rschmitt commented on PR #773: URL: https://github.com/apache/httpcomponents-client/pull/773#issuecomment-3786795136
> AFAIK the jdk has never allowed any kind of zero-code authentication for proxies.

I spoke with an engineer from the AWS Java SDK, who told me that some users are using mTLS for proxy auth. (I interpret this as another reason to respect key store system property configuration by default.) But for HTTP proxy auth with a 407 challenge and an IANA `auth-scheme` ([of which there are many](https://www.iana.org/assignments/http-authschemes/http-authschemes.xhtml), including tons of non-standard ones like `AWS4-HMAC-SHA256`), I think you're probably right.

> This contrasts with what (maybe just casual as in non-corporate that just want their damn request to work no matter what) users have been doing for decades, just stuff your password in the url in `http_proxy='http://USER:PASS@PROXY:PORT'` and forget about it.

That's a good point, and I'll add that by keeping the credentials and the proxy endpoint together like this, you actually know who your credentials will be disclosed to. Even with the issues you're pointing out, I'd still be inclined to respect the `proxyUser` and `proxyPassword` system properties by default _if_ I knew that people were actually using this feature, but I'm rather skeptical that they are; they seem vestigial. Unless we learn something new, I think removing support for those system properties is the right call.
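The point about keeping the credentials and the proxy endpoint together, as an added example (not code from the PR or from HttpClient itself): it parses an `http_proxy`-style URL and registers the credentials under an `AuthScope` limited to that proxy's host and port. The class name, the `fromProxyUrl` helper and the sample URL are assumptions made for illustration.

```java
import java.net.URI;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;

import org.apache.hc.client5.http.auth.AuthScope;
import org.apache.hc.client5.http.auth.UsernamePasswordCredentials;
import org.apache.hc.client5.http.impl.auth.BasicCredentialsProvider;
import org.apache.hc.client5.http.impl.classic.CloseableHttpClient;
import org.apache.hc.client5.http.impl.classic.HttpClients;
import org.apache.hc.core5.http.HttpHost;

public final class ScopedProxyCredentials {

    // Percent-decode one userinfo component; '+' is literal in a URI, so protect it from URLDecoder.
    private static String decode(String raw) {
        return URLDecoder.decode(raw.replace("+", "%2B"), StandardCharsets.UTF_8);
    }

    /** Builds a client from an http_proxy-style URL (hypothetical helper, not an HttpClient API). */
    static CloseableHttpClient fromProxyUrl(String proxyUrl) {
        URI uri = URI.create(proxyUrl);
        if (uri.getHost() == null) throw new IllegalArgumentException("proxy URL has no host");
        String scheme = uri.getScheme() == null ? "http" : uri.getScheme();
        int port = uri.getPort() != -1 ? uri.getPort() : ("https".equalsIgnoreCase(scheme) ? 443 : 80);
        HttpHost proxy = new HttpHost(scheme, uri.getHost(), port);

        BasicCredentialsProvider credentials = new BasicCredentialsProvider();
        String userInfo = uri.getRawUserInfo();
        if (userInfo != null) {
            // Split on the first ':' of the raw form so an encoded ':' in either part survives.
            int colon = userInfo.indexOf(':');
            String user = decode(colon < 0 ? userInfo : userInfo.substring(0, colon));
            char[] pass = colon < 0 ? new char[0] : decode(userInfo.substring(colon + 1)).toCharArray();
            // Scope is exactly the proxy's host and port: a challenge from any other endpoint gets nothing.
            credentials.setCredentials(new AuthScope(proxy.getHostName(), proxy.getPort()),
                    new UsernamePasswordCredentials(user, pass));
        }
        return HttpClients.custom().setProxy(proxy).setDefaultCredentialsProvider(credentials).build();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample value; proxy.example.internal is a placeholder host.
        try (CloseableHttpClient client = fromProxyUrl("http://alice:s3cr%40t@proxy.example.internal:3128")) {
            System.out.println("client configured with proxy-scoped credentials");
        }
    }
}
```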
