• RSS
  • Twitter
  • FaceBook

Welcome to ISAserver.org

Forums | Register | Login | My Profile | Inbox | RSS RSS icon | My Subscription | My Forums | Address Book | Member List | Search | FAQ | Ticket List | Log Out

Accessing Java Applets without sacrificing security

Users viewing this topic: none

Logged in as: Guest
  Printable Version
All Forums >> [ISA Server 2004 Cache] >> General >> Accessing Java Applets without sacrificing security Page: [1]
Login
Message << Older Topic   Newer Topic >>
Accessing Java Applets without sacrificing security - 31.Oct.2006 8:31:19 AM   
jcanfer

 

Posts: 20
Joined: 31.Oct.2006
Status: offline
The best place to start is that I'm trying to troubleshoot an ISA Server 2004 issue for some of our customers.

We provide a service via the web and part of the content we deliver uses a Java Applet.  For the most part it work fine through an ISA 2004 Proxy, apart from one single, but crucial function.  Said function fails to work if their access rule for HTTPS has a condition that defines a a group of users other than All Users.

The way around it, is to create a specific access rule, with a specific URL as the destination over port 443 for all users.  Understandably some of our customers are unhappy about having to put an anonymous access rule into their policy.

Now I've got chapter and verse from our developers as to how the Java Applet works, but I cannot believe that our issue is isolated.

Has anyone else found a way around similar issues?

Many thanks

Post #: 1
RE: Accessing Java Applets without sacrificing security - 12.Dec.2006 10:08:11 AM   
celliott3434

 

Posts: 9
Joined: 7.Dec.2006
Status: offline
I have had the same problem.  It is my understanding that this is a common issue with running Java over port 443.  The work around that you are using is the solution that we have been using.  Our consultant indicated that this "feature/flaw" of Java was a known issue.  Hope this is of some use.

Chad

(in reply to jcanfer)
Post #: 2
RE: Accessing Java Applets without sacrificing security - 12.Dec.2006 10:44:43 AM   
celliott3434

 

Posts: 9
Joined: 7.Dec.2006
Status: offline
Here is what I have been able to find out:

Java runs as an anonymous user.  If you log your session, when you attempt to access the SSL site, you will see that the username is anonymous.  Since your access rules are based on users/groups being allowed access, java is blocked since it is using the anonymous user.  That would explain why it works when the rule is set to allow all users.  Hope this helps.

Chad

(in reply to celliott3434)
Post #: 3
RE: Accessing Java Applets without sacrificing security - 24.Feb.2007 6:27:56 PM   
adenhaan

 

Posts: 36
Joined: 15.Jul.2005
Status: offline
Sun JVM does NOT support integrated (NTLM) authentication. If you set your listener to Basic authentication only (is safe because you state you're using SSL) then you can appy the rule to something else than "all users".
Yes, JVM will first try as anonymous, but will correctly respond to reply from ISA to authenticate.
I'm on ISA 2006 and have it working. Would imagine it will work on 2004 as well but have no means to verify that right now.

Only downside is that users get prompted for Userid/PW twice (once by browser, once by JVM) Have not found a way around that yet.

G'luck, Andre.

(in reply to jcanfer)
Post #: 4

Page:   [1] << Older Topic    Newer Topic >>
All Forums >> [ISA Server 2004 Cache] >> General >> Accessing Java Applets without sacrificing security Page: [1]
Jump to:

New Messages No New Messages
Hot Topic w/ New Messages Hot Topic w/o New Messages
Locked w/ New Messages Locked w/o New Messages
 Post New Thread
 Reply to Message
 Post New Poll
 Submit Vote
 Delete My Own Post
 Delete My Own Thread
 Rate Posts