Name: pa48320 Date: 10/03/2002

In a network configuration with a firewall where the proxy server is configured with multiple authentication schemes the plugin has a good chance of not being able to connect to the webserver to get the class file. This problem occurs most regularly with the MS ISA proxy server. This server is configured to authenticate using NTLM as well as Basic and Digest authentications. When the plugin attemts to connect to the webserver it receives a 407 response with several Proxy-Authenticate headers as follows:
Proxy-Authenticate: NTLM
Proxy-Authenticate: Basic realm="proxy1.site.org"
Proxy-Authenticate: Digest qop="auth", realm="proxy1.site.org", nonce="08923450982072304702397...."
Proxy-Authenticate: Kerberos
Proxy-Authenticate: Negotiate

According to the code in sun.net.www.protocal.http.HttpURLConnection.getHttpProxyAuthentication() the headers are searched for Proxy-Authenticate. This search uses sun.net.www.MessageHeader.findValue() which only returns the first header it finds. This code needs to walk through the headers until it finds one that it can use. In fact it should walk through with some idea of which is best since it seems that the list provided by the proxy server is not orderable.
Note that the http1.1 spec seems quite clear in allowing multiple fields of this type in the header.

======================================================================