RFR: 8263442: Potential bug in jdk.internal.net.http.common.Utils.CONTEXT_RESTRICTED
Michael McMahon
michaelm at openjdk.java.net
Mon Mar 15 15:00:10 UTC 2021
On Mon, 15 Mar 2021 13:21:25 GMT, Daniel Fuchs <dfuchs at openjdk.org> wrote:
>> Hi,
>>
>> The fix for the reported bug in Utils.CONTEXT_RESTRICTED caused a couple of regression failures, which turned out to be another bug exposed by this fix where HTTP/1.1 CONNECT requests with authentication were filtering out proxy authentication headers wrongly. This was because the HttpRequestImpl created for the repeated CONNECT was putting the system headers in the user headers area of the HttpRequestImpl. The fix for that is to supply the user and system headers direct to the place where the new HttpRequestImpl is created.
>>
>> Thanks
>> Michael
>
> test/jdk/java/net/httpclient/AuthFilter.java line 57:
>
>> 55: Headers reqh = e.getRequestHeaders();
>> 56: if (reqh.containsKey("authorization")) {
>> 57: e.sendResponseHeaders(500, -1);
>
> I am a bit concerned by that. It shows that without your fix preemptive authentication would have worked, as the server would have received the authorization header.
>
> I did a bit of an experiment - and it seems that with proxy-authorization you would get an IOException (with or without your fix). So it seems that without your fix we are unwillingly currently supporting user preemptive authentication (for servers) in the presence of an authenticator, but not for proxies. With your fix, neither will be supported.
>
> Is that the right thing to do?

What I am seeing is that if no authenticator is set, whether the fix is present or not, an "Authorization" header is passed through, but a "Proxy-Authorization" header is filtered. So, that is a different issue. It probably is a bug though.
-------------
PR: https://git.openjdk.java.net/jdk/pull/2977
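
The following probe is an added example, not part of the original message or of the JDK test suite. It reports whether a user-set "Authorization" header reaches a local server with and without an Authenticator configured on the HttpClient, so the behaviour discussed in this thread can be checked on a given JDK build. The class name, credentials and loopback server are constructed for illustration.

```java
import com.sun.net.httpserver.HttpServer;
import java.net.*;
import java.net.http.*;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.concurrent.atomic.AtomicReference;

public class AuthHeaderProbe {  // hypothetical name, not a JDK test
    // Sends one GET carrying a user-set Authorization header and returns
    // the value the server received, or null if the client filtered it out.
    static String probe(boolean withAuthenticator) throws Exception {
        AtomicReference<String> seen = new AtomicReference<>();
        HttpServer server = HttpServer.create(
                new InetSocketAddress(InetAddress.getByName("127.0.0.1"), 0), 0);
        server.createContext("/", e -> {
            seen.set(e.getRequestHeaders().getFirst("Authorization"));
            e.sendResponseHeaders(200, -1);   // no response body
            e.close();
        });
        server.start();
        try {
            HttpClient.Builder b = HttpClient.newBuilder()
                    .proxy(HttpClient.Builder.NO_PROXY);
            if (withAuthenticator) {
                b.authenticator(new Authenticator() {
                    @Override
                    protected PasswordAuthentication getPasswordAuthentication() {
                        // constructed credentials; not used unless a 401 arrives
                        return new PasswordAuthentication("user", "constructed".toCharArray());
                    }
                });
            }
            String basic = Base64.getEncoder().encodeToString(
                    "user:constructed".getBytes(StandardCharsets.UTF_8));
            URI uri = URI.create("http://127.0.0.1:" + server.getAddress().getPort() + "/");
            HttpRequest req = HttpRequest.newBuilder(uri)
                    .header("Authorization", "Basic " + basic)  // preemptive, user-supplied
                    .build();
            b.build().send(req, HttpResponse.BodyHandlers.discarding());
            return seen.get();
        } finally {
            server.stop(0);
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("no authenticator:   server saw " + probe(false));
        System.out.println("with authenticator: server saw " + probe(true));
    }
}
```

The probe covers only the direct-to-server "Authorization" case; the "Proxy-Authorization" case mentioned above would need a proxy in the path.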