On Tue, 1 Oct 2024 11:09:11 GMT, Daniel Jeliński <djelin...@openjdk.org> wrote:

>> This fix relaxes the constraints on user set authentication headers. 
>> Currently, any user set authentication headers are filtered out, if the 
>> HttpClient has an Authenticator set. The reason being that the authenticator 
>> is expected to manage authentication.  With this fix, it will be possible to 
>> use pre-emptive authentication through user set headers, even if an 
>> authenticator is set. The expected use case is where the authenticator would 
>> manage either proxy or server authentication and the user set headers would 
>> manage server authentication if the authenticator is managing proxy (or vice 
>> versa).
>> If the pre-emptive authentication fails, then this behavior is disabled on 
>> further retries and it would be up to the authenticator to provide the right 
>> credentials then.
>> 
>> Thanks,
>> Michael
>
> Would it make sense to assume that the user is always right, and use the 
> authenticator only for the credentials that the user didn't provide?
> 
> I realize that it would be a major behavior change, but I think that's the 
> least surprising behavior.

Just to be clear, I'm not objecting to implementing @djelinski's suggestion. I 
believe it is a good suggestion which would be less surprising for first time 
users of that 'feature'.

-------------

PR Comment: https://git.openjdk.org/jdk/pull/21249#issuecomment-2388384222
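
To see which behaviour a given JDK has, the following probe (an added example, not part of this message or of the PR) sends a user-set `Authorization` header through an `HttpClient` that also has an `Authenticator`, and reports whether a local server received it. The class name, credentials and loopback server are constructed for illustration.

```java
import com.sun.net.httpserver.HttpServer;
import java.net.Authenticator;
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.net.PasswordAuthentication;
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.concurrent.atomic.AtomicReference;

public class PreemptiveAuthProbe {
    public static void main(String[] args) throws Exception {
        AtomicReference<String> seen = new AtomicReference<>();
        // Loopback server that records the Authorization header it receives, if any.
        HttpServer server = HttpServer.create(
                new InetSocketAddress(InetAddress.getByName("127.0.0.1"), 0), 0);
        server.createContext("/", exchange -> {
            seen.set(exchange.getRequestHeaders().getFirst("Authorization"));
            exchange.sendResponseHeaders(204, -1);
            exchange.close();
        });
        server.start();
        try {
            // Authenticator that answers proxy challenges only (constructed credentials).
            Authenticator proxyOnly = new Authenticator() {
                @Override
                protected PasswordAuthentication getPasswordAuthentication() {
                    if (getRequestorType() != RequestorType.PROXY) return null;
                    return new PasswordAuthentication("proxy-user", "constructed".toCharArray());
                }
            };
            HttpClient client = HttpClient.newBuilder().authenticator(proxyOnly).build();
            // Pre-emptive server credentials supplied by the caller (constructed values).
            String basic = "Basic " + Base64.getEncoder().encodeToString(
                    "server-user:constructed".getBytes(StandardCharsets.UTF_8));
            URI uri = URI.create("http://127.0.0.1:" + server.getAddress().getPort() + "/");
            HttpRequest request = HttpRequest.newBuilder(uri).header("Authorization", basic).build();
            client.send(request, HttpResponse.BodyHandlers.discarding());
            System.out.println(seen.get() == null
                    ? "user-set Authorization header was filtered out"
                    : "user-set Authorization header reached the server");
        } finally {
            server.stop(0);
        }
    }
}
```

A result of "filtered out" means credentials the caller believed were being sent never left the client, which is worth knowing before relying on pre-emptive authentication alongside an authenticator.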
