On Tue, 8 Oct 2024 07:59:58 GMT, Michael McMahon <micha...@openjdk.org> wrote:

>> This fix relaxes the constraints on user set authentication headers. 
>> Currently, any user set authentication headers are filtered out, if the 
>> HttpClient has an Authenticator set. The reason being that the authenticator 
>> is expected to manage authentication.  With this fix, it will be possible to 
>> use pre-emptive authentication through user set headers, even if an 
>> authenticator is set. The expected use case is where the authenticator would 
>> manage either proxy or server authentication and the user set headers would 
>> manage server authentication if the authenticator is managing proxy (or vice 
>> versa).
>> If the pre-emptive authentication fails, then this behavior is disabled on 
>> further retries and it would be up to the authenticator to provide the right 
>> credentials then.
>> 
>> Thanks,
>> Michael
>
> Michael McMahon has updated the pull request with a new target base due to a 
> merge or a rebase. The incremental webrev excludes the unrelated changes 
> brought in by the merge/rebase. The pull request contains 10 additional 
> commits since the last revision:
> 
>  - update
>  - implementation rework
>  - Merge branch 'master' into 8326949-authorize
>  - test update
>  - test update
>  - test update
>  - test update
>  - initial impl with test
>  - Merge branch 'master' into 8326949-authorize
>  - impl for fix

src/java.net.http/share/classes/java/net/http/HttpClient.java line 417:

> 415:          * Proxy-Authorization} header set then its value will override 
> any
> 416:          * value derived from the given {@link Authenticator}.
> 417:          *

This sounds like we're going to call the authenticator, but we're not. Maybe:
Suggestion:

         * @apiNote
         * If a {@link HttpRequest} has an {@code Authorization} or {@code
         * Proxy-Authorization} header set then its value will be used and
         * the {@link Authenticator} will not be invoked for the corresponding
         * authentication.
         *

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/21249#discussion_r1791696128
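
The behaviour discussed in this thread, as an added example (not code from the pull request or the JDK): a loopback server that requires Basic credentials, and a client whose Authenticator answers proxy challenges only while the request carries its own Authorization header. The class name, credentials and test server are constructed for illustration.

```java
import com.sun.net.httpserver.HttpServer;
import java.io.IOException;
import java.net.*;
import java.net.http.*;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.concurrent.atomic.AtomicInteger;

public class PreemptiveAuthDemo {
    public static void main(String[] args) throws Exception {
        // Constructed credentials, valid only for the local test server below.
        String expected = "Basic " + Base64.getEncoder()
                .encodeToString("demo-user:demo-pass".getBytes(StandardCharsets.UTF_8));

        // Loopback origin server: 200 if the header arrived, otherwise a 401 challenge.
        HttpServer server = HttpServer.create(
                new InetSocketAddress(InetAddress.getLoopbackAddress(), 0), 0);
        server.createContext("/", ex -> {
            boolean ok = expected.equals(ex.getRequestHeaders().getFirst("Authorization"));
            if (!ok) ex.getResponseHeaders().add("WWW-Authenticate", "Basic realm=\"demo\"");
            ex.sendResponseHeaders(ok ? 200 : 401, -1);
            ex.close();
        });
        server.start();

        // Authenticator that manages proxy authentication only and counts every callback.
        AtomicInteger calls = new AtomicInteger();
        Authenticator proxyOnly = new Authenticator() {
            @Override protected PasswordAuthentication getPasswordAuthentication() {
                calls.incrementAndGet();
                return getRequestorType() == RequestorType.PROXY
                        ? new PasswordAuthentication("proxy-user", "proxy-pass".toCharArray())
                        : null;
            }
        };

        HttpClient client = HttpClient.newBuilder().authenticator(proxyOnly).build();
        HttpRequest request = HttpRequest.newBuilder(
                URI.create("http://127.0.0.1:" + server.getAddress().getPort() + "/"))
                .header("Authorization", expected) // user-set, pre-emptive server credentials
                .build();
        try {
            HttpResponse<Void> rsp = client.send(request, HttpResponse.BodyHandlers.discarding());
            System.out.println("status=" + rsp.statusCode() + " authenticatorCalls=" + calls.get());
        } catch (IOException e) { // e.g. header filtered, then no server credentials available
            System.out.println("failed: " + e.getMessage() + " authenticatorCalls=" + calls.get());
        } finally {
            server.stop(0);
        }
    }
}
```

The callback counter is the thing to watch: with the change described above, the user-set header is sent as given and the Authenticator is not consulted for server authentication; without it, the header is filtered out because an Authenticator is set.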
