Let's go back to the bug description:

But no fallback happens if:
1. an HTTP server supports both Negotiate (via Kerberos) and Basic authentication schemes
2. first, a user provides correct Kerberos credentials, and a connection is successfully established with Negotiate scheme
3. then, a user provides wrong Kerberos credentials, but correct Basic credentials

So, with #2, the HTTP connection already succeeds. When will #3 happen? Visiting another page on the same server and seeing another 401? If this is a new connection, does HttpURLConnection still remember #2?

Sorry for asking these. I have always been afraid of HttpURLConnection and although I've made some modifications to the code, I never dare say I fully understand it, at least not today.

Thanks
Max