Endian Bugtracker
Endian Issue Tracker





Please see now our new Bugtracker system: JIRA








View Issue Details Jump to Notes ] Issue History ] Print ]
IDProjectCategoryView StatusDate SubmittedLast Update
0001683Endian FirewallProxy HTTPpublic2009-03-17 13:552009-11-25 18:35
Reporterbonald 
Assigned Tosimon-endian 
PrioritynormalSeverityminorReproducibilityalways
StatusacknowledgedResolutionopen 
PlatformOSOS Version
Product Version2.2-rc3 
Target VersionfutureFixed in Version 
Summary0001683: Java JRE and NTLM auth
DescriptionJava JRE applications are not working when using Squid with NTLM auth.

Quick workaround is to add these lines to squid.conf.tmpl around line 298
#Java JRE no-auth
acl java_jvm browser Java/1.4 Java/1.5 Java/1.6
http_access allow java_jvm
http_reply_access allow java_jvm
always_direct allow java_jvm

It won't work using the custom.tmpl because it put itself under the authentication rules.

Tagspurple
Attached Files

- Relationships

-  Notes
(0002053)
bonald (reporter)
2009-03-17 13:59

This is nicer:
acl java_jvm browser Java/[0-9]
(0002173)
luca-endian (developer)
2009-04-21 10:46

this doesn't happen with all applets.. why??
(0002176)
simon-endian (developer)
2009-04-21 10:56
edited on: 2009-05-14 10:33

found this on the squid mailinglist:

www.mail-archive.com/squid-users@squid-cache.org/msg58201.html

seams that some javaapplets try to access the inet while starting without authentication.
because of this squid denies the access for the first try (no auth used by java applet). this
causes the java applet to be denied permenently by squid.

looks like the only solution is to whitelist the url or the useragent from authentication :-(

(0002187)
mike-f (updater)
2009-04-21 20:05
edited on: 2009-04-21 20:21

do you have the same problem when changing to

LDAP -> ActiveDirectory Auth?


is this a specific java-version which doesn't want to work?

As in the mentioned mailing-list the remote-server is on port 443 (https)
is this the same in your situation?
do you have any public sites you can provide as an example?

maybe "basic" together with "ntlm" might resolve the prob as described here:
//www.mail-archive.com/squid-users@squid-cache.org/msg04962.html">http://www.mail-archive.com/squid-users@squid-cache.org/msg04962.html [//www.mail-archive.com/squid-users@squid-cache.org/msg04962.html" target="_blank">^]

(0002330)
luca-endian (developer)
2009-05-13 14:44

It's possible to have an url to one of that "guilty" applet for debugging purpose?
(0002333)
luca-endian (developer)
2009-05-14 10:05
edited on: 2009-05-14 10:06

Can someone confirm that the workaround works?

(0002338)
bonald (reporter)
2009-05-14 13:14

The workaround works for me. I would like to provide you with the guilty URL but I can't, login/password required...
(0002544)
mike-f (updater)
2009-06-10 01:06

if it's only a single url i would whitelist it

opening access for ALL Java* might give some unnamed/undocumented sec-issues
(0002545)
luca-endian (developer)
2009-06-10 10:26

Yes it's true but it's such an annoying problem.. maybe a sysadmin just want to solve it forever.

- Issue History
Date Modified Username Field Change
2009-03-17 13:55 bonald New Issue
2009-03-17 13:55 bonald Assigned To => simon-endian
2009-03-17 13:59 bonald Note Added: 0002053
2009-04-21 10:46 luca-endian Note Added: 0002173
2009-04-21 10:56 simon-endian Note Added: 0002176
2009-04-21 20:05 mike-f Note Added: 0002187
2009-04-21 20:21 mike-f Note Edited: 0002187
2009-04-23 17:53 luca-endian Tag Attached: purple
2009-05-13 14:44 luca-endian Note Added: 0002330
2009-05-14 10:05 luca-endian Note Added: 0002333
2009-05-14 10:06 luca-endian Note Edited: 0002333
2009-05-14 10:33 luca-endian Note Edited: 0002176
2009-05-14 13:14 bonald Note Added: 0002338
2009-06-08 17:05 simon-endian Status new => acknowledged
2009-06-10 01:06 mike-f Note Added: 0002544
2009-06-10 10:26 luca-endian Note Added: 0002545
2009-11-25 18:35 peter-endian Target Version => future

Copyright © 2005-2008 Endian, SRL. All rights reserved.


Copyright © 2000 - 2012 MantisBT Group
Powered by Mantis Bugtracker