WebView, HTTP/2 and authentication

José Pereda jose.pereda at gluonhq.com
Wed Feb 9 12:20:29 UTC 2022 

Hi,

With JDK 11 (or with com.sun.webkit.useHTTP2Loader=false) WebView defaults
to the old HTTP 1.1 and via HttpURLConnection [2] it has access to basic
and digest authentication.

But since JDK 12+ (or with com.sun.webkit.useHTTP2Loader=true) WebView uses
HTTP/2 and HttpClient [1], which doesn't provide any kind of built-in
validation, as far as I know.

As a quick test, adding:

 private final static HttpClient HTTP_CLIENT =
     AccessController.doPrivileged((PrivilegedAction<HttpClient>) () ->
HttpClient.newBuilder()
            .version(Version.HTTP_2)  // this is the default
            .followRedirects(Redirect.NEVER) // WebCore handles redirection
            .connectTimeout(Duration.ofSeconds(30)) // FIXME: Add a
property to control the timeout
            .cookieHandler(CookieHandler.getDefault())
+            .authenticator(Authenticator.getDefault())
            .build());

helps with getting at least basic authentication from the user's code with:

Authenticator.setDefault(new Authenticator() {
                @Override
                protected PasswordAuthentication
getPasswordAuthentication() {
                    return new PasswordAuthentication("$user",
"$password".toCharArray());
                }
            });

However, this doesn't work for digest authentication.

A different (and probably better) approach would be adding headers to the
HttpRequest [3] allowing any kind of authentication type:

        final var request = HttpRequest.newBuilder()
                               .uri(uri)
                               .headers(getRequestHeaders()) // headers
from WebCore
                               .headers(getCustomHeaders()) // headers set
by us
+                             .headers("Authorization",
"$authenticationString")
                               .version(Version.HTTP_2)  // this is the
default
                               .method(method, getFormDataPublisher())
                               .build();

Note that none of the existing headers allow user customization, if I get
it right.

I understand that adding an API for this authorization header can be
complex, but, without this (or any other alternative), how can WebView and
HTTP2 can be used to address authentication?

Thanks for any input on this,
Jose


[1]
https://github.com/openjdk/jfx11u/blob/master/modules/javafx.web/src/main/java/com/sun/webkit/network/HTTP2Loader.java#L105
[2]
https://github.com/openjdk/jfx11u/blob/master/modules/javafx.web/src/main/java/com/sun/webkit/network/URLLoader.java#L406
[3]
https://github.com/openjdk/jfx11u/blob/master/modules/javafx.web/src/main/java/com/sun/webkit/network/HTTP2Loader.java#L396

--

More information about the openjfx-dev mailing list