Webapp HTTP proxy authentication

+1 vote
440 views

We're developing webapps running on Tomcat 7. The apps use third-party components that we can't modify, and those components connect to external sites using HTTP.

We have a policy of routing all outbound traffic through an authenticating HTTP proxy. This is a bit of a problem for us since the Oracle Java 7 JVM doesn't support configuring proxy authentication at the JVM level (using e.g. system properties).

One possible workaround I could think of is to create a custom javaagent that would set a default java.net.Authenticator in its premain() method. This approach appears to work in a command-line program that uses HttpURLConnection, but are there any potential caveats to this method when used with webapps running in Tomcat? One shortcoming is that the same Authenticator would be used for all webapps in the JVM, but this is something we can live with.

posted Aug 16, 2013 by Luv Kumar


1 Answer

+1 vote

How about a ServletContextListener?

http://docs.oracle.com/javaee/6/api/javax/servlet/ServletContextListener.html

or a LifecycleListener?

https://tomcat.apache.org/tomcat-7.0-doc/config/listeners.html

Either one should allow you to configure your proxy settings before your applications start.

answer Aug 17, 2013 by Dewang Chaudhary
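
A default Authenticator is consulted for every HTTP authentication challenge in the JVM, so one installed for the proxy should answer only the proxy and nothing else. The following is an added example, not code from the original posts: the class name and the `example.proxy.user` / `example.proxy.password` property names are assumptions, while `http.proxyHost` / `http.proxyPort` are the standard JVM proxy properties.

```java
import java.net.Authenticator;
import java.net.PasswordAuthentication;

/** Added example: hands out credentials only to the configured HTTP proxy. */
public final class ProxyOnlyAuthenticator extends Authenticator {
    private final String proxyHost;
    private final int proxyPort;
    private final String user;
    private final char[] password;

    public ProxyOnlyAuthenticator(String proxyHost, int proxyPort,
                                  String user, char[] password) {
        this.proxyHost = proxyHost;
        this.proxyPort = proxyPort;
        this.user = user;
        this.password = password.clone();
    }

    @Override
    protected PasswordAuthentication getPasswordAuthentication() {
        // The default Authenticator is also asked when an origin server sends
        // 401; returning null keeps the proxy credentials away from such hosts.
        if (getRequestorType() != RequestorType.PROXY) return null;
        // Only answer the proxy we were configured for (null host never matches).
        if (!proxyHost.equalsIgnoreCase(getRequestingHost())) return null;
        if (proxyPort != getRequestingPort()) return null;
        return new PasswordAuthentication(user, password);
    }

    /** javaagent entry point; the agent jar manifest must name this class in Premain-Class. */
    public static void premain(String agentArgs) {
        install();
    }

    /** Installs the JVM-wide default; fails closed if configuration is missing. */
    public static void install() {
        String host = System.getProperty("http.proxyHost");
        String port = System.getProperty("http.proxyPort", "80");
        // Hypothetical property names; a real deployment should load the
        // secret from a protected file rather than the command line.
        String user = System.getProperty("example.proxy.user");
        String pass = System.getProperty("example.proxy.password");
        if (host == null || user == null || pass == null) {
            throw new IllegalStateException("proxy host or credentials not configured");
        }
        Authenticator.setDefault(new ProxyOnlyAuthenticator(
                host, Integer.parseInt(port), user, pass.toCharArray()));
    }
}
```

The same `install()` call can be made from a ServletContextListener's `contextInitialized()` instead of `premain()`. Either way `Authenticator.setDefault` applies to the whole JVM, and under a SecurityManager it requires `NetPermission("setDefaultAuthenticator")`.
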
Similar Questions
0 votes

Question about the http authentication when using the subversion api 1.8.13.

For example, using the 'svn_client_list3' function: every time this function is called, the first HTTP request does not contain any Authorization header, which leads to a '401 Authorization Required' response.

In my opinion this leads to an unnecessary delay when the function is called multiple times and the same credentials could be used.

When calling this function the svn_client_ctx_t contains an svn_auth_baton_t with set default username and default password parameters.

Now to my actual question:

Can this behaviour somehow be changed or is it just designed to work this way? I also know that the version I'm using is not the newest one so if you think an upgrade to a newer version could lead to some performance improvement please let me know.

+2 votes

I have a task to validate or parse the following HTTP headers:

Accept
Accept-Charset
Accept-Encoding
Accept-Language
Accept-Datetime
Content-Length
Content-MD5
Content-Type

Let's take Accept-Language as an example: if the header language comes in as anything other than en-us, I should reject the request with a customized code response.

Let me know ways to achieve the task. Can we do it with any configuration files?
We are using Tomcat 6.0.18.

+1 vote

1) I'd have a question on how to set up a reverse proxy to a http 1.0 in the cleanest, most standards-conforming way.

AFAIU, strict HTTP 1.0 has neither persistent connections / keep-alives - a connection ends after a single request has been responded to. Neither does it have Host: headers.

a) Do I need to tell the reverse-proxy about this? Do I have to set:
- ProxyPass' disablereuse=on and/or
- force-proxy-request-1.0 and/or
- proxy-nokeepalive and/or
- proxy-sendcl

Or is one of them enough? E.g. when I set force-proxy-request-1.0... all the others are implicitly set?

b) Do I need to set proxy-initial-not-pooled?
Cause I get the error mentioned there,... interestingly that seems to be independent of the backend/origin server... and dependent on the client.

c) So, strictly speaking, I could not use name-based vhosting, right?

2) Further, when a client talks to the reverse proxy in HTTP 1.0, it should get the reply in 1.0 as well. And when it talks to it in 1.1, it should get it in 1.1.

Would Apache do this automatically, or would it answer a 1.0 request with a 1.1 response?
So do I have to set: force-response-1.0 ?

3) The origin server to which I connect is single threaded, i.e. it will only process one request at a time. So Apache shouldn't connect more than once concurrently, as it would simply block. How do I get this? The keep-alive options above probably don't help here... Is the solution to set ProxyPass' max=1 ?

0 votes

Is it possible to create an HTTP tunnel to a remote HTTP tunnel server via a middle HTTP proxy?

Here is my situation:
My company only allows the HTTP protocol, and they created an HTTP proxy server. So when we want to access the internet we have to set the HTTP proxy settings for the browser or application.

Now I want to access the outside without the restrictions of the HTTP protocol and also not limited to port 80. As they blocked SSH, SSH reverse binding is not possible. So is it possible to create an HTTP tunnel via the HTTP proxy of my company and aim it at my own server outside?

...