Community
Participate
Working Groups
Build Identifier: Version: Indigo Release Build id: 20110615-0604 I have a strange behavior in Eclipse with differnt plugins like BIRT. When a plugin is using a URLConnection to a server with a secured URL, in the past Eclipse automatically shows up a login dialog to perform Basic Authentication with the server. This seems to be a feature from Eclipse platform implemented through the extension point org.eclipse.equinox.security.loginModule. I know about this behavior, because I have implemented my own plugin with a custom login dialog. And if the user give me wrong user/password then the eclipse login dialog pops up automatically. So from the view of a plugin it is sufficient to provide a code like this: Code: .... urlConnection = (HttpURLConnection) new URL(myURL) .openConnection(); urlConnection.setRequestMethod("GET"); urlConnection.setDoOutput(true); urlConnection.setDoInput(true); urlConnection.setAllowUserInteraction(false); urlConnection.connect(); ..... No special handling was necessary. If the URL returns an 401, then the eclipse login dialog appears automatically. You can test this behavior also in the BIRT Plugin when creating a DataSet based on a XML URL. BIRT has no implementation for username/password for XML URLs. But for some strange reasons this dialog did not longer appear in some clients after the EGit Plugin was installed. After I have reverted a Eclipse IDE into a setup without the Egit Plugin the internal login dialog appears again. Can anybody check if EGit makes use of the extension point "org.eclipse.equinox.security.loginModule"? Tested with Eclipse EGit 1.1.0.201109151100-r Reproducible: Always Steps to Reproduce: 1.start Eclipse without EGit Plugin 2.create BIRT Report with a XML DataSet based on a URL from a secured server resource 3.Log into the server by giving userid/password into the standard login dialog 4.Install EGit Plugin 5.create BIRT Report with a XML DataSet based on a URL from a secured server resource - No Login dialog will apear. ok - mybe this is a little bit cumbersome. So you can test it with a debug code where you setup an URL Connection to a secured resource: urlConnection = (HttpURLConnection) new URL("http://....some_url_with_basic_authentication...") .openConnection(); urlConnection.setRequestMethod("GET"); urlConnection.setDoOutput(true); urlConnection.setDoInput(true); urlConnection.setAllowUserInteraction(false); urlConnection.connect();
> Can anybody check if EGit makes use of the extension point > "org.eclipse.equinox.security.loginModule"? I couldn't find "org.eclipse.equinox.security.loginModule" in EGit or JGit sources. Also plugin search didn't find any references to this extension point in the workspace I use for JGit and EGit development.
Is there anyone how can confirm this behavior?
I can confirm this bug on BIRT using Indigo Service Release 2 Build is: 20120216-1857 I had the same issue when using a XML data source, deleted the egit plugin to test, and the authentication dialog then was able to show up.
I also can confirm this issue, I was using Eclipse 3.8, not sure what version of egit, but I believe it was the latest (3.1).
(In reply to Daniel Johnson from comment #4) > I also can confirm this issue, I was using Eclipse 3.8, not sure what > version of egit, but I believe it was the latest (3.1). can you provide steps to reproduce ?
The problem is that BIRT did not provide any way to enter a user name and password for a XML Data URL. There is no need to reproduce this - You can see it if you try to add a XML Data URL.
(In reply to Ralph Soika from comment #6) > The problem is that BIRT did not provide any way to enter a user name and > password for a XML Data URL. > > There is no need to reproduce this - You can see it if you try to add a XML > Data URL. but I have no clue how to do that and what I need to install first
In my case I have a plugin for Eclipse that calls for a config file stored in secure SVN (https url). Without eGit installed when I execute the code to get the input stream from the URL it automatically prompts for user authentication. With eGit installed it throws a '401 Unauthorized Access' IOException and never asks for authentication. This API works with many types of URLs (http://, https://, file://, etc.). Note in the case of https that I am setting a blank Certifificate manager and accepting connections to all hosts. Matthias, you should be able to use this code on any URL requiring authentication to reproduce the issue. public static InputStream getRemoteInputStream(URL url) throws Exception { URLConnection conn = url.openConnection(); if (conn instanceof HttpsURLConnection) { // Create a trust manager that does not validate certificate chains TrustManager[] trustAllCerts = new TrustManager[] { new X509TrustManager() { public java.security.cert.X509Certificate[] getAcceptedIssuers() { return null; } public void checkClientTrusted(X509Certificate[] certs, String authType) { } public void checkServerTrusted(X509Certificate[] certs, String authType) { } } }; SSLContext sc = SSLContext.getInstance("SSL"); sc.init(null, trustAllCerts, new java.security.SecureRandom()); HostnameVerifier allHostsValid = new HostnameVerifier() { public boolean verify(String hostname, SSLSession session) { return true; } }; ((HttpsURLConnection) conn).setHostnameVerifier(allHostsValid); ((HttpsURLConnection) conn).setSSLSocketFactory(sc.getSocketFactory()); } conn.setAllowUserInteraction(true); conn.connect(); return conn.getInputStream(); }
Created attachment 244166 [details] Default Eclipse Password Prompt
I checked out the source and found that eGit is overriding the default Eclipse Authenticator implementation with a new Authenticator. At startup org.eclipse.egit.ui.Activator.setupProxy(final BundleContext context); calls java.net.Authenticator.setDefault(new EclipseAuthenticator()) . The java.net.Authenticator only allows one default, and Eclipse already had set a default in org.eclipse.core.internal.net.ProxyManager.registerAuthenticator() of type org.eclipse.ui.internal.net.auth.NetAuthenticator. So when eGit loads it is overriding this default, no longer allowing applications to make use of the default authentication service. Without egit installed any application code that tries to connect to a secure address will receive a dialog prompt from NetAuthenticator (attached password_prompt.png), however the egit EclipseAuthenticator implementation simply returns null authentication for any request, unless a proxy is configured in Eclipse, than it will return that authentication information instead. Can someone explain why egit needs a new default Authenticator.
*** Bug 377347 has been marked as a duplicate of this bug. ***
In my expirance this bug did not longer exits since 'Juno' version.
(In reply to Daniel Johnson from comment #10) > I checked out the source and found that eGit is overriding the default > Eclipse Authenticator implementation with a new Authenticator. At startup > org.eclipse.egit.ui.Activator.setupProxy(final BundleContext context); calls > java.net.Authenticator.setDefault(new EclipseAuthenticator()) . The > java.net.Authenticator only allows one default, and Eclipse already had set > a default in > org.eclipse.core.internal.net.ProxyManager.registerAuthenticator() of type > org.eclipse.ui.internal.net.auth.NetAuthenticator. So when eGit loads it is > overriding this default, no longer allowing applications to make use of the > default authentication service. > > Without egit installed any application code that tries to connect to a > secure address will receive a dialog prompt from NetAuthenticator (attached > password_prompt.png), however the egit EclipseAuthenticator implementation > simply returns null authentication for any request, unless a proxy is > configured in Eclipse, than it will return that authentication information > instead. > > Can someone explain why egit needs a new default Authenticator. thanks for the detailed analysis, I think we can simply remove this code I pushed a fix for review https://git.eclipse.org/r/#/c/28411/
Thanks Matthias. Any chance this will make it in time for Luna release? I don't think there is anything I can do to help it progress, but let me know if there is.
no chance for Luna since the final build was done last week on Wednesday and this bug for sure doesn't qualify as a showstopper for the release train
*** Bug 432008 has been marked as a duplicate of this bug. ***
[Batch change] Remove pre-3.7 Target Milestones If anyone on CC list is going to fix/implement this, please assign a new 3.7+ target milestone.
(In reply to Matthias Sohn from comment #13) > thanks for the detailed analysis, I think we can simply remove this code > I pushed a fix for review > https://git.eclipse.org/r/#/c/28411/ Matthias, is there any chance this can be merged? It would be great if we could have this bug fixed for Mars.1 (a.k.a. Mars SR1).
(In reply to Daniel Johnson from comment #10) > So when eGit loads it is > overriding this default, no longer allowing applications to make use of the > default authentication service. That is bad. However, applications can always override default authentication service (like egit). Not that it is nice thing, but at least there is a workaround. > Without egit installed any application code that tries to connect to a > secure address will receive a dialog prompt from NetAuthenticator (attached > password_prompt.png), however the egit EclipseAuthenticator implementation > simply returns null authentication for any request, unless a proxy is > configured in Eclipse, than it will return that authentication information > instead. > > Can someone explain why egit needs a new default Authenticator. Looking on the code of NetAuthenticator vs EclipseAuthenticator the reason was to *reuse* proxy authentication settings from Eclipse (all big companies are sitting behind proxies), however this makes users who are NOT behind proxy with zero chances to get authentication :-( @Shawn: since the code was initially contributed by you: do you have any idea why the code was originally added? I think better solution would be not simply remove that EclipseAuthenticator thing but enhance it: get (via reflection) the previous Authenticator (if any) and redirect the getPasswordAuthentication() calls to it if there is no proxy for given host configured in Eclipse. Additionally the original NetAuthenticator implementation should be improved by the code from EclipseAuthenticator, so that egit could later completely remove that piece of code.
New Gerrit change created: https://git.eclipse.org/r/54374
pushed a new change for stable-4.0 following Andrey's suggestion which delegates to NetAuthenticator if proxy has no configuration
(In reply to Matthias Sohn from comment #21) > pushed a new change for stable-4.0 following Andrey's suggestion which > delegates to NetAuthenticator if proxy has no configuration Matthias, will you create a follow up task for NetAuthenticator?
(In reply to Andrey Loskutov from comment #22) > (In reply to Matthias Sohn from comment #21) > > pushed a new change for stable-4.0 following Andrey's suggestion which > > delegates to NetAuthenticator if proxy has no configuration > > Matthias, will you create a follow up task for NetAuthenticator? do you know which is the platform component and git repository owning the source for NetAuthenticator ? Then I could contribute the enhancement right away.
(In reply to Matthias Sohn from comment #23) > (In reply to Andrey Loskutov from comment #22) > > (In reply to Matthias Sohn from comment #21) > > > pushed a new change for stable-4.0 following Andrey's suggestion which > > > delegates to NetAuthenticator if proxy has no configuration > > > > Matthias, will you create a follow up task for NetAuthenticator? > > do you know which is the platform component and git repository owning the > source for NetAuthenticator ? Then I could contribute the enhancement right > away. https://git.eclipse.org/c/platform/eclipse.platform.team.git/ See also bug 196780, bug 312228 and bug 318173.
