On Tue, 1 Oct 2024 15:13:59 GMT, Michael McMahon <micha...@openjdk.org> wrote:
> > Would it make sense to assume that the user is always right, and use
> > the authenticator only for the credentials that the user didn't provide?
> >
> > I realize that it would be a major behavior change, but I think that's
> > the least surprising behavior.
>
> That could be simpler and still fits what I think the bug reporters are
> looking for, which is basically that the authenticator would be used for one
> of server or proxy, while the user would (directly) look after the other.
>
> The problem is partly caused by the fact that there's no way to register an
> authenticator for proxy only or server only, or two separate authenticators
> for each.

I guess we could arrange to call the authenticator for `WWW-Authenticate` only if the user headers do not contain `Authorization` - and likewise for `Proxy-Authenticate` / `Proxy-Authorization`. If user headers contain `Authorization` and we receive 401, we just relay the 401 to the user. Same for `Proxy-Authorization` / 407?

That would definitely need a CSR + release note if we changed the behavior that way though...

-------------

PR Comment: https://git.openjdk.org/jdk/pull/21249#issuecomment-2386321251