[9] RFR 8138953: HttpURLConnection doesn't fallback to another auth scheme if negotiate process failed
Artem Smotrakov
artem.smotrakov at oracle.com
Fri Oct 16 15:08:28 UTC 2015
Hi Max,
Please see inline.
On 10/16/2015 05:18 AM, Wang Weijun wrote:
> Let's go back to the bug description:
>
> But no fallback happens if:
>
> 1. an HTTP server supports both Negotiate (via Kerberos) and Basic authentication schemes
> 2. first, a user provides correct Kerberos credentials, and a connection is successfully established with Negotiate scheme
> 3. then, a user provides wrong Kerberos credentials, but correct Basic credentials
>
> So, with #2, the HTTP connection already succeeds. When will #3 happen?
At #3, a user creates a new HttpURLConnection instance (in the same
JVM), and tries to connect to the same HTTP server again. Please see the
test I added for this bug:
http://cr.openjdk.java.net/~asmotrak/8138953/webrev.02/
> Visiting another page on the same server and seeing another 401?
Yes, it uses the same page on the same HTTP server. I updated the test
to visit another page, and it fails on JDK 9 b83, and succeeds with the
fix (please see the webrev above).
> If this is a new connection, does HttpURLConnection still remember #2?
Yes, HttpURLConnection is quite smart, and has a number of caches. For
example, a keep-alive cache and a cache for auth data (for the same realms only).
Artem
>
> Sorry for asking these. I have always been afraid of HttpURLConnection and although I've made some modifications to the code, I never dare say I fully understand it, at least not today.
>
> Thanks
> Max
>