This is very minor, but java.net.Authenticator has the following static field for the default authenticator:
private static Authenticator theAuthenticator;
This field is set from a synchronized method setDefault(..), but
accessed without proper sync from all other request* methods:
Authenticator a = theAuthenticator;
if (a == null) {
return null;
}
D.
