Proxy authentication?

81 views
Skip to first unread message

Thipor Kong

unread,
May 5, 2015, 2:11:10 PM5/5/15
to ceylo...@googlegroups.com
Hello,

my proxy server requires authentication, but the configuration items proxy.{user,password} mentioned in the documentation [1] seem not to be working with 1.1.0.

After reading the source code I believe it's not implemented yet:
  • There is a class com.redhat.ceylon.common.config.Authentication [2] which is meant to capture the proxy authentication settings, and it offers methods getProxyAuthentication() and installProxy() for accessing/using these settings
  • But installProxy() is only used in some test code (ProxyTool.java) and getProxyAuthentication() is used nowhere outside of Authentication.java
Are there any current plans to implement this in the near future?

Just to get going, I did extend CeylonConfig.createFromLocalDir() to make a call to Authentication.installProxy() each time a configuration is loaded.
But I believe this workaround is only a quick hack, because installProxy() sets the system-wide default ProxySelector and Authenticator, and we can't assume Ceylon to own the JVM exclusively (e.g. when running as plugin in the Eclipse IDE), and configurations anyways have Thread-local scope only when retrieved via CeylonConfig.get().

Maybe there are other solutions out there?

Thanks and regards,

Thipor

Tako Schotanus

unread,
May 5, 2015, 3:22:01 PM5/5/15
to ceylon-dev
Hi Thipor,


I'm currently looking if this is something I can fix quickly.
Would you be willing/able to test if it works?
(This would mean compiling Ceylon from source)


-Tako

--
You received this message because you are subscribed to the Google Groups "ceylon-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ceylon-dev+...@googlegroups.com.
To post to this group, send email to ceylo...@googlegroups.com.
Visit this group at http://groups.google.com/group/ceylon-dev.
To view this discussion on the web visit https://groups.google.com/d/msgid/ceylon-dev/2cf783e7-adfb-4861-adde-119bc04b3e99%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Tako Schotanus

unread,
May 5, 2015, 3:57:17 PM5/5/15
to ceylon-dev
I just pushed some code to master that I think should do the trick.
BUT it's completely untested so chances are that it won't work.
I don't have time myself right now to set up a proxy and add tests etc.
But feel free to try it :)


-Tako

Tako Schotanus

unread,
May 5, 2015, 8:33:03 PM5/5/15
to ceylon-dev
Bummer, you're right.
No time anymore to see if there's some way to still use a non-global setup for proxy+authentication, otherwise we're stuck.


-Tako

On Wed, May 6, 2015 at 2:20 AM, Thipor Kong <thi...@kong.name> wrote:
Hi Tako,

thank you very much for the quick response! I have built everything from source and will try it out tomorrow.

My understanding of the changes is that you are now making explicit, which proxy is to be used and that this proxy is being looked up via DefaultToolOptions.getDefaultProxy() -> Authentication.getProxy(). I'm afraid that this is not sufficient, because I believe that authentication information for the proxy is still taken from the system-wide default java.net.Authenticator and there is no Authenticator being installed. But tomorrow's test will show.

Kind regards,

Thipor

Tako Schotanus

unread,
May 5, 2015, 8:34:13 PM5/5/15
to ceylon-dev
(sorry wasn't being clear in my last message, no time anymore *today* because I'm going to bed heh)


-Tako

Thipor Kong

unread,
May 6, 2015, 12:41:49 PM5/6/15
to ceylo...@googlegroups.com, ta...@codejive.org
As expected, my tests of https://github.com/ceylon/ceylon-module-resolver/issues/38 failed due to missing credentials.

My understanding of the underlying problem is, that java.net.URL.openConnection() is tightly coupled to the system-wide java.net.Authenticator via the returned HttpURLConnection [1].
So if we wanted to eliminate our dependency on the Authenticator, we'd have to eliminate our dependency on URL.openConnection().

I found only 11 occurences of URL.openConnection() in ceylon-dist code:
Maybe it's possible to use HttpClient instead, which provides better configurability for proxy connections [2]?

If you find this idea interesting and need some help, I'd be prepared to take a shot on prototyping this idea.

Kind regards,

Thipor

Tako Schotanus

unread,
May 6, 2015, 12:49:32 PM5/6/15
to ceylon-dev
Hi Thipor,

yes that something that's definitely an option (see the discussion on https://github.com/ceylon/ceylon-module-resolver/issues/38 ) but it's not see much the code itself which is the problem, that is changed easily enough I guess. We're more worried about the extra dependencies that would mean for the base system.
Now you could argue (correctly) that we already ship the Apache client anyway so that wouldn't pose too much of a problem, but right now that dependency is optional, changing this would make it (and *its* dependencies) required. Which is not a decision to take too lightly.

As mentioned in the issue we could consider making our own contained implementation of proxy authentication on top of HttpURLConnection, but we don't know how much of a can of worms that would be.

So unfortunately I don't think this will be part of the 1.2 release (unless my colleagues disagree). Which means that you'll have to stick to passing -Dhttp.proxy parameters to the runtime for the time being.



-Tako

Stephane Epardaud

unread,
May 6, 2015, 1:03:08 PM5/6/15
to ceylon-dev
Where do we depend on Apache HttpClient?

To view this discussion on the web visit https://groups.google.com/d/msgid/ceylon-dev/CAOJRyvqiVvUsVn%2BrR_RZ7e8hfebU-fJboMc_mPB2FWx6nuPM9w%40mail.gmail.com.

For more options, visit https://groups.google.com/d/optout.



--
Stéphane Épardaud

Tako Schotanus

unread,
May 6, 2015, 1:04:19 PM5/6/15
to ceylon-dev
The Aether stuff does.


-Tako

To view this discussion on the web visit https://groups.google.com/d/msgid/ceylon-dev/CAKU9E9sPRVCHN5FsNDgdyKcpUy2tkU7cKyJnqkhZG-0XOM_VtQ%40mail.gmail.com.

Thipor Kong

unread,
May 6, 2015, 1:15:24 PM5/6/15
to ceylo...@googlegroups.com, ta...@codejive.org
Yes, I fully understand your considerations.  Sadly, the -Dhttp.proxy parameters can't be used to set proxy credentials.
So it's a tradeoff between software complexity and supporting highly regulated enterprise environments... ;-)

Stephane Epardaud

unread,
May 6, 2015, 1:15:32 PM5/6/15
to ceylon-dev
Ah, OK.

To view this discussion on the web visit https://groups.google.com/d/msgid/ceylon-dev/CAOJRyvrgGjf2yOtn15Jcqs%2BoFoGC7-odTnerx9cj2xyHYmV7%2Bg%40mail.gmail.com.

For more options, visit https://groups.google.com/d/optout.



--
Stéphane Épardaud

Tako Schotanus

unread,
May 6, 2015, 1:39:40 PM5/6/15
to Thipor Kong, ceylon-dev

On Wed, May 6, 2015 at 7:15 PM, Thipor Kong <thi...@kong.name> wrote:
Sadly, the -Dhttp.proxy parameters can't be used to set proxy credentials.

Ah yes, I saw so many references to "http.proxyUser" that I thought it was enabled by default.

I wonder if we should just add a temporary hack where you can pass "-Dceylon.installProxy=true" on the command line which would then at least install those global hooks. Not pretty but it would work for common cases.

-Tako

Thipor Kong

unread,
May 6, 2015, 1:56:44 PM5/6/15
to ceylo...@googlegroups.com
Yes, this would be a pragmatic solution!
Reply all
Reply to author
Forward
0 new messages