RFR: 8326949: Authorization header is removed when a proxy Authenticator is set on HttpClient
Daniel Fuchs
dfuchs at openjdk.org
Tue Oct 1 15:27:35 UTC 2024
On Tue, 1 Oct 2024 15:13:59 GMT, Michael McMahon <michaelm at openjdk.org> wrote:
> > Would it make sense to assume that the user is always right, and use the authenticator only for the credentials that the user didn't provide?
> >
> > I realize that it would be a major behavior change, but I think that's the least surprising behavior.
> >
>
> That could be simpler and still fits what I think the bug reporters are looking for which is basically that the authenticator would be used for one of server or proxy, while the user would (directly) look after the other.
>
> The problem is partly caused by the fact that there's no way to register an authenticator for proxy only or server only or two separate authenticators for each.
I guess we could arrange to call the authenticator for `WWW-Authenticate` only if the user headers do not contain `Authorization` - and likewise for `Proxy-Authenticate` / `Proxy-Authorization`.
If user headers contain Authorization and we receive 401, we just relay the 401 to the user.
Same for Proxy-Authorization / 407?
That would definitely need a CSR + release note if we changed the behavior that way though...
-------------
PR Comment: https://git.openjdk.org/jdk/pull/21249#issuecomment-2386321251
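
The rule proposed in this message, modelled as an added example; it is not part of the original message and is not JDK code. The `decide` helper and `Action` enum are hypothetical names, the header values are constructed, and relaying the response when no authenticator is set is an assumption of the model.

```java
import java.net.http.HttpHeaders;
import java.util.List;
import java.util.Map;

// Illustrative model of the proposed behaviour; not the HttpClient implementation.
public class AuthDecisionSketch {
    enum Action { CALL_AUTHENTICATOR, RELAY_TO_USER, NOT_A_CHALLENGE }

    // Hypothetical helper: what the client would do with a response status,
    // given the headers the user set on the request.
    static Action decide(int status, HttpHeaders userHeaders, boolean authenticatorSet) {
        String userHeader;
        if (status == 401) {
            userHeader = "Authorization";        // answers WWW-Authenticate
        } else if (status == 407) {
            userHeader = "Proxy-Authorization";  // answers Proxy-Authenticate
        } else {
            return Action.NOT_A_CHALLENGE;
        }
        // HttpHeaders lookups are case-insensitive, so "authorization" matches too.
        boolean userSupplied = userHeaders.firstValue(userHeader).isPresent();
        if (userSupplied || !authenticatorSet) {
            // The user owns this credential (or nobody else can supply one):
            // hand the 401/407 back instead of calling the authenticator.
            return Action.RELAY_TO_USER;
        }
        return Action.CALL_AUTHENTICATOR;
    }

    public static void main(String[] args) {
        // Constructed sample: the user handles server auth directly and
        // leaves proxy auth to the authenticator.
        HttpHeaders user = HttpHeaders.of(
            Map.of("authorization", List.of("Bearer constructed-sample-token")),
            (name, value) -> true);
        HttpHeaders none = HttpHeaders.of(Map.of(), (name, value) -> true);

        System.out.println("407, user set Authorization only: " + decide(407, user, true));
        System.out.println("401, user set Authorization:      " + decide(401, user, true));
        System.out.println("401, no user auth headers:        " + decide(401, none, true));
    }
}
```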