8326949: Authorization header is removed when a proxy Authenticator is set on HttpClient

Reviewed-by: dfuchs, jpai, djelinski

Author: Michael-Mc-Mahon

src/java.net.http/share/classes/java/net/http/HttpClient.java

@@ -410,6 +410,14 @@ public interface Builder {
         /**
          * Sets an authenticator to use for HTTP authentication.
          *
+         * @implNote
+         * In the JDK built-in implementation of the {@code HttpClient},
+         * if a {@link HttpRequest} has an {@code Authorization} or {@code
+         * Proxy-Authorization} header set then its value is used and
+         * the {@link Authenticator} is not invoked for the corresponding
+         * authentication. In this case, any authentication errors are returned
+         * to the user and requests are not automatically retried.
+         *
          * @param authenticator the Authenticator
          * @return this builder
          */

src/java.net.http/share/classes/jdk/internal/net/http/AuthenticationFilter.java

@@ -244,6 +244,14 @@ public HttpRequestImpl response(Response r) throws IOException {
         HttpHeaders hdrs = r.headers();
         HttpRequestImpl req = r.request();
 
+        if (req.getUserSetAuthFlag(SERVER) && status == UNAUTHORIZED) {
+            // return the response. We don't handle it.
+            return null;
+        } else if (req.getUserSetAuthFlag(PROXY) && status == PROXY_UNAUTHORIZED) {
+            // same
+            return null;
+        }
+
         if (status != PROXY_UNAUTHORIZED) {
             if (exchange.proxyauth != null && !exchange.proxyauth.fromcache) {
                 AuthInfo au = exchange.proxyauth;

src/java.net.http/share/classes/jdk/internal/net/http/Http1Request.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2015, 2022, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2015, 2024, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -45,6 +45,8 @@
 import jdk.internal.net.http.common.Utils;
 
 import static java.lang.String.format;
+import static java.net.Authenticator.RequestorType.PROXY;
+import static java.net.Authenticator.RequestorType.SERVER;
 import static java.nio.charset.StandardCharsets.US_ASCII;
 
 /**
@@ -91,7 +93,6 @@ private void logHeaders(String completeHeaders) {
         }
     }
 
-
     public void collectHeaders0(StringBuilder sb) {
         BiPredicate<String,String> filter =
                 connection.headerFilter(request);
@@ -104,7 +105,9 @@ public void collectHeaders0(StringBuilder sb) {
 
         // Filter overridable headers from userHeaders
         userHeaders = HttpHeaders.of(userHeaders.map(),
-                      connection.contextRestricted(request, client));
+                      connection.contextRestricted(request));
+
+        Utils.setUserAuthFlags(request, userHeaders);
 
         final HttpHeaders uh = userHeaders;
 

src/java.net.http/share/classes/jdk/internal/net/http/HttpConnection.java

@@ -356,13 +356,13 @@ BiPredicate<String,String> headerFilter(HttpRequestImpl request) {
         }
     }
 
-    BiPredicate<String,String> contextRestricted(HttpRequestImpl request, HttpClient client) {
+    BiPredicate<String,String> contextRestricted(HttpRequestImpl request) {
         if (!isTunnel() && request.isConnect()) {
             // establishing a proxy tunnel
             assert request.proxy() == null;
-            return Utils.PROXY_TUNNEL_RESTRICTED(client);
+            return Utils.PROXY_TUNNEL_RESTRICTED();
         } else {
-            return Utils.CONTEXT_RESTRICTED(client);
+            return Utils.ACCEPT_ALL;
         }
     }
 

src/java.net.http/share/classes/jdk/internal/net/http/HttpRequestImpl.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2015, 2023, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2015, 2024, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -26,6 +26,7 @@
 package jdk.internal.net.http;
 
 import java.io.IOException;
+import java.net.Authenticator;
 import java.net.InetSocketAddress;
 import java.net.Proxy;
 import java.net.ProxySelector;
@@ -47,6 +48,8 @@
 import jdk.internal.net.http.common.Utils;
 import jdk.internal.net.http.websocket.WebSocketRequest;
 
+import static java.net.Authenticator.RequestorType.PROXY;
+import static java.net.Authenticator.RequestorType.SERVER;
 import static jdk.internal.net.http.common.Utils.ALLOWED_HEADERS;
 import static jdk.internal.net.http.common.Utils.ProxyHeaders;
 
@@ -66,6 +69,8 @@ public class HttpRequestImpl extends HttpRequest implements WebSocketRequest {
     private volatile AccessControlContext acc;
     private final Duration timeout;  // may be null
     private final Optional<HttpClient.Version> version;
+    private volatile boolean userSetAuthorization;
+    private volatile boolean userSetProxyAuthorization;
 
     private static String userAgent() {
         PrivilegedAction<String> pa = () -> System.getProperty("java.version");
@@ -333,6 +338,30 @@ boolean isWebSocket() {
         return isWebSocket;
     }
 
+    /**
+     * These flags are set if the user set an Authorization or Proxy-Authorization header
+     * overriding headers produced by an Authenticator that was also set
+     *
+     * The values are checked in the AuthenticationFilter which tells the library
+     * to return whatever response received to the user instead of causing request
+     * to be resent, in case of error.
+     */
+    public void setUserSetAuthFlag(Authenticator.RequestorType type, boolean value) {
+        if (type == SERVER) {
+            userSetAuthorization = value;
+        } else {
+            userSetProxyAuthorization = value;
+        }
+    }
+
+    public boolean getUserSetAuthFlag(Authenticator.RequestorType type) {
+        if (type == SERVER) {
+            return userSetAuthorization;
+        } else {
+            return userSetProxyAuthorization;
+        }
+    }
+
     @Override
     public Optional<BodyPublisher> bodyPublisher() {
         return requestPublisher == null ? Optional.empty()

src/java.net.http/share/classes/jdk/internal/net/http/Stream.java

@@ -825,7 +825,8 @@ private OutgoingHeaders<Stream<T>> headerFrame(long contentLength) {
         HttpHeaders sysh = filterHeaders(h.build());
         HttpHeaders userh = filterHeaders(request.getUserHeaders());
         // Filter context restricted from userHeaders
-        userh = HttpHeaders.of(userh.map(), Utils.CONTEXT_RESTRICTED(client()));
+        userh = HttpHeaders.of(userh.map(), Utils.ACCEPT_ALL);
+        Utils.setUserAuthFlags(request, userh);
 
         // Don't override Cookie values that have been set by the CookieHandler.
         final HttpHeaders uh = userh;

src/java.net.http/share/classes/jdk/internal/net/http/common/Utils.java

@@ -82,6 +82,8 @@
 import static java.lang.String.format;
 import static java.nio.charset.StandardCharsets.US_ASCII;
 import static java.util.stream.Collectors.joining;
+import static java.net.Authenticator.RequestorType.PROXY;
+import static java.net.Authenticator.RequestorType.SERVER;
 
 /**
  * Miscellaneous utilities
@@ -210,24 +212,10 @@ private static Set<String> getDisallowedHeaders() {
                 return true;
             };
 
-    // Headers that are not generally restricted, and can therefore be set by users,
-    // but can in some contexts be overridden by the implementation.
-    // Currently, only contains "Authorization" which will
-    // be overridden, when an Authenticator is set on the HttpClient.
-    // Needs to be BiPred<String,String> to fit with general form of predicates
-    // used by caller.
-
-    public static final BiPredicate<String, String> CONTEXT_RESTRICTED(HttpClient client) {
-        return (k, v) -> client.authenticator().isEmpty() ||
-                (!k.equalsIgnoreCase("Authorization")
-                        && !k.equalsIgnoreCase("Proxy-Authorization"));
-    }
-
     public record ProxyHeaders(HttpHeaders userHeaders, HttpHeaders systemHeaders) {}
 
-    private static final BiPredicate<String, String> HOST_RESTRICTED = (k,v) -> !"host".equalsIgnoreCase(k);
-    public static final BiPredicate<String, String> PROXY_TUNNEL_RESTRICTED(HttpClient client)  {
-        return CONTEXT_RESTRICTED(client).and(HOST_RESTRICTED);
+    public static final BiPredicate<String, String> PROXY_TUNNEL_RESTRICTED()  {
+        return (k,v) -> !"host".equalsIgnoreCase(k);
     }
 
     private static final Predicate<String> IS_HOST = "host"::equalsIgnoreCase;
@@ -310,6 +298,19 @@ private static final boolean isAllowedForProxy(String name,
     public static final BiPredicate<String, String> NO_PROXY_HEADERS_FILTER =
             (n,v) -> Utils.NO_PROXY_HEADER.test(n);
 
+    /**
+     * Check the user headers to see if the Authorization or ProxyAuthorization
+     * were set. We need to set special flags in the request if so. Otherwise
+     * we can't distinguish user set from Authenticator set headers
+     */
+    public static void setUserAuthFlags(HttpRequestImpl request, HttpHeaders userHeaders) {
+        if (userHeaders.firstValue("Authorization").isPresent()) {
+            request.setUserSetAuthFlag(SERVER, true);
+        }
+        if (userHeaders.firstValue("Proxy-Authorization").isPresent()) {
+            request.setUserSetAuthFlag(PROXY, true);
+        }
+    }
 
     public static boolean proxyHasDisabledSchemes(boolean tunnel) {
         return tunnel ? ! PROXY_AUTH_TUNNEL_DISABLED_SCHEMES.isEmpty()