RFR: 8340182: Java HttpClient does not follow default retry limit of 3 retries [v4]

Michael McMahon michaelm at openjdk.org
Thu Jun 12 11:49:30 UTC 2025


On Wed, 11 Jun 2025 11:13:46 GMT, Daniel Fuchs <dfuchs at openjdk.org> wrote:

>> @dfuch As per my understanding, the current changes do reflect the correct behaviour, as when the request comes in, it first goes through the authenticator. If the authentication fails, we need to consider this failure in the number of retries (as the client should not try to get the credentials again).
>> @Michael-Mc-Mahon if you could please provide some additional context on this and if my interpretation is correct.
>
> There is a difference between the number of attempts and the number of retries. One attempt means no retry; two attempts mean one retry. Maybe the confusion partly comes from this sentence:
> 
>> jdk.httpclient.auth.retrylimit (default: 3)
>> The number of attempts the Basic authentication filter will attempt to retry a failed authentication.
> 
> 1. What is a failed authentication? Is it when you receive 401/407, or is it when you receive 401/407 *after* having provided credentials?
> 2. There are too many "attempts" in the sentence above. One of them should be removed.

> Ok - so now we're getting somewhere. This lets me think that the change in the AuthenticationFilter is not right. The specification says:
> 
> > jdk.httpclient.auth.retrylimit (default: 3)
> > The number of attempts the Basic authentication filter will attempt to retry a failed authentication.
> 
> When I read this, I expect that if the limit is 0, no retries, then the Authenticator will be called once, and if the authentication fails with these credentials, then the request will fail. If the limit is 1, then we will retry once, which means the Authenticator should be called twice, and so on.
> 
> So maybe we should always assert that totalRequestCount == `Math.max(RETRY_LIMIT, 0) + 1`?

Yeah, I think I agree with 1st para above. But, there is potential for confusion. The number of request retries is not the same as the number of authentication retries. The first authentication request happens during the first request retry (the 2nd request). The first authentication retry happens during the second request retry (the 3rd request).

The property name seems to be clearly referring to the number of auth retries (i.e. the number of times the authenticator is retried) and the number of calls to the authenticator will be that +1.

So, maybe, it's not a bug?

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/25490#discussion_r2142511014
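
To observe the two counts discussed in this thread (requests sent versus calls to the Authenticator) on a given JDK build, the following harness can be used. It is an added example, not code from the message or from the change under review; the class name, realm and credentials are constructed, and it asserts no expected numbers because that is the point under discussion.

```java
import com.sun.net.httpserver.HttpServer;
import java.io.IOException;
import java.net.Authenticator;
import java.net.InetSocketAddress;
import java.net.PasswordAuthentication;
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.util.concurrent.atomic.AtomicInteger;

// Hypothetical harness; run as: java -Djdk.httpclient.auth.retrylimit=N AuthRetryCount.java
public class AuthRetryCount {
    public static void main(String[] args) throws Exception {
        AtomicInteger requests = new AtomicInteger();   // requests that reached the server
        AtomicInteger authCalls = new AtomicInteger();  // Authenticator invocations

        // Loopback server that answers every request with a Basic challenge,
        // so the credentials supplied by the client are never accepted.
        HttpServer server = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
        server.createContext("/", exchange -> {
            requests.incrementAndGet();
            exchange.getResponseHeaders().add("WWW-Authenticate", "Basic realm=\"test\"");
            exchange.sendResponseHeaders(401, -1);      // -1: no response body
            exchange.close();
        });
        server.start();

        Authenticator counting = new Authenticator() {
            @Override
            protected PasswordAuthentication getPasswordAuthentication() {
                authCalls.incrementAndGet();
                // Constructed credentials; the server rejects everything anyway.
                return new PasswordAuthentication("user", "wrong".toCharArray());
            }
        };
        HttpClient client = HttpClient.newBuilder().authenticator(counting).build();
        URI uri = URI.create("http://127.0.0.1:" + server.getAddress().getPort() + "/");
        try {
            HttpResponse<Void> response = client.send(
                    HttpRequest.newBuilder(uri).build(), HttpResponse.BodyHandlers.discarding());
            System.out.println("final status: " + response.statusCode());
        } catch (IOException e) {
            // The client reports an exhausted retry budget as an IOException.
            System.out.println("send failed: " + e.getMessage());
        } finally {
            server.stop(0);
        }
        System.out.println("requests seen by server: " + requests.get());
        System.out.println("authenticator calls:     " + authCalls.get());
    }
}
```

Running it with different values of `jdk.httpclient.auth.retrylimit`, before and after the change, shows which of the two counters the limit actually bounds.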

