RFR: 8326949: Authorization header is removed when a proxy Authenticator is set on HttpClient [v5]
Daniel Fuchs
dfuchs at openjdk.org
Mon Oct 14 12:30:17 UTC 2024
On Sun, 13 Oct 2024 06:59:10 GMT, Alan Bateman <alanb at openjdk.org> wrote:
>> Michael McMahon has updated the pull request incrementally with three additional commits since the last revision:
>>
>> - Update src/java.net.http/share/classes/jdk/internal/net/http/Stream.java
>>
>> Co-authored-by: Daniel Jelinski <djelinski1 at gmail.com>
>> - Update src/java.net.http/share/classes/jdk/internal/net/http/AuthenticationFilter.java
>>
>> Co-authored-by: Daniel Jelinski <djelinski1 at gmail.com>
>> - Update src/java.net.http/share/classes/jdk/internal/net/http/AuthenticationFilter.java
>>
>> Co-authored-by: Daniel Jelinski <djelinski1 at gmail.com>
>
> src/java.net.http/share/classes/java/net/http/HttpClient.java line 418:
>
>> 416: * the {@link Authenticator} will not be invoked for the corresponding
>> 417: * authentication.
>> 418: *
>
> Reading this makes me wonder if this should be normative, as in part of the spec rather than a note for developers using the API. Has that been discussed?
When to use the Authenticator (or not) is typically implementation dependent. We should have documented how our implementation used the authenticator when the API was added in JDK 11. I am not sure we should make this text normative, but if you believe we should I will not object. Do you think we should?
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/21408#discussion_r1799412412
More information about the net-dev
mailing list