RFR: 8326949: Authorization header is removed when a proxy Authenticator is set on HttpClient
Daniel Fuchs
dfuchs at openjdk.org
Mon Sep 30 13:10:37 UTC 2024
On Sun, 29 Sep 2024 16:46:06 GMT, Michael McMahon <michaelm at openjdk.org> wrote:
> This fix relaxes the constraints on user set authentication headers. Currently, any user set authentication headers are filtered out, if the HttpClient has an Authenticator set. The reason being that the authenticator is expected to manage authentication. With this fix, it will be possible to use pre-emptive authentication through user set headers, even if an authenticator is set. The expected use case is where the authenticator would manage either proxy or server authentication and the user set headers would manage server authentication if the authenticator is managing proxy (or vice versa).
> If the pre-emptive authentication fails, then this behavior is disabled on further retries and it would be up to the authenticator to provide the right credentials then.
>
> Thanks,
> Michael
src/java.net.http/share/classes/jdk/internal/net/http/common/Utils.java line 233:
> 231:
> 232: || req.tryUserSetAuthorization();
> 233: */
Shouldn't this commented code be removed?
test/jdk/java/net/httpclient/UserAuthWithAuthenticator.java line 212:
> 210:
> 211: public String baseURL() {
> 212: return "http://127.0.0.1:" + getPort();
Should use `URIBuilder` here to deal with possible IPv6-only envs
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/21249#discussion_r1781095329
PR Review Comment: https://git.openjdk.org/jdk/pull/21249#discussion_r1781099321
More information about the net-dev
mailing list