On Mon, 15 Mar 2021 14:57:33 GMT, Michael McMahon <micha...@openjdk.org> wrote:

>> test/jdk/java/net/httpclient/AuthFilter.java line 57:
>> 
>>> 55:             Headers reqh = e.getRequestHeaders();
>>> 56:             if (reqh.containsKey("authorization")) {
>>> 57:                 e.sendResponseHeaders(500, -1);
>> 
>> I am a bit concerned by that. It shows that without your fix preemptive 
>> authentication would have worked, as the server would have received the 
>> authorization header.
>> 
>> I did a bit of an experiment - and it seems that with proxy-authorization 
>> you would get an IOException (with or without your fix). So it seems that 
>> without your fix we are unwillingly currently supporting user preemptive  
>> authentication (for servers) in the presence of an authenticator, but not 
>> for proxies. With your fix, neither will be supported.
>> 
>> Is that the right thing to do?
>
> What I am seeing is that if no authenticator is set, whether the fix is present 
> or not, an "Authorization" header is passed through, but a 
> "Proxy-Authorization" header is filtered. So, that is a different issue. It 
> probably is a bug though.

I've updated the test to test the proxy authorization case.

-------------

PR: https://git.openjdk.java.net/jdk/pull/2977
