changeset 10595:1d973a19ef7c

8048035: Ensure proper proxy protocols Reviewed-by: chegar, coffeys
author michaelm
date Mon, 20 Oct 2014 10:29:30 +0100
parents f9d3b1e83fea
children ca4865cc7bea
files src/share/classes/sun/net/www/protocol/http/HttpURLConnection.java
diffstat 1 files changed, 13 insertions(+), 0 deletions(-) [+]
line wrap: on
line diff
--- a/src/share/classes/sun/net/www/protocol/http/HttpURLConnection.java	Wed Oct 15 15:41:50 2014 -0700
+++ b/src/share/classes/sun/net/www/protocol/http/HttpURLConnection.java	Mon Oct 20 10:29:30 2014 +0100
@@ -336,6 +336,7 @@
     /* try auth without calling Authenticator. Used for transparent NTLM authentication */
     private boolean tryTransparentNTLMServer = true;
     private boolean tryTransparentNTLMProxy = true;
+    private boolean useProxyResponseCode = false;
 
     /* Used by Windows specific code */
     private Object authObj;
@@ -2243,6 +2244,14 @@
                         if (tryTransparentNTLMProxy) {
                             tryTransparentNTLMProxy =
                                     NTLMAuthenticationProxy.supportsTransparentAuth;
+                            /* If the platform supports transparent authentication
+                             * then normally it's ok to do transparent auth to a proxy
+                             * because we generally trust proxies (chosen by the user)
+                             * But not in the case of 305 response where the server
+                             * chose it. */
+                            if (tryTransparentNTLMProxy && useProxyResponseCode) {
+                                tryTransparentNTLMProxy = false;
+                            }
                         }
                         a = null;
                         if (tryTransparentNTLMProxy) {
@@ -2614,6 +2623,10 @@
             requests.set(0, method + " " + getRequestURI()+" "  +
                              httpVersion, null);
             connected = true;
+            // need to remember this in case NTLM proxy authentication gets
+            // used. We can't use transparent authentication when user
+            // doesn't know about proxy.
+            useProxyResponseCode = true;
         } else {
             // maintain previous headers, just change the name
             // of the file we're getting