Trying to acccess an API outside the firewall so we are going through a proxy server but the issue is that this causes HttpURLConnection to drop any set request headers for the URL.
Setup is simple
static {
System.setProperty("java.net.useSystemProxies", "true"); //use proxy on windows machine
System.setProperty("javax.net.ssl.trustStore", "trust file"); // for SSL
System.setProperty("javax.net.ssl.trustStorePassword=", "password");// for SSL
}
Code is as follows
URL obj = new URL(URL);
HttpURLConnection con = (HttpURLConnection) obj.openConnection();//proxy);
con.setRequestMethod("GET");
con.setRequestProperty("token","MYTOKEN");
int responseCode = con.getResponseCode();
The response returns a 403 forbidden error becasue it is n0t getting the set token. This is not the same as the auth bug which is similar but is due to a specific header i believe.
The issue occurs in HttpURLConnection where the getReponseCode() initiates a connection. It tries to retrieve the inputstream but needs to connect() to do this.
In connect() in DelegateHttpsURLConnection it does a plainConnect() to return the proxy selector, however in that method we get to doTunneling() which is necesary for the proxy.
in that method there are two lines
MessageHeader savedRequests = requests;
requests = new MessageHeader();
this moves the headers you set into a temporary object since they are not meant for the proxy server. it calls proxiedConnect(url, proxyHost, proxyPort, false); and connects to the proxy.
it then goes to sendCONNECTRequest() but now the headers are not present and the call fails.
I have to think that many people are using SSL over proxy for similar services, how is this not a bigger issue?
Tried various permutations of the the calls and also tried -Djdk.http.auth.tunneling.disabledSchemes="" but I think this has to do with Basic authentication but is a similar issue.
Everything ends up in the same state with the server returning a Forbidden error