|Anonymous | Login||2017-03-26 03:36 CEST|
|Main | My View | View Issues | Change Log | Roadmap|
|View Issue Details|
|ID||Project||Category||View Status||Date Submitted||Last Update|
|0001683||Endian Firewall||Proxy HTTP||public||2009-03-17 13:55||2009-11-25 18:35|
|Target Version||future||Fixed in Version|
|Summary||0001683: Java JRE and NTLM auth|
|Description||Java JRE applications are not working when using Squid with NTLM auth.|
Quick workaround is to add these lines to squid.conf.tmpl around line 298
#Java JRE no-auth
acl java_jvm browser Java/1.4 Java/1.5 Java/1.6
http_access allow java_jvm
http_reply_access allow java_jvm
always_direct allow java_jvm
It won't work using the custom.tmpl because it put itself under the authentication rules.
This is nicer:
acl java_jvm browser Java/[0-9]
|this doesn't happen with all applets.. why??|
edited on: 2009-05-14 10:33
found this on the squid mailinglist:
seams that some javaapplets try to access the inet while starting without authentication.
because of this squid denies the access for the first try (no auth used by java applet). this
causes the java applet to be denied permenently by squid.
looks like the only solution is to whitelist the url or the useragent from authentication :-(
edited on: 2009-04-21 20:21
do you have the same problem when changing to
LDAP -> ActiveDirectory Auth?
is this a specific java-version which doesn't want to work?
As in the mentioned mailing-list the remote-server is on port 443 (https)
is this the same in your situation?
do you have any public sites you can provide as an example?
maybe "basic" together with "ntlm" might resolve the prob as described here:
//email@example.com/msg04962.html">http://firstname.lastname@example.org/msg04962.html [//email@example.com/msg04962.html" target="_blank">^]
|It's possible to have an url to one of that "guilty" applet for debugging purpose?|
edited on: 2009-05-14 10:06
Can someone confirm that the workaround works?
|The workaround works for me. I would like to provide you with the guilty URL but I can't, login/password required...|
if it's only a single url i would whitelist it
opening access for ALL Java* might give some unnamed/undocumented sec-issues
|Yes it's true but it's such an annoying problem.. maybe a sysadmin just want to solve it forever.|
|2009-03-17 13:55||bonald||New Issue|
|2009-03-17 13:55||bonald||Assigned To||=> simon-endian|
|2009-03-17 13:59||bonald||Note Added: 0002053|
|2009-04-21 10:46||luca-endian||Note Added: 0002173|
|2009-04-21 10:56||simon-endian||Note Added: 0002176|
|2009-04-21 20:05||mike-f||Note Added: 0002187|
|2009-04-21 20:21||mike-f||Note Edited: 0002187|
|2009-04-23 17:53||luca-endian||Tag Attached: purple|
|2009-05-13 14:44||luca-endian||Note Added: 0002330|
|2009-05-14 10:05||luca-endian||Note Added: 0002333|
|2009-05-14 10:06||luca-endian||Note Edited: 0002333|
|2009-05-14 10:33||luca-endian||Note Edited: 0002176|
|2009-05-14 13:14||bonald||Note Added: 0002338|
|2009-06-08 17:05||simon-endian||Status||new => acknowledged|
|2009-06-10 01:06||mike-f||Note Added: 0002544|
|2009-06-10 10:26||luca-endian||Note Added: 0002545|
|2009-11-25 18:35||peter-endian||Target Version||=> future|
|Copyright © 2000 - 2012 MantisBT Group|