Re: RFR: 8340326: Remove references to Applet in core-libs/security tests [v7]

2024-10-01 Thread Daniel Fuchs
On Fri, 27 Sep 2024 18:08:54 GMT, Justin Lu wrote: >> Please review this PR which removes usages of Applet within the corelibs >> tests. >> >> Most changes are removed comments/updated var names. The JBS issue lists >> more files than the ones included in this pull request, please see the >>

Re: RFR: 8326949: Authorization header is removed when a proxy Authenticator is set on HttpClient

2024-10-01 Thread Daniel Fuchs
On Tue, 1 Oct 2024 15:13:59 GMT, Michael McMahon wrote: > > Would it make sense to assume that the user is always right, and use > > the authenticator only for the credentials that the user didn't provide? > > > > I realize that it would be a major behavior change, but I think that's >

Re: RFR: 8326949: Authorization header is removed when a proxy Authenticator is set on HttpClient

2024-10-01 Thread Michael McMahon
On Tue, 1 Oct 2024 15:25:20 GMT, Daniel Fuchs wrote: > > > ``` > > > Would it make sense to assume that the user is always right, and use the > > > authenticator only for the credentials that the user didn't provide? > > > > > > I realize that it would be a major behavior change, but I think th

Re: RFR: 8326949: Authorization header is removed when a proxy Authenticator is set on HttpClient

2024-10-01 Thread Daniel Fuchs
On Tue, 1 Oct 2024 15:28:20 GMT, Michael McMahon wrote: > I was thinking this needed a CSR and release note anyway. true - but the risk of causing regression in existing code might be higher? - PR Comment: https://git.openjdk.org/jdk/pull/21249#issuecomment-2386340524

Re: RFR: 8326949: Authorization header is removed when a proxy Authenticator is set on HttpClient

2024-10-01 Thread Daniel Jeliński
On Sun, 29 Sep 2024 16:46:06 GMT, Michael McMahon wrote: > This fix relaxes the constraints on user set authentication headers. > Currently, any user set authentication headers are filtered out, if the > HttpClient has an Authenticator set. The reason being that the authenticator > is expected

Re: RFR: 8326949: Authorization header is removed when a proxy Authenticator is set on HttpClient

2024-10-01 Thread Michael McMahon
On Tue, 1 Oct 2024 11:09:11 GMT, Daniel Jeliński wrote: > Would it make sense to assume that the user is always right, and use the > authenticator only for the credentials that the user didn't provide? > > I realize that it would be a major behavior change, but I think that's the > least surpr