jonenst commented on PR #773: URL: https://github.com/apache/httpcomponents-client/pull/773#issuecomment-3744382787
Hi, for http.proxyUser and http.proxyPassword (for HTTP basic authentication), I have the same understanding as you (see https://github.com/openjdk/jdk/blob/7c4ed0b15baf45616db9ac302e945f223909b980/src/jdk.xml.bind/share/classes/com/sun/istack/internal/tools/DefaultAuthenticator.java#L71 ). (This was removed in jdk11: https://github.com/openjdk/jdk/commits/987c3a2d874fae6cfedf90d5bc920b66c275098a )

As far as I understand, for basic auth, it was always necessary to use some form of code like

```java
Authenticator.setDefault(
    new Authenticator() {
        @Override
        public PasswordAuthentication getPasswordAuthentication() {
            return new PasswordAuthentication(authUser, authPassword.toCharArray());
        }
    }
);
```

although some users report that it's not the case (not sure how trustworthy this report is; maybe the user was unaware that something read those proxyUser/proxyPass system properties and did the right thing for them to register a default authenticator): https://stackoverflow.com/questions/1626549/authenticated-http-proxy-with-java

(note that consequently, the basicauth proxy authentication already had the exact problem of locus of control: users could not run programs in environments where basicauth was mandatory when developers didn't think of writing some code preventively)

(note2: Of course what you want to allow users to do without changing the code is totally arbitrary. For example, for NTLM proxy authentication I often had to run my own cntlm proxy on localhost which would re-expose an authenticated proxy as unauthenticated; it would have been possible to do this for basicauth as well)

ps: https://github.com/openjdk/jdk/blob/d1c0417898c2dcbd6a2e6acc9c72b04f01a9880c/jdk/src/share/classes/com/sun/org/apache/xml/internal/security/utils/resolver/implementations/ResolverDirectHTTP.java#L71 was also removed in jdk9, but I'm not sure if these were ever system properties or just plain programmatic configuration of the engine.

Thanks for all this work!
