-
Notifications
You must be signed in to change notification settings - Fork 5.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
8326949: Authorization header is removed when a proxy Authenticator is set on HttpClient #21249
base: master
Are you sure you want to change the base?
8326949: Authorization header is removed when a proxy Authenticator is set on HttpClient #21249
Conversation
👋 Welcome back michaelm! A progress list of the required criteria for merging this PR into |
❗ This change is not yet ready to be integrated. |
@Michael-Mc-Mahon The following label will be automatically applied to this pull request:
When this pull request is ready to be reviewed, an "RFR" email will be sent to the corresponding mailing list. If you would like to change these labels, use the /label pull request command. |
Would there be any merit to adding something to Builder.authenticator(Authenticator) to document the behavior? I don't know if this would be an API note or impNote. I'm mostly wondering where a developer might read about how/when it is used. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The test seems to be missing a scenario where the provided preemptive credentials are wrong (or obsolete) and the stack then defaults to using the provided authenticator.
var plainCreds = "user:pwd"; | ||
var encoded = java.util.Base64.getEncoder().encodeToString(plainCreds.getBytes(US_ASCII)); | ||
var badCreds = "user:wrong"; | ||
var encoded1 = java.util.Base64.getEncoder().encodeToString(badCreds.getBytes(US_ASCII)); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is some part of the test missing? I don't see where encoded1
is used.
Also should there be some assertion as to whether ProxyAuth()
was called or not?
try { | ||
|
||
var client = HttpClient.newBuilder() |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ideally should use try-with-resource to also close the client.
try { | ||
var client = HttpClient.newBuilder() | ||
.version(java.net.http.HttpClient.Version.HTTP_1_1) | ||
.build(); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
should use try-with-resource to close the client
try { | ||
var client = HttpClient.newBuilder() |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
should use try-with-resource to close the client
} | ||
@Override | ||
public List<Proxy> select(URI uri) { | ||
return List.of(new Proxy(Proxy.Type.HTTP, new InetSocketAddress("localhost", port))); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It would be better to use InetAddress.getLoopbackAddress()
rather than "localhost"
@Override | ||
protected PasswordAuthentication getPasswordAuthentication() { | ||
if (getRequestorType() != RequestorType.SERVER) { | ||
// We only want to handle proxy authentication here |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
// We only want to handle proxy authentication here | |
// We only want to handle server authentication here |
/* | ||
return (k, v) -> client.authenticator().isEmpty() | ||
|| (!k.equalsIgnoreCase("Authorization") | ||
&& !k.equalsIgnoreCase("Proxy-Authorization")) | ||
|
||
// flag may be true for first attempt, and will be false | ||
// for subsequent attempts if the first attempt failed | ||
// due to 401/407 | ||
|
||
|| req.tryUserSetAuthorization(); | ||
*/ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Shouldn't this commented code be removed?
} | ||
|
||
public String baseURL() { | ||
return "http://127.0.0.1:" + getPort(); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should use URIBuilder
here to deal with possible IPv6-only envs
I agree with Alan that it would be good to document how we use the Authenticator in HttpClient.Builder. |
That would be useful. It definitely should be documented somewhere. |
Quite a few existing authentication regression tests are failing with the change. So, I need to investigate them and will address the other PR comments after that. |
This fix relaxes the constraints on user set authentication headers. Currently, any user set authentication headers are filtered out, if the HttpClient has an Authenticator set. The reason being that the authenticator is expected to manage authentication. With this fix, it will be possible to use pre-emptive authentication through user set headers, even if an authenticator is set. The expected use case is where the authenticator would manage either proxy or server authentication and the user set headers would manage server authentication if the authenticator is managing proxy (or vice versa).
If the pre-emptive authentication fails, then this behavior is disabled on further retries and it would be up to the authenticator to provide the right credentials then.
Thanks,
Michael
Progress
Issue
Reviewing
Using
git
Checkout this PR locally:
$ git fetch https://git.openjdk.org/jdk.git pull/21249/head:pull/21249
$ git checkout pull/21249
Update a local copy of the PR:
$ git checkout pull/21249
$ git pull https://git.openjdk.org/jdk.git pull/21249/head
Using Skara CLI tools
Checkout this PR locally:
$ git pr checkout 21249
View PR using the GUI difftool:
$ git pr show -t 21249
Using diff file
Download this PR as a diff file:
https://git.openjdk.org/jdk/pull/21249.diff
Webrev
Link to Webrev Comment