Skip to content

Enable JVM proxy system properties in Key Vault JCA HTTP client#49316

Open
waiet wants to merge 3 commits into
Azure:mainfrom
waiet:codex/keyvault-jca-system-proxy
Open

Enable JVM proxy system properties in Key Vault JCA HTTP client#49316
waiet wants to merge 3 commits into
Azure:mainfrom
waiet:codex/keyvault-jca-system-proxy

Conversation

@waiet

@waiet waiet commented May 29, 2026
edited
Loading

Copy link
Copy Markdown

Problem

Fixes #28801.

The Key Vault JCA provider uses an internal Apache HttpClient in HttpUtil instead of the standard Azure SDK HTTP pipeline. As a result, standard JVM proxy properties such as https.proxyHost, https.proxyPort, http.proxyHost, http.proxyPort, and http.nonProxyHosts were not honored when the provider was used behind a corporate proxy.

Solution

Configure the internal Apache HttpClient builder with useSystemProperties() while preserving the existing SSL/truststore connection manager behavior.

This PR also adds unit-level proxy coverage and documents a jarsigner proxy example using standard JVM system properties.

Testing

Added a unit test that sets http.proxyHost and http.proxyPort, serves a local proxy response, and verifies HttpUtil.get routes through the proxy. The test locks JVM system properties while it runs to avoid interference with parallel JUnit execution.

Validated with module-level tests:
mvn -f sdk/keyvault/azure-security-keyvault-jca/pom.xml -DskipITs -Dgpg.skip -Dspotbugs.skip -Drevapi.skip -Dspotless.skip=true -Dcodesnippet.skip=true -Djacoco.skip=true -DheapDumpOnOom= test

Result: 80 tests, 0 failures, 0 errors, 29 skipped.

The root mvn -pl sdk/keyvault/azure-security-keyvault-jca -DskipITs -Dgpg.skip -Dspotbugs.skip -Drevapi.skip test command could not run in this sparse checkout because the root POM references modules not present locally.

@github-actions github-actions Bot added Community Contribution Community members are working on the issue customer-reported Issues that are reported by GitHub users external to the Azure organization. KeyVault labels May 29, 2026
@github-actions

github-actions Bot commented May 29, 2026

Copy link
Copy Markdown
Contributor

Thank you for your contribution @waiet! We will review the pull request and get back to you soon.

@waiet

waiet commented May 29, 2026

Copy link
Copy Markdown
Author

@microsoft-github-policy-service agree company="IThink s. r. o."

@waiet waiet marked this pull request as ready for review May 29, 2026 21:38
@waiet waiet requested review from a team as code owners May 29, 2026 21:38
Copilot AI review requested due to automatic review settings May 29, 2026 21:38
@waiet waiet force-pushed the codex/keyvault-jca-system-proxy branch 4 times, most recently from ea872c2 to fda1379 Compare June 1, 2026 12:28
@waiet waiet marked this pull request as draft June 1, 2026 14:27
@waiet waiet marked this pull request as ready for review June 1, 2026 14:27
@waiet waiet force-pushed the codex/keyvault-jca-system-proxy branch 2 times, most recently from 670a55e to 310200d Compare June 1, 2026 21:05
@waiet

waiet commented Jun 1, 2026

Copy link
Copy Markdown
Author

Hi @moarychan , this PR adds support for standard JVM proxy system properties in the azure-security-keyvault-jca internal Apache HttpClient, The PR is ready for review when you have a chance. Thank you!

@waiet waiet force-pushed the codex/keyvault-jca-system-proxy branch 4 times, most recently from dfdc8f1 to cc98829 Compare June 3, 2026 03:47
@joachim-johansson

joachim-johansson commented Jun 4, 2026

Copy link
Copy Markdown

This change would be very helpful also for us. This is exactly what we need. We have tried the same change and had it our test environments for while now. Works well.

@waiet waiet force-pushed the codex/keyvault-jca-system-proxy branch from 4efd3b3 to aeb113b Compare June 4, 2026 21:29
@waiet waiet force-pushed the codex/keyvault-jca-system-proxy branch from aeb113b to 46a4f38 Compare June 8, 2026 20:28
@waiet

waiet commented Jun 8, 2026

Copy link
Copy Markdown
Author

This change would be very helpful also for us. This is exactly what we need. We have tried the same change and had it our test environments for while now. Works well.

It would be great, if this feature will be released in next version. But the PR is still waiting for review :-(

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Awaiting requested review from Copilot

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

Community Contribution Community members are working on the issue customer-reported Issues that are reported by GitHub users external to the Azure organization. KeyVault

Projects

Azure SDK for Key Vault
Status: Untriaged

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[BUG] KeyVaultKeyStore fails to authenticate behind proxy

2 participants

@waiet @joachim-johansson