RFR: 8263442: Potential bug in jdk.internal.net.http.common.Utils.CONTEXT_RESTRICTED [v3]

Michael McMahon michaelm at openjdk.java.net
Mon Mar 22 22:16:10 UTC 2021


On Mon, 15 Mar 2021 14:57:33 GMT, Michael McMahon <michaelm at openjdk.org> wrote:

>> test/jdk/java/net/httpclient/AuthFilter.java line 57:
>> 
>>> 55:             Headers reqh = e.getRequestHeaders();
>>> 56:             if (reqh.containsKey("authorization")) {
>>> 57:                 e.sendResponseHeaders(500, -1);
>> 
>> I am a bit concerned by that. It shows that without your fix preemptive authentication would have worked, as the server would have received the authorization header.
>> 
>> I did a bit of an experiment - and it seems that with proxy-authorization you would get an IOException (with or without your fix). So it seems that without your fix we are unwillingly currently supporting user preemptive authentication (for servers) in the presence of an authenticator, but not for proxies. With your fix, neither will be supported.
>> 
>> Is that the right thing to do?
>
> What I am seeing is that if no authenticator is set, whether the fix is present or not, an "Authorization" header is passed through, but a "Proxy-Authorization" header is filtered. So, that is a different issue. It probably is a bug though.

I've updated the test to test the proxy authorization case.

-------------

PR: https://git.openjdk.java.net/jdk/pull/2977

