JDK-8323292 : Improper handling of Proxy-Authorization header
  • Type: Bug
  • Component: core-libs
  • Sub-Component: java.net
  • Affected Version: 11
  • Priority: P4
  • Status: Open
  • Resolution: Unresolved
  • OS: generic
  • CPU: generic
  • Submitted: 2024-01-04
  • Updated: 2025-10-07
Related Reports
Relates :  
JDK-8263442 - Potential bug in jdk.internal.net.http.common.Utils.CONTEXT_RESTRICTED
Description
A DESCRIPTION OF THE PROBLEM :
In jdk.internal.net.http.common.Utils, the code says:
public static final BiPredicate<String, String> CONTEXT_RESTRICTED(HttpClient client) {
        return (k, v) -> client.authenticator() == null ||
                ! (k.equalsIgnoreCase("Authorization")
                        && k.equalsIgnoreCase("Proxy-Authorization"));
    }

But client.authenticator() returns an Optional and thus cannot be null.
This has been fixed in master by the following code:
public static final BiPredicate<String, String> CONTEXT_RESTRICTED(HttpClient client) {
        return (k, v) -> client.authenticator().isEmpty() ||
                ! (k.equalsIgnoreCase("Authorization")
                        && k.equalsIgnoreCase("Proxy-Authorization"));
    }

But unfortunately the code hasn't been backported to JDK 11

STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
Try to implement proxy authentication using JDK 11 HttpClient

EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
Proxy Authentication should work
ACTUAL -
Proxy Authentication doesn't work
Comments
Additional information received from the submitter: " Option 1: HttpClient.Builder httpClientBuilder = HttpClient.newBuilder(); httpClientBuilder.proxy(ProxySelector.of(new InetSocketAddress(proxyHost, proxyPort))); var httpClient=httpClientBuilder.build(); var httpRequest=HttpRequest.newBuilder(URI.create(url)).setHeader("Proxy-Authorization", getAuthHeader(proxyLogin, proxyPassword)).GET("https://www.google.com/").build(); httpClient.sendAsync(request,HttpResponse.BodyHandlers.ofString()); Option 2: HttpClient.Builder httpClientBuilder = HttpClient.newBuilder(); httpClientBuilder.proxy(ProxySelector.of(new InetSocketAddress(proxyHost, proxyPort))); Authenticator authenticator = new Authenticator() { @Override public PasswordAuthentication getPasswordAuthentication() { return new PasswordAuthentication(proxyLogin, proxyPassword.toCharArray()); } }; httpClientBuilder.authenticator(authenticator); var httpClient=httpClientBuilder.build(); var httpRequest=HttpRequest.newBuilder(URI.create(url)).GET("https://www.google.com/").build(); httpClient.sendAsync(request,HttpResponse.BodyHandlers.ofString()); "
09-01-2024