.AppletClassLoader.loadClass(AppletClassLoader.java:112)
at java.lang.ClassLoader.loadClass(ClassLoader.java:262)
at sun.applet.AppletClassLoader.loadCode(AppletClassLoader.java:473)
at sun.applet.AppletPanel.createApplet(AppletPanel.java:548)
at sun.plugin.AppletViewer.createApplet(AppletViewer.java:1621)
at sun.applet.AppletPanel.runLoader(AppletPanel.java:477)
at sun.applet.AppletPanel.run(AppletPanel.java:290)
at java.lang.Thread.run(Thread.java:536)
=======================================================================
a) You see this exception because the plugin will attempt to make the
following connection: plugin -> socks proxy -> http proxy -> external URL.
However, socks proxy "scaea-socks-1" doesn't allow connections to inside the firewall (this is a typical config). So, such connection will fail. This is
CORRECT behavior.
However, after that the code executed by plugin returns with an error and
the exception above is thrown. This is NOT CORRECT.
b) However, if the proxies are set using -D options (and not through the plugin
control panel), then HttpClient's openServer() will ignore the "connection fail" IOException and will fall back to the following logic:
plugin -> socks proxy -> external URL
to see this, delete the "http proxy" setting in the control panel and set
it through the -Dhttp.proxyHost option of java runtime, you will see that
the applet will load or try the following appletviewer command:
appletviewer -J-DsocksProxyHost=scaea-socks-1 -J-Dhttp.proxyHost=wcscaa
-J-Dhttp.proxyPort=8080 http://www.chessclub.com/CoffeeHouse.html
The applet will load as well.
c) In the first case(the erroneous one), HttpClient.openServer() should also behave as in scenario "b)":
if the http proxy is specified using the Plugin Control Panel (namely "instProxy"), then it should ignore the exception and try direct connection:
plugin -> socks proxy -> external URL
Here's the existing code:
/sun/net/www/http/HttpClient.java:
*************************************************************
protected synchronized void openServer() throws IOException {
.....
if (url.getProtocol().equals("http") ||
url.getProtocol().equals("https") ) {
if ((instProxy != null) && !loopback) {
privilegedOpenServer(instProxy, instProxyPort);
usingProxy = true;
return;
}
String proxyHost = getProxyHost();
if ((proxyHost != null) &&
(!(proxyDisabled ||
loopback ||
matchNonProxyHosts(urlHost) ||
matchNonProxyHosts(host)))) {
try {
int proxyPort = getProxyPort();
privilegedOpenServer(proxyHost, proxyPort);
instProxy = proxyHost;
instProxyPort = proxyPort;
usingProxy = true;
return;
} catch (IOException e) {
// continue in this case - try locally
}
}
// try locally - let Exception get raised
openServer(host, port);
usingProxy = false;
return;
....
******************************************************
Here's how it can be changed to fix the problem:
======================================================
if (url.getProtocol().equals("http") ||
url.getProtocol().equals("https") ) {
try {
if ((instProxy != null) && !loopback) {
privilegedOpenServer(instProxy, instProxyPort);
usingProxy = true;
return;
}
} catch (IOException e) {
// continue in this case - try locally
// try locally - let Exception get raised
// this case is not any different from
// using -Dhttp.proxyHost below and should
// be handled the same way
openServer(host, port);
usingProxy = false;
return;
}
String proxyHost = getProxyHost();
if ((proxyHost != null) &&
(!(proxyDisabled ||
loopback ||
matchNonProxyHosts(urlHost) ||
matchNonProxyHosts(host)))) {
try {
int proxyPort = getProxyPort();
privilegedOpenServer(proxyHost, proxyPort);
instProxy = proxyHost;
instProxyPort = proxyPort;
usingProxy = true;
return;
} catch (IOException e) {
// continue in this case - try locally
}
}
// try locally - let Exception get raised
openServer(host, port);
usingProxy = false;
return;
===============================================================
1. The socks proxy is specified in the PLUGIN CONTROL PANEL
2. The http proxy is specified in the PLUGIN CONTROL PANEL
However, the plugin will work if both proxies are set using
-D properties to the java runtime (and not through the control
panel). Same setup works fine in appletviewer since appletviewer
doesn't have a control panel.
To reproduce:
- please use Netscape 6 with the JDK 1.4 plugin
- set the proxies in the plugin control panel to:
socks: scaea-socks-1.sun.com port 1080
http: wcscaa.sfbay.sun.com port 8080
- type http://www.chessclub.com/CoffeeHouse.html in the browser
You will see the following exception in java console:
======================================================================
java.net.SocketException: SOCKS: Connection not allowed by ruleset
at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:405)
at java.net.Socket.connect(Socket.java:425)
at java.net.Socket.connect(Socket.java:375)
at sun.net.NetworkClient.doConnect(NetworkClient.java:139)
at sun.plugin.net.protocol.http.HttpClient.doConnect(HttpClient.java:95)
at sun.net.www.http.HttpClient.openServer(HttpClient.java:366)
at sun.net.www.http.HttpClient$3.run(HttpClient.java:415)
at java.security.AccessController.doPrivileged(Native Method)
at sun.net.www.http.HttpClient.privilegedOpenServer(HttpClient.java:412)
at sun.net.www.http.HttpClient.openServer(HttpClient.java:559)
at sun.net.www.http.HttpClient.<init>(HttpClient.java:292)
at sun.net.www.http.HttpClient.<init>(HttpClient.java:253)
at sun.plugin.net.protocol.http.HttpClient.<init>(HttpClient.java:41)
at sun.plugin.net.protocol.http.HttpClient.New(HttpClient.java:68)
at sun.plugin.net.protocol.http.HttpURLConnection.privBlock(HttpURLConnection.java:105)
at sun.plugin.net.protocol.http.HttpURLConnection$PrivilegedBlockAction.run(HttpURLConnection.java:378)
at java.security.AccessController.doPrivileged(Native Method)
at sun.plugin.net.protocol.http.HttpURLConnection.connect(HttpURLConnection.java:149)
at sun.plugin.net.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:309)
at sun.plugin.net.protocol.http.HttpUtils.followRedirects(HttpUtils.java:39)
at sun.plugin.cache.CachedJarLoader.download(CachedJarLoader.java:311)
at sun.plugin.cache.CachedJarLoader.load(CachedJarLoader.java:131)
at sun.plugin.cache.JarCache.get(JarCache.java:177)
at sun.plugin.net.protocol.jar.CachedJarURLConnection.connect(CachedJarURLConnection.java:71)
at sun.plugin.net.protocol.jar.CachedJarURLConnection.getJarFile(CachedJarURLConnection.java:56)
at sun.misc.URLClassPath$JarLoader.getJarFile(URLClassPath.java:498)
at sun.misc.URLClassPath$JarLoader.<init>(URLClassPath.java:459)
at sun.misc.URLClassPath$2.run(URLClassPath.java:255)
at java.security.AccessController.doPrivileged(Native Method)
at sun.misc.URLClassPath.getLoader(URLClassPath.java:244)
at sun.misc.URLClassPath.getLoader(URLClassPath.java:221)
at sun.misc.URLClassPath.getResource(URLClassPath.java:134)
at java.net.URLClassLoader$1.run(URLClassLoader.java:190)
at java.security.AccessController.doPrivileged(Native Method)
at java.net.URLClassLoader.findClass(URLClassLoader.java:186)
at sun.applet.AppletClassLoader.findClass(AppletClassLoader.java:132)
at sun.plugin.security.PluginClassLoader.findClass(PluginClassLoader.java:189)
at java.lang.ClassLoader.loadClass(ClassLoader.java:306)
at sun.applet.AppletClassLoader.loadClass(AppletClassLoader.java:112)
at java.lang.ClassLoader.loadClass(ClassLoader.java:262)
at sun.applet.AppletClassLoader.loadCode(AppletClassLoader.java:473)
at sun.applet.AppletPanel.createApplet(AppletPanel.java:548)
at sun.plugin.AppletViewer.createApplet(AppletViewer.java:1621)
at sun.applet.AppletPanel.runLoader(AppletPanel.java:477)
at sun.applet.AppletPanel.run(AppletPanel.java:290)
at java.lang.Thread.run(Thread.java:536)
=======================================================================
a) You see this exception because the plugin will attempt to make the
following connection: plugin -> socks proxy -> http proxy -> external URL.
However, socks proxy "scaea-socks-1" doesn't allow connections to inside the firewall (this is a typical config). So, such connection will fail. This is
CORRECT behavior.
However, after that the code executed by plugin returns with an error and
the exception above is thrown. This is NOT CORRECT.
b) However, if the proxies are set using -D options (and not through the plugin
control panel), then HttpClient's openServer() will ignore the "connection fail" IOException and will fall back to the following logic:
plugin -> socks proxy -> external URL
to see this, delete the "http proxy" setting in the control panel and set
it through the -Dhttp.proxyHost option of java runtime, you will see that
the applet will load or try the following appletviewer command:
appletviewer -J-DsocksProxyHost=scaea-socks-1 -J-Dhttp.proxyHost=wcscaa
-J-Dhttp.proxyPort=8080 http://www.chessclub.com/CoffeeHouse.html
The applet will load as well.
c) In the first case(the erroneous one), HttpClient.openServer() should also behave as in scenario "b)":
if the http proxy is specified using the Plugin Control Panel (namely "instProxy"), then it should ignore the exception and try direct connection:
plugin -> socks proxy -> external URL
Here's the existing code:
/sun/net/www/http/HttpClient.java:
*************************************************************
protected synchronized void openServer() throws IOException {
.....
if (url.getProtocol().equals("http") ||
url.getProtocol().equals("https") ) {
if ((instProxy != null) && !loopback) {
privilegedOpenServer(instProxy, instProxyPort);
usingProxy = true;
return;
}
String proxyHost = getProxyHost();
if ((proxyHost != null) &&
(!(proxyDisabled ||
loopback ||
matchNonProxyHosts(urlHost) ||
matchNonProxyHosts(host)))) {
try {
int proxyPort = getProxyPort();
privilegedOpenServer(proxyHost, proxyPort);
instProxy = proxyHost;
instProxyPort = proxyPort;
usingProxy = true;
return;
} catch (IOException e) {
// continue in this case - try locally
}
}
// try locally - let Exception get raised
openServer(host, port);
usingProxy = false;
return;
....
******************************************************
Here's how it can be changed to fix the problem:
======================================================
if (url.getProtocol().equals("http") ||
url.getProtocol().equals("https") ) {
try {
if ((instProxy != null) && !loopback) {
privilegedOpenServer(instProxy, instProxyPort);
usingProxy = true;
return;
}
} catch (IOException e) {
// continue in this case - try locally
// try locally - let Exception get raised
// this case is not any different from
// using -Dhttp.proxyHost below and should
// be handled the same way
openServer(host, port);
usingProxy = false;
return;
}
String proxyHost = getProxyHost();
if ((proxyHost != null) &&
(!(proxyDisabled ||
loopback ||
matchNonProxyHosts(urlHost) ||
matchNonProxyHosts(host)))) {
try {
int proxyPort = getProxyPort();
privilegedOpenServer(proxyHost, proxyPort);
instProxy = proxyHost;
instProxyPort = proxyPort;
usingProxy = true;
return;
} catch (IOException e) {
// continue in this case - try locally
}
}
// try locally - let Exception get raised
openServer(host, port);
usingProxy = false;
return;
===============================================================
- duplicates
-
JDK-4097826 SOCKS support inadequate
-
- Resolved
-