Basic authentication fails for outgoing proxy in Java 8u111
This Knowledge Base article was written specifically for the Atlassian Server platform. Due to the Restricted functions in Atlassian Cloud apps, the contents of this article cannot be applied to Atlassian Cloud applications.
You want to configure an outgoing proxy for an Atlassian product, and that proxy requires Basic authentication. The username and password are correct, but you still get the error: 407 Proxy Authentication Required
See the stack trace:
java.io.IOException: Unable to tunnel through proxy. Proxy returns "HTTP/1.1 407 Proxy Authentication Required"
    at sun.net.www.protocol.http.HttpURLConnection.doTunneling(HttpURLConnection.java:2124)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:183)
    at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1546)
    at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1474)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:254)
Typical Java system properties (JVM arguments) for the proxy:
-Dhttp.proxyUser=test -Dhttp.proxyPassword=ping -Dhttp.proxyHost=172.16.47.128 -Dhttp.proxyPort=8080 -Dhttps.proxyUser=test -Dhttps.proxyPassword=ping -Dhttps.proxyHost=172.16.47.128 -Dhttps.proxyPort=808
- Java version 8u111+
If you capture the TCP session, you can see that Java doesn't send the Proxy-Authorization header. E.g.:
CONNECT confluence.atlassian.com:443 HTTP/1.1
User-Agent: Java/1.8.0_92
Host: confluence.atlassian.com
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Proxy-Connection: keep-alive
In Java 8u111 Basic authentication for HTTPS tunneling was disabled by default.
In some environments, certain authentication schemes may be undesirable when proxying HTTPS. Accordingly, the Basic authentication scheme has been deactivated, by default, in the Oracle Java Runtime .. Now, proxies requiring Basic authentication when setting up a tunnel for HTTPS will no longer succeed by default. If required, this authentication scheme can be reactivated by removing Basic from the jdk.http.auth.tunneling.disabledSchemes networking property, or by setting a system property of the same name to "" ( empty ) on the command line.
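To confirm which value a particular JVM is actually using, the following added diagnostic (not Atlassian's or Oracle's code; the class name TunnelAuthCheck is hypothetical) reads the property the way the quoted text describes: a -D system property on the command line takes precedence over the JDK default in net.properties. It assumes net.properties lives under conf/ (Java 9+) or lib/ (Java 8) inside java.home.

```java
import java.io.*;
import java.nio.file.*;
import java.util.*;

// Added diagnostic (hypothetical class name). Run it with the same JVM and
// the same -D flags as the Atlassian product to see the effective setting.
public class TunnelAuthCheck {
    static final String KEY = "jdk.http.auth.tunneling.disabledSchemes";

    // JDK default from net.properties: conf/ on Java 9+, lib/ on Java 8 (assumed locations).
    static String fileDefault() throws IOException {
        Path home = Paths.get(System.getProperty("java.home"));
        for (String rel : new String[] {"conf/net.properties", "lib/net.properties"}) {
            Path p = home.resolve(rel);
            if (!Files.isReadable(p)) continue;
            Properties props = new Properties();
            try (InputStream in = Files.newInputStream(p)) {
                props.load(in);
            }
            return props.getProperty(KEY); // null if this JDK predates the property
        }
        return null; // no net.properties found: no default list
    }

    // Comma-separated, case-insensitive list; null or "" means nothing is disabled.
    static Set<String> parse(String list) {
        if (list == null || list.trim().isEmpty()) return Collections.emptySet();
        Set<String> out = new LinkedHashSet<>();
        for (String s : list.split(",")) {
            if (!s.trim().isEmpty()) out.add(s.trim().toLowerCase(Locale.ROOT));
        }
        return out;
    }

    public static void main(String[] args) throws IOException {
        String override = System.getProperty(KEY); // set only when passed with -D
        String effective = override != null ? override : fileDefault();
        Set<String> disabled = parse(effective);
        System.out.println("java.version     = " + System.getProperty("java.version"));
        System.out.println("-D override      = " + (override == null ? "(not set)" : "\"" + override + "\""));
        System.out.println("disabled schemes = " + disabled);
        System.out.println(disabled.contains("basic")
            ? "Basic is disabled for HTTPS tunnelling: a Basic-only proxy will answer 407."
            : "Basic is allowed for HTTPS tunnelling; credentials go to the proxy base64-encoded, not encrypted.");
    }
}
```

Setting the property to "" empties the whole list, so every scheme the default disabled is re-enabled, not only Basic.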
If you still want to use Basic authentication for the proxy, you can re-enable it.
Add to Java environment: