RFR: 8065994: HTTP Tunnel connection to NTLM proxy reauthenticates instead of using keep-alive

Seán Coffey sean.coffey at oracle.com
Thu Jan 22 15:21:56 UTC 2015


Looking for a review around this issue that came in as a reported 
performance regression in NTLM proxy authentication. It turned out that 
HttpsClients were being discarded after Proxy SocketAddress equality 
tests failed. Lack of caching is expensive in terms for performance for 
TLS and needless handshakes. The 2nd round of NTLM authentication was 
passing in a Proxy which had a resolved SocketAddress. The previous 
Proxy creation for the same connection (via DefaultProxySelector) 
constructs Proxy using unresolved socketAddress.  Proposed fix is to 
compare like with like and have Proxy construct with unresolved Address.

I captured more details in bug report. I'm also using this opportunity 
to adding some extra logging to the HttpsClient class and to correct a 
bad null versus NO_PROXY test that existed (line 339)

bug report : https://bugs.openjdk.java.net/browse/JDK-8065994
webrev : http://cr.openjdk.java.net/~coffeys/webrev.8065994/webrev/

regards,
Sean.


More information about the security-dev mailing list