P3
FULL PRODUCT VERSION :
java version "1.6.0_18"
Java(TM) SE Runtime Environment (build 1.6.0_18-b07)
Java HotSpot(TM) Client VM (build 16.0-b13, mixed mode, sharing)
ADDITIONAL OS VERSION INFORMATION :
Reproduced on Windows XP and 2003.
A DESCRIPTION OF THE PROBLEM :
As documented on bugs 6565562 and 6558862, a HEAD request is being generated when basicService.showDocument is called. If the url passed requires authentication, java asks for authentication (Basic Authentication scheme) and when the browser is called a second authentication dialog from the browser shows up.
On the first authentication dialog, if cancel is hit, it stills open the url with the web browser. A sniffer trace shows the first authentication (coming from java) happens after the HEAD request but before the GET request.
It is not acceptable that showDocument challenges for authentication if the browser is going to challenge again for the very same credentials, not to mention the fact that if the cancel button is hit on the first authentication dialog the result is the same as if the credentials entered were valid.
From the evaluations from bugs 6565562 and 6558862, the HEAD request is there to check if the url points to a jnlp file; at a minimum, there should be an extra parameter to avoid that check and the respective HEAD request which in turn will avoid the double authentication issue.
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
Request a web page using basicService.showDocument using a url that requires authentication.
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
Only the browser should ask for authentication.
ACTUAL -
Java ask for authentication, then the browser. If the cancel button is hit on the java dialog, the browser is still launched and asks for authentication.
REPRODUCIBILITY :
This bug can be reproduced always.
---------- BEGIN SOURCE ----------
import java.awt.*;
import java.awt.event.*;
import javax.swing.*;
import java.io.*;
import java.net.*;
import javax.jnlp.*;
public class Test {
static BasicService basicService = null;
public static void main(String args[]) {
JFrame frame = new JFrame("Test");
frame.setDefaultCloseOperation(JFrame.EXIT_ON_CLOSE);
Container content = frame.getContentPane();
try {
basicService = (BasicService)
ServiceManager.lookup("javax.jnlp.BasicService");
} catch (UnavailableServiceException e) {
System.err.println("Lookup failed: " + e);
}
try {
URL url = new URL({Your URL goes here});
basicService.showDocument(url);
} catch (MalformedURLException ignored) {
}
frame.pack();
frame.show();
}
}
---------- END SOURCE ----------
SUPPORT :
YES
java version "1.6.0_18"
Java(TM) SE Runtime Environment (build 1.6.0_18-b07)
Java HotSpot(TM) Client VM (build 16.0-b13, mixed mode, sharing)
ADDITIONAL OS VERSION INFORMATION :
Reproduced on Windows XP and 2003.
A DESCRIPTION OF THE PROBLEM :
As documented on bugs 6565562 and 6558862, a HEAD request is being generated when basicService.showDocument is called. If the url passed requires authentication, java asks for authentication (Basic Authentication scheme) and when the browser is called a second authentication dialog from the browser shows up.
On the first authentication dialog, if cancel is hit, it stills open the url with the web browser. A sniffer trace shows the first authentication (coming from java) happens after the HEAD request but before the GET request.
It is not acceptable that showDocument challenges for authentication if the browser is going to challenge again for the very same credentials, not to mention the fact that if the cancel button is hit on the first authentication dialog the result is the same as if the credentials entered were valid.
From the evaluations from bugs 6565562 and 6558862, the HEAD request is there to check if the url points to a jnlp file; at a minimum, there should be an extra parameter to avoid that check and the respective HEAD request which in turn will avoid the double authentication issue.
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
Request a web page using basicService.showDocument using a url that requires authentication.
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
Only the browser should ask for authentication.
ACTUAL -
Java ask for authentication, then the browser. If the cancel button is hit on the java dialog, the browser is still launched and asks for authentication.
REPRODUCIBILITY :
This bug can be reproduced always.
---------- BEGIN SOURCE ----------
import java.awt.*;
import java.awt.event.*;
import javax.swing.*;
import java.io.*;
import java.net.*;
import javax.jnlp.*;
public class Test {
static BasicService basicService = null;
public static void main(String args[]) {
JFrame frame = new JFrame("Test");
frame.setDefaultCloseOperation(JFrame.EXIT_ON_CLOSE);
Container content = frame.getContentPane();
try {
basicService = (BasicService)
ServiceManager.lookup("javax.jnlp.BasicService");
} catch (UnavailableServiceException e) {
System.err.println("Lookup failed: " + e);
}
try {
URL url = new URL({Your URL goes here});
basicService.showDocument(url);
} catch (MalformedURLException ignored) {
}
frame.pack();
frame.show();
}
}
---------- END SOURCE ----------
SUPPORT :
YES