Hi Max,
Please see inline.
On 10/16/2015 05:18 AM, Wang Weijun wrote:
Let's go back to the bug description:
But no fallback happens if:
1. an HTTP server supports both Negotiate (via Kerberos) and Basic
authentication schemes
2. first, a user provides correct Kerberos credentials, and a connection is
successfully established with Negotiate scheme
3. then, a user provides wrong Kerberos credentials, but correct Basic
credentials
So, with #2, the HTTP connection already succeeds. When will #3 happen?
At #3, a user creates a new HttpURLConnection instance (in the same
JVM), and tries to connect to the same HTTP server again. Please see the
test I added for this bug:
http://cr.openjdk.java.net/~asmotrak/8138953/webrev.02/
Visiting another page on the same server and seeing another 401?
Yes, it uses the same page on the same HTTP server. I updated the test
to visit another page, and it fails on JDK 9 b83, and succeeds with the
fix (please see the webrev above).
If this is a new connection, does HttpURLConnection still remember #2?
Yes, HttpURLConnection is quite smart, and has a number of caches. For
example, keep-alive cache, cache for auth data (for the same realms only).
Artem
Sorry for asking these. I have always been afraid of HttpURLConnection and
although I've made some modifications to the code, I never dare say I fully
understand it, at least not today.
Thanks
Max