On Mon, 15 Mar 2021 13:21:25 GMT, Daniel Fuchs <dfu...@openjdk.org> wrote:
>> Hi,
>>
>> The fix for the reported bug in Utils.CONTEXT_RESTRICTED caused a couple of
>> regression failures, which turned out to be another bug exposed by this fix
>> where HTTP/1.1 CONNECT requests with authentication were filtering out proxy
>> authentication headers wrongly. This was because the HttpRequestImpl created
>> for the repeated CONNECT was putting the system headers in the user headers
>> area of the HttpRequestImpl. The fix for that is to supply the user and
>> system headers direct to the place where the new HttpRequestImpl is created.
>>
>> Thanks
>> Michael
>
> test/jdk/java/net/httpclient/AuthFilter.java line 57:
>
>> 55: Headers reqh = e.getRequestHeaders();
>> 56: if (reqh.containsKey("authorization")) {
>> 57: e.sendResponseHeaders(500, -1);
>
> I am a bit concerned by that. It shows that without your fix preemptive
> authentication would have worked, as the server would have received the
> authorization header.
>
> I did a bit of an experiment - and it seems that with proxy-authorization you
> would get an IOException (with or without your fix). So it seems that without
> your fix we are unwillingly currently supporting user preemptive
> authentication (for servers) in the presence of an authenticator, but not for
> proxies. With your fix, neither will be supported.
>
> Is that the right thing to do?

What I am seeing is that if no authenticator is set, whether the fix is present or not, an "Authorization" header is passed through, but a "Proxy-Authorization" header is filtered. So, that is a different issue. It probably is a bug though.

-------------

PR: https://git.openjdk.java.net/jdk/pull/2977