changeset 11279:dd66a3cbbbff

8048035: Ensure proper proxy protocols Reviewed-by: alanb, chegar
author michaelm
date Wed, 10 Sep 2014 10:33:43 +0100
parents 480ecd26b4e3
children 3071309ab5a2
files src/java.base/share/classes/sun/net/www/protocol/http/HttpURLConnection.java
diffstat 1 files changed, 14 insertions(+), 0 deletions(-) [+]
line wrap: on
line diff
--- a/src/java.base/share/classes/sun/net/www/protocol/http/HttpURLConnection.java	Fri Aug 29 20:16:35 2014 -0700
+++ b/src/java.base/share/classes/sun/net/www/protocol/http/HttpURLConnection.java	Wed Sep 10 10:33:43 2014 +0100
@@ -337,6 +337,7 @@
     /* try auth without calling Authenticator. Used for transparent NTLM authentication */
     private boolean tryTransparentNTLMServer = true;
     private boolean tryTransparentNTLMProxy = true;
+    private boolean useProxyResponseCode = false;
 
     /* Used by Windows specific code */
     private Object authObj;
@@ -2239,6 +2240,15 @@
                         if (tryTransparentNTLMProxy) {
                             tryTransparentNTLMProxy =
                                     NTLMAuthenticationProxy.supportsTransparentAuth;
+                            /* If the platform supports transparent authentication
+                             * then normally it's ok to do transparent auth to a proxy
+                                         * because we generally trust proxies (chosen by the user)
+                                         * But not in the case of 305 response where the server
+                             * chose it. */
+                            if (tryTransparentNTLMProxy && useProxyResponseCode) {
+                                tryTransparentNTLMProxy = false;
+                            }
+
                         }
                         a = null;
                         if (tryTransparentNTLMProxy) {
@@ -2610,6 +2620,10 @@
             requests.set(0, method + " " + getRequestURI()+" "  +
                              httpVersion, null);
             connected = true;
+            // need to remember this in case NTLM proxy authentication gets
+            // used. We can't use transparent authentication when user
+            // doesn't know about proxy.
+            useProxyResponseCode = true;
         } else {
             // maintain previous headers, just change the name
             // of the file we're getting