0001683: Java JRE and NTLM auth - MantisBT
MantisBT - Endian Firewall
View Issue Details
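ID: 0001683
Project: Endian Firewall
Category: Proxy HTTP
View Status: public
Date Submitted: 2009-03-17 12:55
Last Update: 2009-11-25 17:35
Reporter: bonald
Assigned To: simon-endian
Priority: normal
Severity: minor
Reproducibility: always
Status: acknowledged
Resolution: open
Product Version: 2.2-rc3
Target Version: future
Summary: 0001683: Java JRE and NTLM auth
Description: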
Java JRE applications are not working when using Squid with NTLM auth.

Quick workaround is to add these lines to squid.conf.tmpl around line 298
#Java JRE no-auth
acl java_jvm browser Java/1.4 Java/1.5 Java/1.6
http_access allow java_jvm
http_reply_access allow java_jvm
always_direct allow java_jvm

It won't work using the custom.tmpl because it puts itself under the authentication rules.

Tags: purple
Issue History
2009-03-17 12:55  bonald  New Issue
2009-03-17 12:55  bonald  Assigned To => simon-endian
2009-03-17 12:59  bonald  Note Added: 0002053
2009-04-21 08:46  luca-endian  Note Added: 0002173
2009-04-21 08:56  simon-endian  Note Added: 0002176
2009-04-21 18:05  mike-f  Note Added: 0002187
2009-04-21 18:21  mike-f  Note Edited: 0002187
2009-04-23 15:53  luca-endian  Tag Attached: purple
2009-05-13 12:44  luca-endian  Note Added: 0002330
2009-05-14 08:05  luca-endian  Note Added: 0002333
2009-05-14 08:06  luca-endian  Note Edited: 0002333
2009-05-14 08:33  luca-endian  Note Edited: 0002176
2009-05-14 11:14  bonald  Note Added: 0002338
2009-06-08 15:05  simon-endian  Status: new => acknowledged
2009-06-09 23:06  mike-f  Note Added: 0002544
2009-06-10 08:26  luca-endian  Note Added: 0002545
2009-11-25 17:35  peter-endian  Target Version => future

Notes
(0002053)
bonald   
2009-03-17 12:59   
This is nicer:
acl java_jvm browser Java/[0-9]
(0002173)
luca-endian   
2009-04-21 08:46   
this doesn't happen with all applets.. why??
(0002176)
simon-endian   
2009-04-21 08:56   
(edited on: 2009-05-14 08:33)
found this on the squid mailing list:

www.mail-archive.com/squid-users@squid-cache.org/msg58201.html

seems that some Java applets try to access the inet while starting without authentication.
because of this squid denies the access for the first try (no auth used by java applet). this
causes the java applet to be denied permanently by squid.

looks like the only solution is to whitelist the url or the useragent from authentication :-(

(0002187)
mike-f   
2009-04-21 18:05   
(edited on: 2009-04-21 18:21)
do you have the same problem when changing to

LDAP -> ActiveDirectory Auth?


is this a specific java-version which doesn't want to work?

As in the mentioned mailing-list the remote-server is on port 443 (https)
is this the same in your situation?
do you have any public sites you can provide as an example?

maybe "basic" together with "ntlm" might resolve the prob as described here:
http://www.mail-archive.com/squid-users@squid-cache.org/msg04962.html

(0002330)
luca-endian   
2009-05-13 12:44   
Is it possible to have a URL to one of those "guilty" applets for debugging purposes?
(0002333)
luca-endian   
2009-05-14 08:05   
(edited on: 2009-05-14 08:06)
Can someone confirm that the workaround works?

(0002338)
bonald   
2009-05-14 11:14   
The workaround works for me. I would like to provide you with the guilty URL but I can't, login/password required...
(0002544)
mike-f   
2009-06-09 23:06   
if it's only a single url I would whitelist it

opening access for ALL Java* might give some unnamed/undocumented sec-issues
(0002545)
luca-endian   
2009-06-10 08:26   
Yes it's true but it's such an annoying problem.. maybe a sysadmin just wants to solve it forever.
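
Added example, not part of the original thread or of Endian's code: the User-Agent header is set by the client, so the risk raised in note 0002544 can be audited by listing every `http_access allow` rule that sits ahead of the authentication rule and matches on `browser` ACLs alone. The sample config is constructed; `java_jvm` comes from the issue, while `applet_host`, `authenticated` and `applet.example.com` are assumptions.

```python
# Constructed sample squid.conf. java_jvm is the ACL from the issue; the other
# ACL names and applet.example.com are assumptions made for this example.
SAMPLE_CONF = """\
acl java_jvm browser Java/[0-9]
acl applet_host dstdomain applet.example.com
acl authenticated proxy_auth REQUIRED
http_access allow java_jvm applet_host
http_access allow java_jvm
http_access allow authenticated
http_access deny all
"""


def parse(conf):
    """Return ({acl_name: acl_type}, [(line_number, action, [acl_names])])."""
    acl_types, rules = {}, []
    for lineno, raw in enumerate(conf.splitlines(), 1):
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue  # blank line or comment
        if parts[0] == "acl" and len(parts) >= 3:
            acl_types.setdefault(parts[1], parts[2])
        elif parts[0] == "http_access" and len(parts) >= 3:
            rules.append((lineno, parts[1], parts[2:]))
    return acl_types, rules


def find_ua_only_bypasses(conf):
    """List 'http_access allow' rules that sit ahead of the first rule using a
    proxy_auth ACL and match on nothing but the User-Agent (browser ACLs)."""
    acl_types, rules = parse(conf)
    findings = []
    for lineno, action, names in rules:
        types = [acl_types.get(name.lstrip("!")) for name in names]
        if any(t and t.startswith("proxy_auth") for t in types):
            break  # simplification: later rules come after the credential check
        if action == "allow" and all(t == "browser" for t in types):
            findings.append((lineno, names))
    return findings


if __name__ == "__main__":
    for lineno, names in find_ua_only_bypasses(SAMPLE_CONF):
        print(f"line {lineno}: allow decided by User-Agent alone: {' '.join(names)}")
```

In the sample, the rule that pairs `java_jvm` with a `dstdomain` ACL (the single-URL whitelist suggested in note 0002544) is not reported, while the bare `http_access allow java_jvm` from the workaround is.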