changeset 7751:e64096846c20

8048035: Ensure proper proxy protocols Reviewed-by: michaelm, coffeys
author robm
date Tue, 21 Oct 2014 15:33:45 +0100
parents 1d17f4662714
children 481749b8ba88 8b02d56a3fb0
files src/share/classes/sun/net/www/protocol/http/HttpURLConnection.java
diffstat 1 files changed, 13 insertions(+), 0 deletions(-) [+]
--- a/src/share/classes/sun/net/www/protocol/http/HttpURLConnection.java	Mon Oct 20 12:35:24 2014 -0700
+++ b/src/share/classes/sun/net/www/protocol/http/HttpURLConnection.java	Tue Oct 21 15:33:45 2014 +0100
@@ -315,6 +315,7 @@
     /* try auth without calling Authenticator. Used for transparent NTLM authentication */
     private boolean tryTransparentNTLMServer = true;
     private boolean tryTransparentNTLMProxy = true;
+    private boolean useProxyResponseCode = false;
 
     /* Used by Windows specific code */
     private Object authObj;
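Review bot: `useProxyResponseCode` is added without a comment of its own, and the name does not say what the flag records; it sits under the transparent-NTLM comment, which describes the two fields above it but not this one. Judging by the other hunks, it appears to mean that the proxy now in use was named by a server response (the 305 case mentioned in the later comment) rather than configured by the user. I would document that on the field, e.g. `/* true once the request was re-targeted at a proxy named by a server response (305); transparent NTLM must not be offered to such a proxy */`.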
@@ -2032,6 +2033,14 @@
                         if (tryTransparentNTLMProxy) {
                             tryTransparentNTLMProxy =
                                     NTLMAuthenticationProxy.proxy.supportsTransparentAuth;
+                            /* If the platform supports transparent authentication
+                             * then normally it's ok to do transparent auth to a proxy
+                                         * because we generally trust proxies (chosen by the user)
+                                         * But not in the case of 305 response where the server
+                             * chose it. */
+                            if (tryTransparentNTLMProxy && useProxyResponseCode) {
+                                tryTransparentNTLMProxy = false;
+                            }
                         }
                         a = null;
                         if (tryTransparentNTLMProxy) {
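Review bot: The new guard covers only the transparent NTLM path, so a proxy chosen by a 305 response may still be eligible for any other proxy authentication this method performs without user involvement. Those schemes are handled outside this hunk, so it is worth confirming that none of them sends default or cached credentials to a server-chosen proxy. The check can also be folded into the assignment, `tryTransparentNTLMProxy = NTLMAuthenticationProxy.proxy.supportsTransparentAuth && !useProxyResponseCode;`, which removes the second `if`. The middle lines of the added comment are indented far to the right of the rest and should be realigned. The enclosing method starts and ends outside the hunk.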
@@ -2364,6 +2373,10 @@
             requests.set(0, method + " " + getRequestURI()+" "  +
                              httpVersion, null);
             connected = true;
+            // need to remember this in case NTLM proxy authentication gets
+            // used. We can't use transparent authentication when user
+            // doesn't know about proxy.
+            useProxyResponseCode = true;
         } else {
             // maintain previous headers, just change the name
             // of the file we're getting
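Review bot: `useProxyResponseCode` is set here and nothing in the visible patch ever clears it, so it stays true for the rest of the connection object's life; that is the fail-safe direction, but the comment should say it is intentional. The comment also never names the condition that leads into this branch, which begins outside the hunk. Something like `// Proxy was supplied by the server (305 Use Proxy), not chosen by the user: never offer transparent NTLM credentials to it.` would tie it to the check in the authentication code. The changeset touches only this one file, so a regression test asserting that no transparent NTLM authentication is attempted towards a proxy reached through this branch would be a useful addition.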