Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8065994

HTTP Tunnel connection to NTLM proxy reauthenticates instead of using keep-alive

    Details

    • Subcomponent:
    • Resolved In Build:
      b48

      Backports

        Description

        Submitter uses HttpURLConnection to connect from a Swing GUI to an application server.
        The connection supports tunneling HTTPS through an NTLM proxy.

        The GUI uses a local copy of the Java JRE, and uses the HttpURLConnection class

        The connection should use keep-alive by default since the client, proxy and server are all using HTTP/1.1. A single socket should be opened from the GUI and multiple HTTP requests should use the same socket.

        Before Java 1.7.0_40, the HTTPS tunnel through the NTLM proxy would do NTLM authentication on the initial CONNECT request, but not on the following HTTP requests. The GUI would open a single socket and reuse it.

        In Java 1.7.0_40 and all later JRE versions, including JRE for 1.7.0_72 and 1.8.0_20, each request results in the GUI sending a new CONNECT request to the proxy server, doing the NTLM authentication (successfully), and then creating a new tunnel and new socket to the server.

        The problem this causes is that the requests take much longer because it has to create a new socket, and do the SSL handshake with the server. The request time for the second and subsequent requests should normally be around 100ms, but because of the problem, they take 3-4 seconds.

        The HTTP headers between the GUI and the proxy servers appear identical in all the JRE versions, but the Java client's behavior is different.

        The last good JRE is 1.7.0_25. All versions before that work also OK.
        1.6.0_26
        1.7.0.17
        1.7.0_21
        1.7.0_25

        Tested all versions after that that were available for download, and none of them work.
        1.7.0_40
        1.7.0_45
        1.7.0_51
        1.7.0_67
        1.7.0_71
        1.7.0_72
        1.8.0_20

          Attachments

            Issue Links

              Activity

                People

                • Assignee:
                  coffeys Sean Coffey
                  Reporter:
                  shadowbug Shadow Bug
                • Votes:
                  0 Vote for this issue
                  Watchers:
                  9 Start watching this issue

                  Dates

                  • Created:
                    Updated:
                    Resolved: