How Does Neo4j Browser interact with Neo4j Server?

Starting with Neo4j 3.2, the Neo4j Browser only supports Bolt connectivity to the Neo4j Server. This requires that the network
allows for socket communication between the browser and Bolt Port specified on the Neo4j Server.
To see if your network allows for websockets one can use http://www.websocket.org/echo.html

If websockets are not allowed on your network, when attempting to authenticate via the Neo4j browser at http://localhost:7474 the
following error will be logged

ServiceUnavailable: WebSocket connection failure. Due to security constraints in your web browser, the reason for the failure is not 
available to this Neo4j Driver. Please use your browsers development console to determine the root cause of the failure. Common reasons
include the database being unavailable, using the wrong connection URL or temporary network problems. If you have enabled encryption,
ensure your browser is configured to trust the certificate Neo4j is configured to use. WebSocket `readyState` is: 3

Additionally to allow for remote browser connections your $NEO4J_HOME/conf/neo4j.conf needs to be configured as

# To have Bolt accept non-local connections, uncomment this line:
dbms.connector.bolt.address=0.0.0.0:7687

Below is the communication process between the Neo4j Browser and Neo4j Server:

  • The Browser does one HTTP call on startup:

    GET / HTTP/1.1
    Host: :7474
    Content-Type: application/json

  • This request is there only to ask Neo4j what the Bolt URL is (configurable on the server with dbms.connectors.default_advertised_address).
    After that request the Browser tries to connect to the server over Bolt without credentials. This is for two reasons:

  • When the response comes back, we know if auth is enabled or not
  • If connection is successful, update app state to reflect that no credentials are needed to connect
  • If the first connection attempt is unsuccessful the Browser checks if there are any login credentials stored in the web browsers localstorage. If there is, the Browser tries to connect with them

    • If successful, all good.
    • If unsuccessful, give up and prompt the user for connection credentials
  • So, as a diagram this would look something like

  • Seq 0

    Client === GET ==> Neo4j (HTTP 7474) Ask for Bolt connection URL
    Client <== Resp === Neo4j (HTTP 7474)

  • Seq 1

    Client === Bolt ==> Neo4j (WS 7687) without auth credentials

  • Alternate 1.1

    Client <== Resp (success) === Neo4j (WS 7687)
    (Success, stop)

  • Alternate 1.2

    Client <== Resp (no success) === Neo4j (WS 7687)
    (No success, goto Seq 2)

  • Seq 2

    Client === Bolt ==> Neo4j (WS 7687) with auth credentials

  • Alternate 2.1

    Client <== Resp (success) === Neo4j (WS 7687)
    (Success, stop)

  • Alternate 2.2

    Client <== Resp (no success) === Neo4j (WS 7687)
    (No success, prompt user for credentials)

Note you will end up at the same page prompting for credentials both when you have invalid credentials and/or when you are unable to connect via Bolt, so it's important to check both possible causes if you're unable to connect.