On Thu, 17 Oct 2024 10:36:32 GMT, Michael McMahon <micha...@openjdk.org> wrote:
>> Hi, >> >> I closed https://github.com/openjdk/jdk/pull/21249 and am continuing the >> review on this PR. >> >> This fix relaxes the constraints on user set authentication headers. >> Currently, any user set authentication headers are filtered out, if the >> HttpClient has an Authenticator set. The reason being that the authenticator >> is expected to manage authentication. With this fix, it will be possible to >> use pre-emptive authentication through user set headers, even if an >> authenticator is set. The expected use case is where the authenticator would >> manage either proxy or server authentication and the user set headers would >> manage server authentication if the authenticator is managing proxy (or vice >> versa). >> >> A CSR will be filed to document this change. >> >> Thanks, >> Michael > > Michael McMahon has updated the pull request incrementally with one > additional commit since the last revision: > > test update test/jdk/java/net/httpclient/UserAuthWithAuthenticator.java line 158: > 156: } else { > 157: assertTrue(resp.statusCode() == 200, "Expected 200 > response"); > 158: assertTrue(!h.authValue().equals(encoded), "Expected > user set header to not be set"); It would be good to have a third scenario where the provided user header are bad (e.g. wrong password) and we verify that 401 is returned and that the request is not retried with the authenticator. ------------- PR Review Comment: https://git.openjdk.org/jdk/pull/21408#discussion_r1805032589
