- Bug
- Resolution: Fixed
- P4
- 5.0
- b57
- x86
- windows_2000, windows_xp
Name: gm110360 Date: 04/29/2004
FULL PRODUCT VERSION :
java version "1.5.0-beta"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.5.0-beta-b32c)
Java HotSpot(TM) Client VM (build 1.5.0-beta-b32c, mixed mode)
ADDITIONAL OS VERSION INFORMATION :
Microsoft Windows 2000 [Version 5.00.2195] for client and server machines.
EXTRA RELEVANT SYSTEM CONFIGURATION :
Web server must have "Client certificate required" option set.
Using MS Internet Explorer 6.0.2800.1106 (SP1). Other IE 6.0 also used.
A DESCRIPTION OF THE PROBLEM :
An applet that uses an HttpURLConnection to send a request to a server causes a popup dialog to appear at the browser for every request sent. The dialog asks the user to select a user certificate to present to the server. This would be OK for the first request, but EVERY request triggers this dialog. Since there may be hundreds of HTTP requests during a session, this behaviour makes the applet virtually unusable.
The applet code gets an HttpURLConnection object for each request using URL.openConnection() and its "Keep-Alive" header property is set; however, the objects do not appear to be cached and reused. This may be related to bug #4814794 which describes a similar problem for JRE 1.4.x.
Other pages not using an applet (html, jsp, etc.) work properly in that the browser does not repeatedly pop up the dialog for every request. The same SSL session is shared between the applet and JSP pages.
The effect of this problem is that the JRE 1.5 plugin cannot be used in a secure web environment where the applet makes HTTP requests to a server that requires client certificates.
The older 1.3.1x JRE plugin did not have this problem but it is not a desirable option to regress to that version for other reasons. The 1.4.x JRE plugin does not handle browser certificates at all and cannot be used.
This is a business critical issue for us.
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
Set your web server to "Require client certificates". This requires that a client present a user certificate to the web server otherwise connections will be denied.
Create a test applet that uses an HttpURLConnection object to send a request to the web server. Call URL.openConnection() to get the connection for each request.
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
HTTP requests made by the applet should be sent to the web server without invoking the browser's Client Authentication (browser certificate list) dialog except perhaps for the first request.
ACTUAL -
Every HTTP request made by the applet causes the Client Authentication dialog to appear, requiring user input. All non-applet web page requests within the same session do not cause the dialog to pop up.
ERROR MESSAGES/STACK TRACES THAT OCCUR :
No error messages, just annoying redundant user dialog interaction.
REPRODUCIBILITY :
This bug can be reproduced always.
---------- BEGIN SOURCE ----------
Create an applet with a button that invokes an HTTP request similar to the following:
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.net.URL;
import java.net.URLConnection;
import java.util.HashMap;

// Headers and ContentTypes are constant holders from the reporter's
// application; their definitions are not shown in this report.

protected String cookie_; // instance variable

// THE REQUEST
URLConnection con = null;
ObjectOutputStream out = null;
try
{
    // Get connection to server
    URL url = new URL("server-that-requires-client-certificates/");
    con = url.openConnection();
    con.setDoInput(true);
    con.setDoOutput(true);
    con.setUseCaches(false);
    con.setRequestProperty(Headers.CONNECTION_HDR, "Keep-Alive");
    // If we saved a cookie previously obtained from the
    // server, add it to this request to maintain the session.
    if (cookie_ != null)
    {
        // Send session cookie back to server
        con.setRequestProperty(Headers.COOKIE_REQUEST_HDR, cookie_);
    }
    // Send a dummy test object as the request
    HashMap map = new HashMap();
    map.put("test_object", map);
    con.setRequestProperty(Headers.CONTENT_TYPE_HDR, ContentTypes.CONTENT_JAVA);
    out = new ObjectOutputStream(con.getOutputStream());
    // Send test object as HTTP POST to servlet
    out.writeObject(map);
    out.flush();
}
catch (Exception e)
{
    System.err.println("Error in HTTP request: " + e);
}
finally
{
    try { if (out != null) out.close(); } catch (IOException e) {}
}

// THE REPLY -- probably will not get here, not important for test
Object result = null;
ObjectInputStream in = null;
try
{
    // Create an object input stream
    in = new ObjectInputStream(con.getInputStream());
    // Retrieve object reply
    result = in.readObject();
    // If a cookie is sent from the server, save it
    String s = con.getHeaderField(Headers.COOKIE_RESPONSE_HDR);
    if (s != null)
    {
        cookie_ = s;
    }
}
catch (Exception e)
{
    System.err.println("Error in HTTP reply: " + e);
}
finally
{
    try { if (in != null) in.close(); } catch (IOException e) {}
}
---------- END SOURCE ----------
(Incident Review ID: 260099)
======================================================================
- duplicates
  - JDK-5056524 Invalid HTTP request during download of jars (Closed)
  - JDK-5057141 Java Web Start fails to download lots of applications: "unable to launch XXX" (Closed)
- relates to
  - JDK-5067294 One case still fails after the fix for 5039967 (Resolved)