Skip to content

ApacheHttpClient Proxy Authentication fails #5884

Open
@urfuchs

Description

@urfuchs

Describe the bug

Proxy Authentification fails with Status 407 when Proxy requires preemptive authentication.

My code:

SdkHttpClient httpClient = ApacheHttpClient.builder()
    .proxyConfiguration(ProxyConfiguration.builder()
        .endpoint(URI.create("http://proxy.example.com"))
        .username("username")
        .password("password")
        .preemptiveBasicAuthenticationEnabled(true)
        .build())
    .build();

SnsClient snsClient = SnsClient.builder()
    .httpClient(httpClient)
    .credentialsProvider(credentials)
    .region(Region.EU_CENTRAL_1)
    .build();

A request sent by this client fails with 407 when the proxy requires preemptive authentication.
It works fine when the proxy does not.

Regression Issue

  • Select this option if this issue appears to be a regression.

Expected Behavior

A request passes the proxy.

Current Behavior

software.amazon.awssdk.services.sns.model.SnsException: null (Service: Sns, Status Code: 407, Request ID: null)
	at software.amazon.awssdk.core.internal.http.CombinedResponseHandler.handleErrorResponse(CombinedResponseHandler.java:125)
	at software.amazon.awssdk.core.internal.http.CombinedResponseHandler.handleResponse(CombinedResponseHandler.java:82)
	at software.amazon.awssdk.core.internal.http.CombinedResponseHandler.handle(CombinedResponseHandler.java:60)
	at software.amazon.awssdk.core.internal.http.CombinedResponseHandler.handle(CombinedResponseHandler.java:41)
	at software.amazon.awssdk.core.internal.http.pipeline.stages.HandleResponseStage.execute(HandleResponseStage.java:50)
	at software.amazon.awssdk.core.internal.http.pipeline.stages.HandleResponseStage.execute(HandleResponseStage.java:38)

Reproduction Steps

SdkHttpClient httpClient = ApacheHttpClient.builder()
    .proxyConfiguration(ProxyConfiguration.builder()
        .endpoint(URI.create("http://proxy.example.com"))
        .username("username")
        .password("password")
        .preemptiveBasicAuthenticationEnabled(true)
        .build())
    .build();

SnsClient snsClient = SnsClient.builder()
    .httpClient(httpClient)
    .credentialsProvider(credentials)
    .region(Region.EU_CENTRAL_1)
    .build();

PublishRequest request = PublishRequest.builder()
    .message("Greetings")
    .topicArn("arn:aws:sns:eu-central-1:account:topic")
    .build();

PublishResponse publishResult = snsClient.publish(request);

Possible Solution

I found a possible reason in software.amazon.awssdk.http.apache.internal.utils.ApacheUtils.

The method addPreemptiveAuthenticationProxy contains:

BasicScheme basicAuth = new BasicScheme();
authCache.put(targetHost, basicAuth);

I added a challenge and now it works:

BasicScheme basicAuth = new BasicScheme();
basicAuth.processChallenge(new BasicHeader(AUTH.PROXY_AUTH, "BASIC realm=default"));
authCache.put(targetHost, basicAuth);

Additional Information/Context

No response

AWS Java SDK version used

2.30.17

JDK version used

openjdk version "21.0.4" 2024-07-16 LTS

Operating System and version

Linux rodeoarch 6.12.4-arch1-1

Activity

added
bugThis issue is a bug.
needs-triageThis issue or PR still needs to be triaged.
on Feb 17, 2025
removed
needs-triageThis issue or PR still needs to be triaged.
on Mar 5, 2025
self-assigned this
on Mar 5, 2025
added
p2This is a standard priority issue
on Mar 5, 2025
pilec

pilec commented on Mar 20, 2025

@pilec

Thank you a lot! I headed into completely the same issue and your resolution fix that.

added a commit that references this issue on Mar 20, 2025
bhoradc

bhoradc commented on May 13, 2025

@bhoradc

Hello @urfuchs,

Thank you for reporting the issue. I am able to reproduce the problem with preemptiveBasicAuthenticationEnabled, when set to true, the SDK tries to authenticate without proper proxy challenge processing.

With the current standard HTTP authentication flow, the SDK is sending the Authorization header instead of Proxy-Authorization. We'll look into this further.

Regards,
Chaitanya

added
needs-reviewThis issue or PR needs review from the team.
and removed
needs-reviewThis issue or PR needs review from the team.
on May 13, 2025
removed their assignment
on May 16, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Metadata

Metadata

Assignees

No one assigned

    Labels

    bugThis issue is a bug.p2This is a standard priority issue

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

      Development

      Participants

      @pilec@urfuchs@bhoradc

      Issue actions

        ApacheHttpClient Proxy Authentication fails · Issue #5884 · aws/aws-sdk-java-v2