Basic authentication fails for outgoing proxy in Java 8u111

Atlassian Knowledge Base

On this page

Still need help?

The Atlassian Community is here for you.

Ask the community

Platform notice: Server and Data Center only. This article only applies to Atlassian products on the Server and Data Center platforms.

Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

Problem

You want to configure outgoing proxy for any Atlassian product and that proxy requires basic authentication. Assuming that username/pass is correct, but you are still getting error: 407 Proxy Authentication Required

See the stack-trace: 

java.io.IOException: Unable to tunnel through proxy. Proxy returns "HTTP/1.1 407 Proxy Authentication Required"
        at sun.net.www.protocol.http.HttpURLConnection.doTunneling(HttpURLConnection.java:2124)
        at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:183)
        at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1546)
        at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1474)
        at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:254)

Typical Java environment variables for proxy: 

-Dhttp.proxyUser=test -Dhttp.proxyPassword=ping -Dhttp.proxyHost=172.16.47.128 -Dhttp.proxyPort=8080 -Dhttps.proxyUser=test -Dhttps.proxyPassword=ping -Dhttps.proxyHost=172.16.47.128 -Dhttps.proxyPort=808

See related:

  • JRASERVER-65287 - Getting issue details... STATUS  
  • Unable to locate Jira server for this macro. It may be due to Application Link configuration.

Diagnosis

Environment

  • Java version 8u111+

Diagnostic Steps

  • You can capture TCP session and you can see that Java doesn't send Proxy-Authorization header. Eg:

    CONNECT confluence.atlassian.com:443 HTTP/1.1
    User-Agent: Java/1.8.0_92
    Host: confluence.atlassian.com
    Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
    Proxy-Connection: keep-alive

Cause

In Java 8u111   Basic authentication for HTTPS tunneling was disabled by default.  

From  http://www.oracle.com/technetwork/java/javase/8u111-relnotes-3124969.html

In some environments, certain authentication schemes may be undesirable when proxying HTTPS. Accordingly, the Basic authentication scheme has been deactivated, by default, in the Oracle Java Runtime .. Now, proxies requiring Basic authentication when setting up a tunnel for HTTPS will no longer succeed by default. If required, this authentication scheme can be reactivated by removing Basic from the jdk.http.auth.tunneling.disabledSchemes networking property, or by setting a system property of the same name to "" ( empty ) on the command line.

Resolution

If you still want to use basic authentication for Proxy you can re-enable it. 

  • Add to Java environment:

    -Djdk.http.auth.tunneling.disabledSchemes=

Description

You want to configure an

outgoing proxy for any Atlassian product and that proxy requires basic authentication. Assuming that username/pass is correct, but you are still getting 
error: 407 Proxy Authentication Required
ProductJira, Confluence, Bitbucket, Bamboo, Fisheye, Crucible
PlatformServer
Last modified on Oct 11, 2018

Was this helpful?

Yes
No
Provide feedback about this article
Powered by Confluence and Scroll Viewport.