RFR: 8263442: Potential bug in jdk.internal.net.http.common.Utils.CONTEXT_RESTRICTED

Daniel Fuchs dfuchs at openjdk.java.net
Mon Mar 15 13:25:09 UTC 2021


On Fri, 12 Mar 2021 21:04:59 GMT, Michael McMahon <michaelm at openjdk.org> wrote:

> Hi,
> 
> The fix for the reported bug in Utils.CONTEXT_RESTRICTED caused a couple of regression failures, which turned out to be another bug exposed by this fix where HTTP/1.1 CONNECT requests with authentication were filtering out proxy authentication headers wrongly. This was because the HttpRequestImpl created for the repeated CONNECT was putting the system headers in the user headers area of the HttpRequestImpl. The fix for that is to supply the user and system headers direct to the place where the new HttpRequestImpl is created.
> 
> Thanks
> Michael

test/jdk/java/net/httpclient/AuthFilter.java line 57:

> 55:             Headers reqh = e.getRequestHeaders();
> 56:             if (reqh.containsKey("authorization")) {
> 57:                 e.sendResponseHeaders(500, -1);

I am a bit concerned by that. It shows that without your fix preemptive authentication would have worked, as the server would have received the authorization header.

I did a bit of an experiment - and it seems that with proxy-authorization you would get an IOException (with or without your fix). So it seems that without your fix we are unwillingly currently supporting user preemptive authentication (for servers) in the presence of an authenticator, but not for proxies. With your fix, neither will be supported.

Is that the right thing to do?

-------------

PR: https://git.openjdk.java.net/jdk/pull/2977

