RFR: 8326949: Authorization header is removed when a proxy Authenticator is set on HttpClient [v5]

Alan Bateman alanb at openjdk.org
Sun Oct 13 07:02:19 UTC 2024


On Fri, 11 Oct 2024 09:09:47 GMT, Michael McMahon <michaelm at openjdk.org> wrote:

>> Hi,
>> 
>> I closed https://github.com/openjdk/jdk/pull/21249 and am continuing the review on this PR.
>> 
>> This fix relaxes the constraints on user-set authentication headers. Currently, any user-set authentication headers are filtered out if the HttpClient has an Authenticator set, the reason being that the authenticator is expected to manage authentication. With this fix, it will be possible to use pre-emptive authentication through user-set headers, even if an authenticator is set. The expected use case is where the authenticator would manage either proxy or server authentication and the user-set headers would manage server authentication if the authenticator is managing proxy (or vice versa).
>> 
>> A CSR will be filed to document this change.
>> 
>> Thanks,
>> Michael
>
> Michael McMahon has updated the pull request incrementally with three additional commits since the last revision:
> 
>  - Update src/java.net.http/share/classes/jdk/internal/net/http/Stream.java
>    
>    Co-authored-by: Daniel Jelinski <djelinski1 at gmail.com>
>  - Update src/java.net.http/share/classes/jdk/internal/net/http/AuthenticationFilter.java
>    
>    Co-authored-by: Daniel Jelinski <djelinski1 at gmail.com>
>  - Update src/java.net.http/share/classes/jdk/internal/net/http/AuthenticationFilter.java
>    
>    Co-authored-by: Daniel Jelinski <djelinski1 at gmail.com>

src/java.net.http/share/classes/java/net/http/HttpClient.java line 418:

> 416:          * the {@link Authenticator} will not be invoked for the corresponding
> 417:          * authentication.
> 418:          *

Reading this makes me wonder if this should be normative, as in part of the spec rather than a note for developers using the API. Has that been discussed?

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/21408#discussion_r1798106962
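
The use case from the PR description, as an added example that is not part of this thread or of the JDK sources: an `Authenticator` that answers only proxy challenges, combined with a user-set `Authorization` header for the origin server. The class name, the credentials and the loopback echo server are constructed for illustration, and the proxy itself is left out so the program runs offline; the output shows whether the JDK in use forwards or filters the header.

```java
import com.sun.net.httpserver.HttpServer;
import java.net.Authenticator;
import java.net.InetSocketAddress;
import java.net.PasswordAuthentication;
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse.BodyHandlers;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

public class PreemptiveAuthDemo {
    public static void main(String[] args) throws Exception {
        // Constructed loopback origin server: replies with the Authorization header it received.
        HttpServer server = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
        server.createContext("/", ex -> {
            String seen = ex.getRequestHeaders().getFirst("Authorization");
            byte[] body = String.valueOf(seen).getBytes(StandardCharsets.UTF_8);
            ex.sendResponseHeaders(200, body.length);
            try (var os = ex.getResponseBody()) { os.write(body); }
        });
        server.start();
        try {
            // Authenticator limited to proxy challenges; it declines server challenges.
            Authenticator proxyOnly = new Authenticator() {
                @Override
                protected PasswordAuthentication getPasswordAuthentication() {
                    if (getRequestorType() != RequestorType.PROXY) return null;
                    return new PasswordAuthentication("proxy-user", "proxy-pass".toCharArray());
                }
            };
            HttpClient client = HttpClient.newBuilder()
                    .proxy(HttpClient.Builder.NO_PROXY) // no proxy, so the demo stays offline
                    .authenticator(proxyOnly)
                    .build();
            // Pre-emptive server credentials set by the caller (constructed values).
            // Basic credentials are only base64-encoded: use HTTPS outside a loopback demo.
            String basic = Base64.getEncoder()
                    .encodeToString("server-user:server-pass".getBytes(StandardCharsets.UTF_8));
            URI uri = URI.create("http://127.0.0.1:" + server.getAddress().getPort() + "/");
            HttpRequest request = HttpRequest.newBuilder(uri)
                    .header("Authorization", "Basic " + basic)
                    .build();
            String received = client.send(request, BodyHandlers.ofString()).body();
            // "null" means the client filtered the header before sending the request.
            System.out.println("Authorization seen by server: " + received);
        } finally {
            server.stop(0);
        }
    }
}
```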

