jonenst commented on PR #773:
URL: https://github.com/apache/httpcomponents-client/pull/773#issuecomment-3783291963

Hi @rschmitt

> Can proxy auth be handled by the operating system (cf. -Djava.net.useSystemProxies=true)?

I don't think so. AFAIK the JDK has never allowed any kind of zero-code authentication for proxies, only zero-code selection of the proxy. If the proxy then sends 407 because it requires authentication, the following program will never work:
```java
// JDK 25 compact source file (implicit class, java.base imported implicitly).
// Behind a proxy that answers 407, this fails even with -Djava.net.useSystemProxies=true.
void main() throws Exception {
  IO.println(
    ((HttpURLConnection) new URL("http://www.example.com/").openConnection()).getResponseCode()
  );
}
```
I'm almost sure it's the case on Linux. Not sure about Windows (not a Windows user), but a quick search tells me it's also the case.

Also I think it's the same with the newer JDK 11 client, but I'm not sure.

You need some code (Authenticator.setDefault) or a proxy that never sends 407 (e.g. cntlm re-exposes an authenticated proxy as unauthenticated on localhost for any process) for requests to work.

I guess the JDK didn't do it because they want cross-platform and secure features only? (Setting a password on the command line is insecure. Setting a password in an environment variable is also pretty insecure, although less bad. Basic auth is also pretty insecure: you need to trust 100% any proxy that you configure, because you will send them your password as soon as they return 407; other auth methods are not widespread standards in all free proxy servers?)

This contrasts with what (maybe just casual, as in non-corporate users who just want their damn request to work no matter what) users have been doing for decades: just stuff your password in the URL in http_proxy='http://USER:PASS@PROXY:PORT' and forget about it.

So as a lib it feels like you are stuck with either:
- taking the same stance as the JDK: no potentially insecure zero-code authentication, irritating users
- taking the same stance as the users: encouraging potentially insecure things because they will unblock you

That's my understanding at least.

Cheers,
Jon
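The "some code (Authenticator.setDefault)" route from the comment above, as an added example that is not part of the original thread or of HttpComponents Client: the authenticator answers only proxy (407) challenges and only from the one configured proxy host:port, so the password is never handed to an origin server's 401 or to some other host that returns 407. The proxy name, port and the PROXY_* environment variables are assumptions for illustration.

```java
import java.net.Authenticator;
import java.net.HttpURLConnection;
import java.net.InetSocketAddress;
import java.net.PasswordAuthentication;
import java.net.Proxy;
import java.net.URI;

/** Supplies proxy credentials only to the single proxy we configured, never to an origin server. */
final class PinnedProxyAuthenticator extends Authenticator {
    private final String proxyHost;
    private final int proxyPort;
    private final String user;
    private final char[] password;

    PinnedProxyAuthenticator(String proxyHost, int proxyPort, String user, char[] password) {
        this.proxyHost = proxyHost;
        this.proxyPort = proxyPort;
        this.user = user;
        this.password = password;
    }

    @Override
    protected PasswordAuthentication getPasswordAuthentication() {
        // Only a proxy challenge (407) qualifies; a 401 from the origin server gets nothing.
        if (getRequestorType() != RequestorType.PROXY) return null;
        // Only the proxy we explicitly configured gets the password (getRequestingHost may be null).
        if (!proxyHost.equalsIgnoreCase(getRequestingHost()) || getRequestingPort() != proxyPort) return null;
        return new PasswordAuthentication(user, password.clone());
    }
}

public class ProxyAuthExample {
    public static void main(String[] args) throws Exception {
        // Hypothetical proxy; credentials are read from the environment at runtime (example only).
        String host = System.getenv().getOrDefault("PROXY_HOST", "proxy.example.internal");
        int port = Integer.parseInt(System.getenv().getOrDefault("PROXY_PORT", "3128"));
        String user = System.getenv("PROXY_USER");
        String pass = System.getenv("PROXY_PASS");
        if (user == null || pass == null) throw new IllegalStateException("PROXY_USER/PROXY_PASS not set");

        Authenticator.setDefault(new PinnedProxyAuthenticator(host, port, user, pass.toCharArray()));

        // Explicit proxy selection; with -Djava.net.useSystemProxies=true the default ProxySelector could pick it instead.
        Proxy proxy = new Proxy(Proxy.Type.HTTP, new InetSocketAddress(host, port));
        HttpURLConnection conn = (HttpURLConnection)
            URI.create("http://www.example.com/").toURL().openConnection(proxy);
        System.out.println("Response code: " + conn.getResponseCode());
    }
}
```

Note that this still ends up as Basic auth on the wire if that is what the proxy offers; the pinning only limits which peer the password can be sent to, which is the trust problem the comment describes.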


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]
