Topics

Built-in proxy support in Client API?


Andy McCright
 

Hi all,
 
It might be too late to add this (if so, no worries), but I've been running into a few customer situations where customers are using HTTP/HTTPS proxy servers with their JAX-RS client APIs.  Today, proxy support is enabled, but requires vendor-specific properties.  Would it make sense to add some methods to ClientBuilder/Client/Configurable like proxyHost(String), proxyPort(int), proxyBasicAuth(String user, byte[] password), etc.?
 
Here is a relevant issue where this was previously discussed: https://github.com/jax-rs/api/issues/497
 
Thanks,
 
Andy
 


J. Andrew McCright
IBM WebSphere Development
+1 507 253 7448
TL 553-7448
andymc@...


Dennis Kieselhorst
 

Hi,

in my view there should be at least standardized constants for the properties in 2.1. I created a PR for the timeout stuff yesterday: https://github.com/jax-rs/api/pull/555

These properties can be used by convenience methods in ClientBuilder.

I can also create a PR for the proxy constants if the solution is agreed.

Regards

Dennis


Pavel Bucek
 

Hi Dennis,

thanks for the pull request; please don't hijack the topic - this one is about client proxy support. Feel free to start a new thread.

Regards,
Pavel


On 21/05/2017 11:05, Dennis Kieselhorst wrote:

Hi,

in my view there should be at least standardized constants for the properties in 2.1. I created a PR for the timeout stuff yesterday: https://github.com/jax-rs/api/pull/555

These properties can be used by convenience methods in ClientBuilder.

I can also create a PR for the proxy constants if the solution is agreed.

Regards

Dennis



Dennis Kieselhorst
 

Hi Pavel,

I don't want to hijack the topic, I'm just saying that we can handle both cases in a common way.

Regards
Dennis


Andy McCright
 

Yeah, I think that makes sense.  So maybe instead of new methods on the Client/ClientBuilder we could add the following properties to Client:
 
public static final String PROXY_HOST_PROPERTY = "javax.ws.rs.client.http.proxy.host";
public static final String PROXY_PORT_PROPERTY = "javax.ws.rs.client.http.proxy.port";
public static final String PROXY_BASIC_AUTH_USERNAME_PROPERTY = "javax.ws.rs.client.http.proxy.auth.username";
public static final String PROXY_BASIC_AUTH_PASSWORD_PROPERTY = "javax.ws.rs.client.http.proxy.auth.password";
 
 
Assuming we have consensus, do we want to add this as part of Dennis's pull request[1], or should I create a new one?
 
Thanks,
 
Andy
 
 


J. Andrew McCright
IBM WebSphere Development
+1 507 253 7448
TL 553-7448
andymc@...
 
 

----- Original message -----
From: "Dennis Kieselhorst" <deki@...>
Sent by: jaxrs-spec@javaee.groups.io
To: jaxrs-spec@javaee.groups.io
Cc:
Subject: Re: [jaxrs] Built-in proxy support in Client API?
Date: Mon, May 22, 2017 2:01 AM
 

Hi Pavel,

I don't want to hijack the topic, I'm just saying that we can handle both cases in a common way.

Regards
Dennis

 


Pavel Bucek
 

Hi Andy, Dennis,

proxy port and proxy host can be already be defined by java property (http.proxyHost and http.proxyPort).

I'm not sure whether we can add proxy auth schemes at this point - if we'd start talking about security, wouldn't make sense to add auth support for standard client invocations?

Regards,
Pavel


On 25/05/2017 20:36, Andy McCright wrote:
Yeah, I think that makes sense.  So maybe instead of new methods on the Client/ClientBuilder we could add the following properties to Client:
 
public static final String PROXY_HOST_PROPERTY = "javax.ws.rs.client.http.proxy.host";
public static final String PROXY_PORT_PROPERTY = "javax.ws.rs.client.http.proxy.port";
public static final String PROXY_BASIC_AUTH_USERNAME_PROPERTY = "javax.ws.rs.client.http.proxy.auth.username";
public static final String PROXY_BASIC_AUTH_PASSWORD_PROPERTY = "javax.ws.rs.client.http.proxy.auth.password";
 
 
Assuming we have consensus, do we want to add this as part of Dennis's pull request[1], or should I create a new one?
 
Thanks,
 
Andy
 
 


J. Andrew McCright
IBM WebSphere Development
+1 507 253 7448
TL 553-7448
andymc@...
 
 
----- Original message -----
From: "Dennis Kieselhorst" <deki@...>
Sent by: jaxrs-spec@javaee.groups.io
To: jaxrs-spec@javaee.groups.io
Cc:
Subject: Re: [jaxrs] Built-in proxy support in Client API?
Date: Mon, May 22, 2017 2:01 AM
 

Hi Pavel,

I don't want to hijack the topic, I'm just saying that we can handle both cases in a common way.

Regards
Dennis

 



Andy McCright
 

Hi Pavel,
 
The java properties will specify proxy host/port for the entire JVM.  Some of my customers are using JAX-RS clients in hybrid cloud environments where they may need a proxy server to access certain endpoints but not others - so they really need a per-client solution.  We can provide that per-client solution with a vendor-specific property, but then it is no longer portable.
 
I'm fine if we want to push this out to the next rev of JAX-RS though.  I think it is an important issue, but not worth holding up the spec's release.
 
Thanks,
 
Andy 


J. Andrew McCright
IBM WebSphere Development
+1 507 253 7448
TL 553-7448
andymc@...
 
 

----- Original message -----
From: "Pavel Bucek" <pavel.bucek@...>
Sent by: jaxrs-spec@javaee.groups.io
To: jaxrs-spec@javaee.groups.io
Cc:
Subject: Re: [jaxrs] Built-in proxy support in Client API?
Date: Thu, May 25, 2017 3:08 PM
 

Hi Andy, Dennis,

proxy port and proxy host can be already be defined by java property (http.proxyHost and http.proxyPort).

I'm not sure whether we can add proxy auth schemes at this point - if we'd start talking about security, wouldn't make sense to add auth support for standard client invocations?

Regards,
Pavel

 
On 25/05/2017 20:36, Andy McCright wrote:
Yeah, I think that makes sense.  So maybe instead of new methods on the Client/ClientBuilder we could add the following properties to Client:
 
public static final String PROXY_HOST_PROPERTY = "javax.ws.rs.client.http.proxy.host";
public static final String PROXY_PORT_PROPERTY = "javax.ws.rs.client.http.proxy.port";
public static final String PROXY_BASIC_AUTH_USERNAME_PROPERTY = "javax.ws.rs.client.http.proxy.auth.username";
public static final String PROXY_BASIC_AUTH_PASSWORD_PROPERTY = "javax.ws.rs.client.http.proxy.auth.password";
 
 
Assuming we have consensus, do we want to add this as part of Dennis's pull request[1], or should I create a new one?
 
Thanks,
 
Andy
 
 


J. Andrew McCright
IBM WebSphere Development
+1 507 253 7448
TL 553-7448
andymc@...
 
 
----- Original message -----
From: "Dennis Kieselhorst" <deki@...>
Sent by: jaxrs-spec@javaee.groups.io
To: jaxrs-spec@javaee.groups.io
Cc:
Subject: Re: [jaxrs] Built-in proxy support in Client API?
Date: Mon, May 22, 2017 2:01 AM
 

Hi Pavel,

I don't want to hijack the topic, I'm just saying that we can handle both cases in a common way.

Regards
Dennis

 
 
 


Sergey Beryozkin
 

Hi Andy, Pavel

Would it make sense to consider extending the security related part of the API a bit ?
It already has some methods for setting up HTTPS the portable way.

Cheers, Sergey

On 25/05/17 22:35, Andy McCright wrote:
Hi Pavel,
 
The java properties will specify proxy host/port for the entire JVM.  Some of my customers are using JAX-RS clients in hybrid cloud environments where they may need a proxy server to access certain endpoints but not others - so they really need a per-client solution.  We can provide that per-client solution with a vendor-specific property, but then it is no longer portable.
 
I'm fine if we want to push this out to the next rev of JAX-RS though.  I think it is an important issue, but not worth holding up the spec's release.
 
Thanks,
 
Andy 


J. Andrew McCright
IBM WebSphere Development
+1 507 253 7448
TL 553-7448
andymc@...
 
 
----- Original message -----
From: "Pavel Bucek" <pavel.bucek@...>
Sent by: jaxrs-spec@javaee.groups.io
To: jaxrs-spec@javaee.groups.io
Cc:
Subject: Re: [jaxrs] Built-in proxy support in Client API?
Date: Thu, May 25, 2017 3:08 PM
 

Hi Andy, Dennis,

proxy port and proxy host can be already be defined by java property (http.proxyHost and http.proxyPort).

I'm not sure whether we can add proxy auth schemes at this point - if we'd start talking about security, wouldn't make sense to add auth support for standard client invocations?

Regards,
Pavel

 
On 25/05/2017 20:36, Andy McCright wrote:
Yeah, I think that makes sense.  So maybe instead of new methods on the Client/ClientBuilder we could add the following properties to Client:
 
public static final String PROXY_HOST_PROPERTY = "javax.ws.rs.client.http.proxy.host";
public static final String PROXY_PORT_PROPERTY = "javax.ws.rs.client.http.proxy.port";
public static final String PROXY_BASIC_AUTH_USERNAME_PROPERTY = "javax.ws.rs.client.http.proxy.auth.username";
public static final String PROXY_BASIC_AUTH_PASSWORD_PROPERTY = "javax.ws.rs.client.http.proxy.auth.password";
 
 
Assuming we have consensus, do we want to add this as part of Dennis's pull request[1], or should I create a new one?
 
Thanks,
 
Andy
 
 


J. Andrew McCright
IBM WebSphere Development
+1 507 253 7448
TL 553-7448
andymc@...
 
 
----- Original message -----
From: "Dennis Kieselhorst" <deki@...>
Sent by: jaxrs-spec@javaee.groups.io
To: jaxrs-spec@javaee.groups.io
Cc:
Subject: Re: [jaxrs] Built-in proxy support in Client API?
Date: Mon, May 22, 2017 2:01 AM
 

Hi Pavel,

I don't want to hijack the topic, I'm just saying that we can handle both cases in a common way.

Regards
Dennis

 
 
 



Pavel Bucek
 

Hi Sergey, Andy, Dennis, all,

it would definitely make sense, but there are always issues when you need to provide credentials.

Since JAX-RS client is generally an object, which should be retained for a "long time", it doesn't make sense to have credentials stored within it (you can access multiple resources (targets) with it and they could have different security requirements. So we would need to introduce something like credentials provider / store, which would return credentials per request (based on host, port, path, ...).

Then there are multiple authentication mechanisms - which ones should we support? Basic and Digest are no-brainers, but should we have it in the API? It is already very simple to implement those using request filters. Then, when we start with security, OAuth users will start to request OAuth support (which makes perfect sense and I'd like to see it on the client), but that's completely different set of APIs...

I mean - as I mentioned - I'd be all for introducing better security support for the client. But it feels like "just another security api"; ideally, we'd just integrate with something which is already available, unfortunately that's not the case. Look around for other clients from Java EE. Supporting any security (other than certificate based / https) is rare. I would hope that separate security spec would provide guidance and ideally an API to integrate with, but that did not happen yet.

As I don't like to use the phrase "sorry, it's already too late", it almost seems that it is appropriate here.

Best regards,
Pavel


On 25/05/2017 23:48, Sergey Beryozkin wrote:
Hi Andy, Pavel

Would it make sense to consider extending the security related part of the API a bit ?
It already has some methods for setting up HTTPS the portable way.

Cheers, Sergey
On 25/05/17 22:35, Andy McCright wrote:
Hi Pavel,
 
The java properties will specify proxy host/port for the entire JVM.  Some of my customers are using JAX-RS clients in hybrid cloud environments where they may need a proxy server to access certain endpoints but not others - so they really need a per-client solution.  We can provide that per-client solution with a vendor-specific property, but then it is no longer portable.
 
I'm fine if we want to push this out to the next rev of JAX-RS though.  I think it is an important issue, but not worth holding up the spec's release.
 
Thanks,
 
Andy 


J. Andrew McCright
IBM WebSphere Development
+1 507 253 7448
TL 553-7448
andymc@...
 
 
----- Original message -----
From: "Pavel Bucek" <pavel.bucek@...>
Sent by: jaxrs-spec@javaee.groups.io
To: jaxrs-spec@javaee.groups.io
Cc:
Subject: Re: [jaxrs] Built-in proxy support in Client API?
Date: Thu, May 25, 2017 3:08 PM
 

Hi Andy, Dennis,

proxy port and proxy host can be already be defined by java property (http.proxyHost and http.proxyPort).

I'm not sure whether we can add proxy auth schemes at this point - if we'd start talking about security, wouldn't make sense to add auth support for standard client invocations?

Regards,
Pavel

 
On 25/05/2017 20:36, Andy McCright wrote:
Yeah, I think that makes sense.  So maybe instead of new methods on the Client/ClientBuilder we could add the following properties to Client:
 
public static final String PROXY_HOST_PROPERTY = "javax.ws.rs.client.http.proxy.host";
public static final String PROXY_PORT_PROPERTY = "javax.ws.rs.client.http.proxy.port";
public static final String PROXY_BASIC_AUTH_USERNAME_PROPERTY = "javax.ws.rs.client.http.proxy.auth.username";
public static final String PROXY_BASIC_AUTH_PASSWORD_PROPERTY = "javax.ws.rs.client.http.proxy.auth.password";
 
 
Assuming we have consensus, do we want to add this as part of Dennis's pull request[1], or should I create a new one?
 
Thanks,
 
Andy
 
 


J. Andrew McCright
IBM WebSphere Development
+1 507 253 7448
TL 553-7448
andymc@...
 
 
----- Original message -----
From: "Dennis Kieselhorst" <deki@...>
Sent by: jaxrs-spec@javaee.groups.io
To: jaxrs-spec@javaee.groups.io
Cc:
Subject: Re: [jaxrs] Built-in proxy support in Client API?
Date: Mon, May 22, 2017 2:01 AM
 

Hi Pavel,

I don't want to hijack the topic, I'm just saying that we can handle both cases in a common way.

Regards
Dennis

 
 
 




Sergey Beryozkin
 

Hi Pavel

While it is indeed the case there are many authentication options against the target, I wonder how many options are there when we are talking about the HTTP proxies ? I've only ever used a name and password :-).

Does anyone know if a scheme other than Basic has ever been used in practice for Proxy-Authentication ?

Thanks, Sergey

[1] https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Proxy-Authenticate 

On 26/05/17 07:06, Pavel Bucek wrote:

Hi Sergey, Andy, Dennis, all,

it would definitely make sense, but there are always issues when you need to provide credentials.

Since JAX-RS client is generally an object, which should be retained for a "long time", it doesn't make sense to have credentials stored within it (you can access multiple resources (targets) with it and they could have different security requirements. So we would need to introduce something like credentials provider / store, which would return credentials per request (based on host, port, path, ...).

Then there are multiple authentication mechanisms - which ones should we support? Basic and Digest are no-brainers, but should we have it in the API? It is already very simple to implement those using request filters. Then, when we start with security, OAuth users will start to request OAuth support (which makes perfect sense and I'd like to see it on the client), but that's completely different set of APIs...

I mean - as I mentioned - I'd be all for introducing better security support for the client. But it feels like "just another security api"; ideally, we'd just integrate with something which is already available, unfortunately that's not the case. Look around for other clients from Java EE. Supporting any security (other than certificate based / https) is rare. I would hope that separate security spec would provide guidance and ideally an API to integrate with, but that did not happen yet.

As I don't like to use the phrase "sorry, it's already too late", it almost seems that it is appropriate here.

Best regards,
Pavel


On 25/05/2017 23:48, Sergey Beryozkin wrote:
Hi Andy, Pavel

Would it make sense to consider extending the security related part of the API a bit ?
It already has some methods for setting up HTTPS the portable way.

Cheers, Sergey
On 25/05/17 22:35, Andy McCright wrote:
Hi Pavel,
 
The java properties will specify proxy host/port for the entire JVM.  Some of my customers are using JAX-RS clients in hybrid cloud environments where they may need a proxy server to access certain endpoints but not others - so they really need a per-client solution.  We can provide that per-client solution with a vendor-specific property, but then it is no longer portable.
 
I'm fine if we want to push this out to the next rev of JAX-RS though.  I think it is an important issue, but not worth holding up the spec's release.
 
Thanks,
 
Andy 


J. Andrew McCright
IBM WebSphere Development
+1 507 253 7448
TL 553-7448
andymc@...
 
 
----- Original message -----
From: "Pavel Bucek" <pavel.bucek@...>
Sent by: jaxrs-spec@javaee.groups.io
To: jaxrs-spec@javaee.groups.io
Cc:
Subject: Re: [jaxrs] Built-in proxy support in Client API?
Date: Thu, May 25, 2017 3:08 PM
 

Hi Andy, Dennis,

proxy port and proxy host can be already be defined by java property (http.proxyHost and http.proxyPort).

I'm not sure whether we can add proxy auth schemes at this point - if we'd start talking about security, wouldn't make sense to add auth support for standard client invocations?

Regards,
Pavel

 
On 25/05/2017 20:36, Andy McCright wrote:
Yeah, I think that makes sense.  So maybe instead of new methods on the Client/ClientBuilder we could add the following properties to Client:
 
public static final String PROXY_HOST_PROPERTY = "javax.ws.rs.client.http.proxy.host";
public static final String PROXY_PORT_PROPERTY = "javax.ws.rs.client.http.proxy.port";
public static final String PROXY_BASIC_AUTH_USERNAME_PROPERTY = "javax.ws.rs.client.http.proxy.auth.username";
public static final String PROXY_BASIC_AUTH_PASSWORD_PROPERTY = "javax.ws.rs.client.http.proxy.auth.password";
 
 
Assuming we have consensus, do we want to add this as part of Dennis's pull request[1], or should I create a new one?
 
Thanks,
 
Andy
 
 


J. Andrew McCright
IBM WebSphere Development
+1 507 253 7448
TL 553-7448
andymc@...
 
 
----- Original message -----
From: "Dennis Kieselhorst" <deki@...>
Sent by: jaxrs-spec@javaee.groups.io
To: jaxrs-spec@javaee.groups.io
Cc:
Subject: Re: [jaxrs] Built-in proxy support in Client API?
Date: Mon, May 22, 2017 2:01 AM
 

Hi Pavel,

I don't want to hijack the topic, I'm just saying that we can handle both cases in a common way.

Regards
Dennis

 
 
 





Pavel Bucek
 

Hi Sergey,

I recall getting a requests for supporting NTLM/Kerberos and maybe one other scheme - something related to ldap..

Regards,
Pavel


On 26/05/2017 11:42, Sergey Beryozkin wrote:
Hi Pavel

While it is indeed the case there are many authentication options against the target, I wonder how many options are there when we are talking about the HTTP proxies ? I've only ever used a name and password :-).

Does anyone know if a scheme other than Basic has ever been used in practice for Proxy-Authentication ?

Thanks, Sergey

[1] https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Proxy-Authenticate 
On 26/05/17 07:06, Pavel Bucek wrote:

Hi Sergey, Andy, Dennis, all,

it would definitely make sense, but there are always issues when you need to provide credentials.

Since JAX-RS client is generally an object, which should be retained for a "long time", it doesn't make sense to have credentials stored within it (you can access multiple resources (targets) with it and they could have different security requirements. So we would need to introduce something like credentials provider / store, which would return credentials per request (based on host, port, path, ...).

Then there are multiple authentication mechanisms - which ones should we support? Basic and Digest are no-brainers, but should we have it in the API? It is already very simple to implement those using request filters. Then, when we start with security, OAuth users will start to request OAuth support (which makes perfect sense and I'd like to see it on the client), but that's completely different set of APIs...

I mean - as I mentioned - I'd be all for introducing better security support for the client. But it feels like "just another security api"; ideally, we'd just integrate with something which is already available, unfortunately that's not the case. Look around for other clients from Java EE. Supporting any security (other than certificate based / https) is rare. I would hope that separate security spec would provide guidance and ideally an API to integrate with, but that did not happen yet.

As I don't like to use the phrase "sorry, it's already too late", it almost seems that it is appropriate here.

Best regards,
Pavel


On 25/05/2017 23:48, Sergey Beryozkin wrote:
Hi Andy, Pavel

Would it make sense to consider extending the security related part of the API a bit ?
It already has some methods for setting up HTTPS the portable way.

Cheers, Sergey
On 25/05/17 22:35, Andy McCright wrote:
Hi Pavel,
 
The java properties will specify proxy host/port for the entire JVM.  Some of my customers are using JAX-RS clients in hybrid cloud environments where they may need a proxy server to access certain endpoints but not others - so they really need a per-client solution.  We can provide that per-client solution with a vendor-specific property, but then it is no longer portable.
 
I'm fine if we want to push this out to the next rev of JAX-RS though.  I think it is an important issue, but not worth holding up the spec's release.
 
Thanks,
 
Andy 


J. Andrew McCright
IBM WebSphere Development
+1 507 253 7448
TL 553-7448
andymc@...
 
 
----- Original message -----
From: "Pavel Bucek" <pavel.bucek@...>
Sent by: jaxrs-spec@javaee.groups.io
To: jaxrs-spec@javaee.groups.io
Cc:
Subject: Re: [jaxrs] Built-in proxy support in Client API?
Date: Thu, May 25, 2017 3:08 PM
 

Hi Andy, Dennis,

proxy port and proxy host can be already be defined by java property (http.proxyHost and http.proxyPort).

I'm not sure whether we can add proxy auth schemes at this point - if we'd start talking about security, wouldn't make sense to add auth support for standard client invocations?

Regards,
Pavel

 
On 25/05/2017 20:36, Andy McCright wrote:
Yeah, I think that makes sense.  So maybe instead of new methods on the Client/ClientBuilder we could add the following properties to Client:
 
public static final String PROXY_HOST_PROPERTY = "javax.ws.rs.client.http.proxy.host";
public static final String PROXY_PORT_PROPERTY = "javax.ws.rs.client.http.proxy.port";
public static final String PROXY_BASIC_AUTH_USERNAME_PROPERTY = "javax.ws.rs.client.http.proxy.auth.username";
public static final String PROXY_BASIC_AUTH_PASSWORD_PROPERTY = "javax.ws.rs.client.http.proxy.auth.password";
 
 
Assuming we have consensus, do we want to add this as part of Dennis's pull request[1], or should I create a new one?
 
Thanks,
 
Andy
 
 


J. Andrew McCright
IBM WebSphere Development
+1 507 253 7448
TL 553-7448
andymc@...
 
 
----- Original message -----
From: "Dennis Kieselhorst" <deki@...>
Sent by: jaxrs-spec@javaee.groups.io
To: jaxrs-spec@javaee.groups.io
Cc:
Subject: Re: [jaxrs] Built-in proxy support in Client API?
Date: Mon, May 22, 2017 2:01 AM
 

Hi Pavel,

I don't want to hijack the topic, I'm just saying that we can handle both cases in a common way.

Regards
Dennis