On Fri, 12 Mar 2021 21:04:59 GMT, Michael McMahon <micha...@openjdk.org> wrote:

> Hi,
> 
> The fix for the reported bug in Utils.CONTEXT_RESTRICTED caused a couple of 
> regression failures, which turned out to be another bug exposed by this fix 
> where HTTP/1.1 CONNECT requests with authentication were filtering out proxy 
> authentication headers wrongly. This was because the HttpRequestImpl created 
> for the repeated CONNECT was putting the system headers in the user headers 
> area of the HttpRequestImpl. The fix for that is to supply the user and 
> system headers direct to the place where the new HttpRequestImpl is created.
> 
> Thanks
> Michael

test/jdk/java/net/httpclient/AuthFilter.java line 57:

> 55:             Headers reqh = e.getRequestHeaders();
> 56:             if (reqh.containsKey("authorization")) {
> 57:                 e.sendResponseHeaders(500, -1);

I am a bit concerned by that. It shows that without your fix preemptive 
authentication would have worked, as the server would have received the 
authorization header.

I did a bit of an experiment - and it seems that with proxy-authorization you 
would get an IOException (with or without your fix). So it seems that without 
your fix we are unwillingly currently supporting user preemptive
authentication (for servers) in the presence of an authenticator, but not for 
proxies. With your fix, neither will be supported.

Is that the right thing to do?

-------------

PR: https://git.openjdk.java.net/jdk/pull/2977
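
A probe for the question raised in the review, added here as an example; it is not code from the PR or from the JDK test suite. It sends a request that carries a user-set `Authorization` header to a loopback server, with and without an `Authenticator` on the client, and reports whether the header arrived; the class name, method name and credentials are constructed for illustration, and the output depends on the JDK build it runs on.

```java
import com.sun.net.httpserver.HttpServer;
import java.net.*;
import java.net.http.*;
import java.util.concurrent.atomic.AtomicBoolean;

public class PreemptiveAuthProbe {
    // Constructed sample credential: base64 of "user:constructed".
    static final String BASIC = "Basic dXNlcjpjb25zdHJ1Y3RlZA==";

    // True if the server saw an Authorization header on the first request.
    // The server always answers 200, so the Authenticator is never challenged:
    // any header observed here was set by the user, not by the client.
    static boolean firstRequestCarriedAuth(boolean withAuthenticator) throws Exception {
        AtomicBoolean first = new AtomicBoolean(true);
        AtomicBoolean seen = new AtomicBoolean(false);
        HttpServer server = HttpServer.create(
                new InetSocketAddress(InetAddress.getLoopbackAddress(), 0), 0);
        server.createContext("/", e -> {
            if (first.getAndSet(false)) {
                seen.set(e.getRequestHeaders().containsKey("Authorization"));
            }
            e.sendResponseHeaders(200, -1);
            e.close();
        });
        server.start();
        try {
            HttpClient.Builder builder = HttpClient.newBuilder();
            if (withAuthenticator) {
                builder.authenticator(new Authenticator() {
                    @Override
                    protected PasswordAuthentication getPasswordAuthentication() {
                        return new PasswordAuthentication("user", "constructed".toCharArray());
                    }
                });
            }
            URI uri = URI.create("http://127.0.0.1:" + server.getAddress().getPort() + "/");
            HttpRequest req = HttpRequest.newBuilder(uri).header("Authorization", BASIC).build();
            builder.build().send(req, HttpResponse.BodyHandlers.discarding());
            return seen.get();
        } finally {
            server.stop(0);
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("no authenticator:   " + firstRequestCarriedAuth(false));
        System.out.println("with authenticator: " + firstRequestCarriedAuth(true));
    }
}
```

Running it on builds from before and after the change shows whether a user-supplied header still reaches the server when an authenticator is configured, which is the behaviour difference the review asks about.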
