On Tue, 1 Oct 2024 15:25:20 GMT, Daniel Fuchs <dfu...@openjdk.org> wrote:
> > > Would it make sense to assume that the user is always right, and use the
> > > authenticator only for the credentials that the user didn't provide?
> > >
> > > I realize that it would be a major behavior change, but I think that's
> > > the least surprising behavior.
> >
> > That could be simpler and still fits what I think the bug reporters are
> > looking for, which is basically that the authenticator would be used for one
> > of server or proxy, while the user would (directly) look after the other.
> > The problem is partly caused by the fact that there's no way to register an
> > authenticator for proxy only or server only, or two separate authenticators
> > for each.
>
> I guess we could arrange to call the authenticator for `WWW-Authenticate`
> only if the user headers do not contain `Authorization` - and likewise for
> `Proxy-Authenticate` / `Proxy-Authorization`. If user headers contain
> Authorization and we receive 401, we just relay the 401 to the user. Same for
> Proxy-Authorization / 407?
>
> That would definitely need a CSR + release note if we changed the behavior
> that way though...

I was thinking this needed a CSR and release note anyway.

-------------

PR Comment: https://git.openjdk.org/jdk/pull/21249#issuecomment-2386329725
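The rule proposed in the quoted exchange, written out as an added example that makes the four cases (401/407 with and without a caller-supplied `Authorization` / `Proxy-Authorization` header) explicit. This is not code from the PR or from the JDK's `HttpClient`, and it does not describe current `HttpClient` behaviour; the class name, the `decide` and `handleChallenge` helpers, the sample credentials and the placeholder URL are assumptions for illustration. It also shows the point made in the thread that a single `Authenticator` serves both server and proxy, with `RequestorType` as its only way to tell which one is asking.

```java
import java.net.Authenticator;
import java.net.Authenticator.RequestorType;
import java.net.PasswordAuthentication;
import java.net.URI;
import java.net.URL;
import java.net.http.HttpHeaders;
import java.util.List;
import java.util.Map;
import java.util.Optional;

// Model of the rule proposed in the thread. It is NOT the JDK's HttpClient code
// and does not describe current behaviour; it only makes the proposed cases explicit.
public class AuthenticatorDispatchModel {

    enum Action { INVOKE_AUTHENTICATOR, RELAY_TO_USER, NOT_A_CHALLENGE }

    // Proposed rule: a 401 goes to the Authenticator only when the caller's own
    // request headers carry no Authorization; a 407 only when they carry no
    // Proxy-Authorization. Otherwise the challenge is relayed to the caller as-is.
    // HttpHeaders lookups are case-insensitive, so "authorization" also counts.
    static Action decide(int status, HttpHeaders userHeaders) {
        switch (status) {
            case 401:
                return userHeaders.firstValue("Authorization").isPresent()
                        ? Action.RELAY_TO_USER : Action.INVOKE_AUTHENTICATOR;
            case 407:
                return userHeaders.firstValue("Proxy-Authorization").isPresent()
                        ? Action.RELAY_TO_USER : Action.INVOKE_AUTHENTICATOR;
            default:
                return Action.NOT_A_CHALLENGE;
        }
    }

    // One Authenticator serves both server and proxy; RequestorType is the only
    // signal it receives about which one is asking. Credentials are constructed
    // sample values, not real ones.
    static final Authenticator AUTH = new Authenticator() {
        @Override
        protected PasswordAuthentication getPasswordAuthentication() {
            if (getRequestorType() == RequestorType.PROXY) {
                return new PasswordAuthentication("proxy-user", "proxy-secret".toCharArray());
            }
            return new PasswordAuthentication("origin-user", "origin-secret".toCharArray());
        }
    };

    // Returns credentials only when the rule says the Authenticator should be
    // consulted. An empty result means the 401/407 is relayed to the caller
    // untouched (or the status was not a challenge at all).
    static Optional<PasswordAuthentication> handleChallenge(int status, HttpHeaders userHeaders, URL url) {
        if (decide(status, userHeaders) != Action.INVOKE_AUTHENTICATOR) {
            return Optional.empty();
        }
        RequestorType type = (status == 407) ? RequestorType.PROXY : RequestorType.SERVER;
        return Optional.ofNullable(AUTH.requestPasswordAuthenticationInstance(
                url.getHost(), null, url.getPort(), url.getProtocol(),
                "example realm", "Basic", url, type));
    }

    public static void main(String[] args) throws Exception {
        // Placeholder host (assumption); nothing is contacted over the network.
        URL url = URI.create("http://example.invalid/").toURL();
        HttpHeaders none = HttpHeaders.of(Map.of(), (k, v) -> true);
        HttpHeaders userAuth = HttpHeaders.of(
                Map.of("authorization", List.of("Basic dXNlcjpwYXNz")), (k, v) -> true);
        HttpHeaders userProxyAuth = HttpHeaders.of(
                Map.of("Proxy-Authorization", List.of("Basic cHJveHk6cGFzcw==")), (k, v) -> true);

        // 401, caller set no Authorization: Authenticator is asked, in the SERVER role.
        System.out.println(handleChallenge(401, none, url)
                .map(PasswordAuthentication::getUserName).orElse("relayed to caller"));
        // 401, caller set Authorization: relayed, Authenticator never consulted.
        System.out.println(handleChallenge(401, userAuth, url)
                .map(PasswordAuthentication::getUserName).orElse("relayed to caller"));
        // 407, caller set Authorization but no Proxy-Authorization: Authenticator asked, PROXY role.
        System.out.println(handleChallenge(407, userAuth, url)
                .map(PasswordAuthentication::getUserName).orElse("relayed to caller"));
        // 407, caller set Proxy-Authorization: relayed.
        System.out.println(handleChallenge(407, userProxyAuth, url)
                .map(PasswordAuthentication::getUserName).orElse("relayed to caller"));
    }
}
```

The third case is the one the bug reporters care about: a caller who sets `Authorization` by hand still gets the `Authenticator` invoked for the proxy leg, because the check is per header, not per request. The check is deliberately on the caller's request headers rather than on the `Authenticator` being present, which is what makes the behaviour change visible to existing code and why the thread expects a CSR and release note.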