[9] RFR 8138953: HttpURLConnection doesn't fallback to another auth scheme if negotiate process failed
Artem Smotrakov
artem.smotrakov at oracle.com
Wed Oct 7 11:19:41 UTC 2015
Hello,
Please review this for 9.
According to [1], an HTTP client should try to use another HTTP
authentication scheme if the negotiate process failed for some reason, and
the user didn't specify SPNEGO or Kerberos in the "http.auth.preference"
system property. But no fallback happens if, for example:
- an HTTP server supports both Negotiate (via Kerberos) and Basic
authentication schemes
- first, a user provides correct Kerberos credentials, and a connection
is successfully established with Negotiate scheme
- then, a user provides wrong Kerberos credentials, but correct Basic
credentials
This fix updates HttpURLConnection to try another authentication scheme
if the negotiate process failed, and SPNEGO and Kerberos schemes are not
preferred. The fix may be shorter, for example:

    if (serverAuthentication != null || inNegotiate &&
            !"negotiate".equals(AuthenticationHeader.authPref)) {

but I thought that some logging might be helpful.
Also added a test which checks that this and a couple of other scenarios
work fine.
Bug: https://bugs.openjdk.java.net/browse/JDK-8138953
Webrev: http://cr.openjdk.java.net/~asmotrak/8138953/webrev.00/
[1]
https://docs.oracle.com/javase/8/docs/technotes/guides/net/http-auth.html
Artem
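
The fallback rule described in this message, as a simplified Java model; this is an added example, not part of the original message and not the JDK's code. The class and method names, the default preference order and the sample scheme list are assumptions made for illustration.

```java
import java.util.List;
import java.util.Locale;
import java.util.Optional;
import java.util.Set;

// Simplified model of the fallback rule in the message above; not JDK code.
public class AuthSchemeFallback {
    // Assumption: default client preference order, strongest scheme first.
    static final List<String> DEFAULT_ORDER =
            List.of("negotiate", "kerberos", "digest", "ntlm", "basic");

    // True when http.auth.preference names SPNEGO or Kerberos, i.e. the user
    // asked for that scheme explicitly and no fallback should happen.
    static boolean pinned(String authPref) {
        if (authPref == null) return false;
        String p = authPref.toLowerCase(Locale.ROOT);
        return p.equals("spnego") || p.equals("negotiate") || p.equals("kerberos");
    }

    // offered: schemes from the server's WWW-Authenticate headers (lower case)
    // failed:  schemes already tried and rejected for this request
    static Optional<String> nextScheme(List<String> offered, String authPref,
                                       Set<String> failed) {
        boolean negotiateFailed =
                failed.contains("negotiate") || failed.contains("kerberos");
        if (negotiateFailed && pinned(authPref)) {
            return Optional.empty();   // explicit preference: fail, do not downgrade
        }
        // Otherwise take the strongest offered scheme that has not failed yet.
        return DEFAULT_ORDER.stream()
                .filter(offered::contains)
                .filter(s -> !failed.contains(s))
                .findFirst();
    }

    public static void main(String[] args) {
        List<String> offered = List.of("negotiate", "basic"); // constructed sample
        // First attempt, no preference set.
        System.out.println(nextScheme(offered, null, Set.of()));
        // Negotiate has failed and no preference is set.
        System.out.println(nextScheme(offered, null, Set.of("negotiate")));
        // Negotiate has failed and the preference is pinned to SPNEGO.
        System.out.println(nextScheme(offered, "SPNEGO", Set.of("negotiate")));
    }
}
```

The pinned case is the one to keep in mind when a deployment must never send Basic credentials: with SPNEGO or Kerberos set in "http.auth.preference", a failed negotiate ends the attempt instead of moving to a weaker scheme.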