On Mon, 15 Mar 2021 14:57:33 GMT, Michael McMahon <micha...@openjdk.org> wrote:
>> test/jdk/java/net/httpclient/AuthFilter.java line 57: >> >>> 55: Headers reqh = e.getRequestHeaders(); >>> 56: if (reqh.containsKey("authorization")) { >>> 57: e.sendResponseHeaders(500, -1); >> >> I am a bit concerned by that. It shows that without your fix preemptive >> authentication would have worked, as the server would have received the >> authorization header. >> >> I did a bit of an experiment - and it seems that with proxy-authorization >> you would get an IOException (with or without your fix). So it seems that >> without your fix we are unwillingly currently supporting user preemptive >> authentication (for servers) in the presence of an authenticator, but not >> for proxies. With your fix, neither will be supported. >> >> Is that the right thing to do? > > What I am seeing is that if no authenticator set, whether the fix is present > or not, an "Authorization" header is passed through, but a > "Proxy-Authorization" header is filtered. So, that is a different issue. It > probably is a bug though. I've updated the test to test the proxy authorization case ------------- PR: https://git.openjdk.java.net/jdk/pull/2977