RFR: 8326949: Authorization header is removed when a proxy Authenticator is set on HttpClient [v2]
Daniel Fuchs
dfuchs at openjdk.org
Tue Oct 8 11:33:03 UTC 2024
On Tue, 8 Oct 2024 07:59:58 GMT, Michael McMahon <michaelm at openjdk.org> wrote:
>> This fix relaxes the constraints on user-set authentication headers. Currently, any user-set authentication headers are filtered out if the HttpClient has an Authenticator set, the reason being that the authenticator is expected to manage authentication. With this fix, it will be possible to use pre-emptive authentication through user-set headers, even if an authenticator is set. The expected use case is where the authenticator would manage either proxy or server authentication and the user-set headers would manage server authentication if the authenticator is managing proxy (or vice versa).
>> If the pre-emptive authentication fails, then this behavior is disabled on further retries and it would be up to the authenticator to provide the right credentials then.
>>
>> Thanks,
>> Michael
>
> Michael McMahon has updated the pull request with a new target base due to a merge or a rebase. The incremental webrev excludes the unrelated changes brought in by the merge/rebase. The pull request contains 10 additional commits since the last revision:
>
> - update
> - implementation rework
> - Merge branch 'master' into 8326949-authorize
> - test update
> - test update
> - test update
> - test update
> - initial impl with test
> - Merge branch 'master' into 8326949-authorize
> - impl for fix
src/java.net.http/share/classes/java/net/http/HttpClient.java line 417:
> 415: * Proxy-Authorization} header set then its value will override any
> 416: * value derived from the given {@link Authenticator}.
> 417: *
This sounds like we're going to call the authenticator, but we're not. Maybe:
Suggestion:
* @apiNote
* If a {@link HttpRequest} has an {@code Authorization} or {@code
* Proxy-Authorization} header set then its value will be used and
* the {@link Authenticator} will not be invoked for the corresponding
* authentication.
*
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/21249#discussion_r1791696128
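
Added example, not part of the original message or of the JDK change under review: the split described in the PR summary, with the Authenticator handling proxy authentication and a user-set Authorization header carrying server credentials pre-emptively. The class name, host names and credentials are constructed placeholders, and whether the header reaches the server depends on a JDK that contains this fix.

```java
import java.net.Authenticator;
import java.net.InetSocketAddress;
import java.net.PasswordAuthentication;
import java.net.ProxySelector;
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

public class SplitAuthExample {
    // Authenticator that answers proxy challenges only, so proxy
    // credentials are never offered to an origin server.
    static Authenticator proxyOnly(String user, char[] password) {
        return new Authenticator() {
            @Override
            protected PasswordAuthentication getPasswordAuthentication() {
                if (getRequestorType() != RequestorType.PROXY) {
                    return null; // decline server challenges
                }
                return new PasswordAuthentication(user, password);
            }
        };
    }

    // Builds a Basic credential value for a user-set Authorization header.
    static String basic(String user, String password) {
        byte[] raw = (user + ":" + password).getBytes(StandardCharsets.UTF_8);
        return "Basic " + Base64.getEncoder().encodeToString(raw);
    }

    public static void main(String[] args) {
        // Placeholder proxy and credentials (constructed for this example).
        HttpClient client = HttpClient.newBuilder()
                .proxy(ProxySelector.of(new InetSocketAddress("proxy.example.test", 3128)))
                .authenticator(proxyOnly("proxy-user", "proxy-secret".toCharArray()))
                .build();

        // Server authentication is supplied pre-emptively by the request itself.
        HttpRequest request = HttpRequest.newBuilder(URI.create("https://api.example.test/resource"))
                .header("Authorization", basic("api-user", "api-secret"))
                .GET()
                .build();

        // Nothing is sent here; this only shows both mechanisms are configured.
        System.out.println("authenticator set: " + client.authenticator().isPresent());
        System.out.println("Authorization set: " + request.headers().firstValue("Authorization").isPresent());
    }
}
```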