Some Eclipse Foundation services are deprecated, or will be soon. Please ensure you've read this important communication.

Bug 99034

Summary: WSE support for basic-authenticating firewalls
Product: [WebTools] WTP Webservices Reporter: Chris Brealey <cbrealey>
Component: wst.wsAssignee: Andrew Mak <makandre>
Status: CLOSED FIXED QA Contact:
Severity: major    
Priority: P2 CC: gilberta, matt, pmoogk, sylvain.duguet, WURTHEMM
Version: 0.7   
Target Milestone: 1.5.1 M151   
Hardware: All   
OS: All   
Whiteboard:
Attachments:
Description Flags
build socket for https tunneling none

Description Chris Brealey CLA 2005-06-08 14:46:54 EDT 
Following defect 84945 [1], the Web Services Explorer should be re-equipped 
with the ability to invoke Web service protected by basic authenticating 
firewall proxies. Bug 82037 [2] may also hold an answer to this.

[1] https://bugs.eclipse.org/bugs/show_bug.cgi?id=84945
[2] https://bugs.eclipse.org/bugs/show_bug.cgi?id=82037
Comment 1 Chris Brealey CLA 2005-07-06 14:05:15 EDT 
*** Bug 102538 has been marked as a duplicate of this bug. ***
Comment 2 Chris Brealey CLA 2005-09-01 11:48:57 EDT 
Targetting M10.
Comment 3 Chris Brealey CLA 2005-11-15 12:38:22 EST 
Deferring enhancements to WTP 1.5 per the memo "Achieving WTP 1.0 Quality 
Targets" by Arthur Ryman [1].

[1] http://dev.eclipse.org/mhonarc/lists/wtp-dev/msg02831.html
Comment 4 David Williams CLA 2005-12-28 10:29:43 EST 
changing target from 1.5 M1 to 1.5 M5 to reflect new numbering system as we join Collisto.
Comment 5 Chris Brealey CLA 2006-02-28 10:15:08 EST 
Moving to M6. Getting a tad late in M5.
Comment 6 Chris Brealey CLA 2006-03-09 16:19:56 EST 
Changed to a bug. This isn't so much an RFE as it is a deficiency in the WSE which at one time did support basic-auth / https.
Comment 7 Sylvain Duguet CLA 2006-04-11 10:15:08 EDT 
Request for an higher priority, like P1 (not enough rights to do that).
Hoping to make this bug the most squeaky wheel and then get the grease ;-)
Comment 8 Chris Brealey CLA 2006-05-18 11:24:43 EDT 
*** Bug 142511 has been marked as a duplicate of this bug. ***
Comment 9 Chris Brealey CLA 2006-05-18 17:00:54 EDT 
Clearing Target Milestone field and using Whiteboard field to capture desired target: 1.5 RC4.
Comment 10 Chris Brealey CLA 2006-05-30 13:58:36 EDT 
RC4 is effectively closed. Changing outlook (status whiteboard) from 1.5 RC4 to 1.5 RC5.
Comment 11 Chris Brealey CLA 2006-06-01 14:50:14 EDT 
Back to using the target milestone field to indicate intended as well as actual target miletones/RCs. This bug is a candidate for 1.5 RC5.
Comment 12 Chris Brealey CLA 2006-06-14 12:09:53 EDT 
This will be fixed in the WTP 1.5.1 maintenance release. Sylvain, let me know if this interferes with your plans for adopting/using WTP's Web Services Explorer.
Comment 13 Jeffrey Liu CLA 2006-06-15 04:58:25 EDT 
Is this bug really a P1? P1 means release defining.
Comment 14 Sylvain Duguet CLA 2006-06-15 05:39:53 EDT 
Current code (at least 20060508 build) supports basic auth: when receiving a 401 status code from a webservice server, it opens a dialog box to get user login information and uses it in an Authorization header with Basic scheme. That looks fine for me on that point.
*But* https tunneling is not handled as said in a comment above (2006-03-09 16:19). The TODO found in org.eclipse.wst.ws.internal.explorer.platform.wsdl.transport.HTTPTransport.buildSocket(), line 495 is the blocking one for our needs. For https with Proxy authentication (TODO at line 502), same remark applies.
I'd summarize the situation saying that the missing SSL tunneling is blocking, is a P1 and is required for 1.5.
Comment 15 Kathy Chan CLA 2006-06-15 15:15:16 EDT 
Lowering priority.  Chris had confirmation from Sylvain (through e-mail) that targetting this bug to 1.5.1 is OK.
Comment 16 Kathy Chan CLA 2006-08-14 11:18:45 EDT 
Andrew, please take a look at this for WTP 1.5.1.
Comment 17 Andrew Mak CLA 2006-08-23 10:14:16 EDT 
Regarding the TODO on line 495, the comments in bug 84945 indicated that a possible approach is to use Axis runtime as the transport manager.  I have found that the following code will create a socket that will allow us to tunnel through the proxy:

    SocketFactory sf = SocketFactoryFactory.getFactory(HTTPS, new Hashtable());
    s = sf.create(host, port, null, null);

However, this only works when there is no basic authentication.  When I put a TCP/IP monitor between the WSE and the proxy server, this is the request being sent:

    CONNECT castle.torolab.ibm.com:9443 HTTP/1.0
    User-Agent: AxisClient
    Content-Length: 0
    Pragma: no-cache

Clearly, the Proxy-authorization header is missing, even though both https.proxyUserName and https.proxyPassword system properties are set.  I discovered from this page (http://ws.apache.org/axis/java/client-side-axis.html#AxisProperties) that Axis uses http.proxyUser rather than http.proxyUserName.  Setting the https.proxyUser property causes the Proxy-authorization header to be sent, however, the request still got rejected by the proxy server.
Comment 18 Andrew Mak CLA 2006-08-23 10:29:43 EDT 
Created attachment 48465 [details]
build socket for https tunneling

The second option was to build our own tunneling socket, which is what this patch is doing.  Please give it a try.
Comment 19 Andrew Mak CLA 2006-08-23 10:35:47 EDT 
Over to you Peter, thanks.
Comment 20 Peter Moogk CLA 2006-08-23 14:34:13 EDT 
This defect has been reviewed/committed/ and released under v200608231830.
Comment 21 Chris Brealey CLA 2006-09-22 09:15:36 EDT 
Verified on 1.5.1.
Comment 22 Chris Brealey CLA 2006-09-22 09:16:52 EDT 
Closed.