On Tue, 1 Oct 2024 15:25:20 GMT, Daniel Fuchs <dfu...@openjdk.org> wrote:

> > > ```
> > > Would it make sense to assume that the user is always right, and use the 
> > > authenticator only for the credentials that the user didn't provide?
> > > 
> > > I realize that it would be a major behavior change, but I think that's 
> > > the least surprising behavior.
> > > ```
> > 
> > 
> > That could be simpler and still fits what I think the bug reporters are 
> > looking for which is basically that the authenticator would be used for one 
> > of server or proxy, while the user would (directly) look after the other.
> > The problem is partly caused by the fact that there's no way to register an 
> > authenticator for proxy only or server only or two separate authenticators 
> > for each.
> 
> I guess we could arrange to call the authenticator for `WWW-Authenticate` 
> only if the user headers do not contain `Authorization` - and likewise for 
> `Proxy-Authenticate` / `Proxy-Authorization`. If user headers contain 
> Authorization and we receive 401, we just relay the 401 to the user. Same for 
> Proxy-Authorization / 407 ?
> 
> That would definitely need a CSR + release note if we changed the behavior 
> that way though...

I was thinking this needed a CSR and release note anyway.

-------------

PR Comment: https://git.openjdk.org/jdk/pull/21249#issuecomment-2386329725