8372731: Detailed authentication failure messages

Reviewed-by: dfuchs, michaelm

Author: djelinski

src/java.base/share/classes/sun/net/www/protocol/http/AuthenticationInfo.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1995, 2024, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1995, 2025, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -25,6 +25,7 @@
 
 package sun.net.www.protocol.http;
 
+import java.io.IOException;
 import java.net.PasswordAuthentication;
 import java.net.URL;
 import java.util.HashMap;
@@ -428,9 +429,10 @@ public String getHeaderName() {
      * @param conn The connection to apply the header(s) to
      * @param p A source of header values for this connection, if needed.
      * @param raw The raw header field (if needed)
-     * @return true if all goes well, false if no headers were set.
+     * @throws IOException if no headers were set
      */
-    public abstract boolean setHeaders(HttpURLConnection conn, HeaderParser p, String raw);
+    public abstract void setHeaders(HttpURLConnection conn, HeaderParser p, String raw)
+            throws IOException;
 
     /**
      * Check if the header indicates that the current auth. parameters are stale.

src/java.base/share/classes/sun/net/www/protocol/http/BasicAuthentication.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 2024, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2025, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -125,15 +125,13 @@ public boolean supportsPreemptiveAuthorization() {
      * @param conn The connection to apply the header(s) to
      * @param p A source of header values for this connection, if needed.
      * @param raw The raw header values for this connection, if needed.
-     * @return true if all goes well, false if no headers were set.
      */
     @Override
-    public boolean setHeaders(HttpURLConnection conn, HeaderParser p, String raw) {
+    public void setHeaders(HttpURLConnection conn, HeaderParser p, String raw) {
         // no need to synchronize here:
         //   already locked by s.n.w.p.h.HttpURLConnection
         assert conn.isLockHeldByCurrentThread();
         conn.setAuthenticationProperty(getHeaderName(), getHeaderValue(null,null));
-        return true;
     }
 
     /**

src/java.base/share/classes/sun/net/www/protocol/http/DigestAuthentication.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 2024, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2025, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -321,7 +321,11 @@ public boolean supportsPreemptiveAuthorization() {
      */
     @Override
     public String getHeaderValue(URL url, String method) {
-        return getHeaderValueImpl(url.getFile(), method);
+        try {
+            return getHeaderValueImpl(url.getFile(), method);
+        } catch (IOException _) {
+            return null;
+        }
     }
 
     /**
@@ -339,7 +343,11 @@ public String getHeaderValue(URL url, String method) {
      * @return the value of the HTTP header this authentication wants set
      */
     String getHeaderValue(String requestURI, String method) {
-        return getHeaderValueImpl(requestURI, method);
+        try {
+            return getHeaderValueImpl(requestURI, method);
+        } catch (IOException _) {
+            return null;
+        }
     }
 
     /**
@@ -369,25 +377,26 @@ public boolean isAuthorizationStale (String header) {
      * @param conn The connection to apply the header(s) to
      * @param p A source of header values for this connection, if needed.
      * @param raw Raw header values for this connection, if needed.
-     * @return true if all goes well, false if no headers were set.
+     * @throws IOException if no headers were set
      */
     @Override
-    public boolean setHeaders(HttpURLConnection conn, HeaderParser p, String raw) {
+    public void setHeaders(HttpURLConnection conn, HeaderParser p, String raw)
+            throws IOException {
         // no need to synchronize here:
         //   already locked by s.n.w.p.h.HttpURLConnection
         assert conn.isLockHeldByCurrentThread();
 
         params.setNonce (p.findValue("nonce"));
         params.setOpaque (p.findValue("opaque"));
         params.setQop (p.findValue("qop"));
-        params.setUserhash (Boolean.valueOf(p.findValue("userhash")));
+        params.setUserhash (Boolean.parseBoolean(p.findValue("userhash")));
         String charset = p.findValue("charset");
         if (charset == null) {
             charset = "ISO_8859_1";
         } else if (!charset.equalsIgnoreCase("UTF-8")) {
             // UTF-8 is only valid value. ISO_8859_1 represents default behavior
             // when the parameter is not set.
-            return false;
+            throw new IOException("Illegal charset in header");
         }
         params.setCharset(charset.toUpperCase(Locale.ROOT));
 
@@ -405,7 +414,7 @@ public boolean setHeaders(HttpURLConnection conn, HeaderParser p, String raw) {
         }
 
         if (params.nonce == null || authMethod == null || pw == null || realm == null) {
-            return false;
+            throw new IOException("Server challenge incomplete");
         }
         if (authMethod.length() >= 1) {
             // Method seems to get converted to all lower case elsewhere.
@@ -415,8 +424,7 @@ public boolean setHeaders(HttpURLConnection conn, HeaderParser p, String raw) {
                         + authMethod.substring(1).toLowerCase(Locale.ROOT);
         }
 
-        if (!setAlgorithmNames(p, params))
-            return false;
+        setAlgorithmNames(p, params);
 
         // If authQop is true, then the server is doing RFC2617 and
         // has offered qop=auth. We do not support any other modes
@@ -426,20 +434,17 @@ public boolean setHeaders(HttpURLConnection conn, HeaderParser p, String raw) {
             params.setNewCnonce();
         }
 
-        String value = getHeaderValueImpl (uri, method);
-        if (value != null) {
-            conn.setAuthenticationProperty(getHeaderName(), value);
-            return true;
-        } else {
-            return false;
-        }
+        String value = getHeaderValueImpl(uri, method);
+        assert value != null;
+        conn.setAuthenticationProperty(getHeaderName(), value);
     }
 
     // Algorithm name is stored in two separate fields (of Paramaeters)
     // This allows for variations in digest algorithm name (aliases)
     // and also allow for the -sess variant defined in HTTP Digest protocol
-    // returns false if algorithm not supported
-    private static boolean setAlgorithmNames(HeaderParser p, Parameters params) {
+    // throws IOException if algorithm not supported
+    private static void setAlgorithmNames(HeaderParser p, Parameters params)
+            throws IOException {
         String algorithm = p.findValue("algorithm");
         String digestName = algorithm;
         if (algorithm == null || algorithm.isEmpty()) {
@@ -459,18 +464,17 @@ private static boolean setAlgorithmNames(HeaderParser p, Parameters params) {
         var oid = KnownOIDs.findMatch(digestName);
         if (oid == null) {
             log("unknown algorithm: " + algorithm);
-            return false;
+            throw new IOException("Unknown algorithm: " + algorithm);
         }
         digestName = oid.stdName();
         params.setAlgorithm (algorithm);
         params.setDigestName (digestName);
-        return true;
     }
 
     /* Calculate the Authorization header field given the request URI
      * and based on the authorization information in params
      */
-    private String getHeaderValueImpl (String uri, String method) {
+    private String getHeaderValueImpl (String uri, String method) throws IOException {
         String response;
         char[] passwd = pw.getPassword();
         boolean qop = params.authQop();
@@ -479,11 +483,7 @@ private String getHeaderValueImpl (String uri, String method) {
         String nonce = params.getNonce ();
         String algorithm = params.getAlgorithm ();
         String digest = params.getDigestName ();
-        try {
-            validateDigest(digest);
-        } catch (IOException e) {
-            return null;
-        }
+        validateDigest(digest);
         Charset charset = params.getCharset();
         boolean userhash = params.getUserhash ();
         params.incrementNC ();
@@ -505,7 +505,7 @@ private String getHeaderValueImpl (String uri, String method) {
                                         digest, session, charset);
         } catch (CharacterCodingException | NoSuchAlgorithmException ex) {
             log(ex.getMessage());
-            return null;
+            throw new IOException("Failed to compute digest", ex);
         }
 
         String ncfield = "\"";
@@ -534,7 +534,7 @@ private String getHeaderValueImpl (String uri, String method) {
             }
         } catch (CharacterCodingException | NoSuchAlgorithmException ex) {
             log(ex.getMessage());
-            return null;
+            throw new IOException("Failed to compute user hash", ex);
         }
 
         String value = authMethod

src/java.base/share/classes/sun/net/www/protocol/http/HttpURLConnection.java

@@ -61,6 +61,7 @@
 import java.util.StringJoiner;
 import jdk.internal.access.JavaNetHttpCookieAccess;
 import jdk.internal.access.SharedSecrets;
+import jdk.internal.util.Exceptions;
 import sun.net.NetProperties;
 import sun.net.NetworkClient;
 import sun.net.util.IPAddressUtil;
@@ -1469,16 +1470,29 @@ private InputStream getInputStream0() throws IOException {
                         /* in this case, only one header field will be present */
                         String raw = responses.findValue ("Proxy-Authenticate");
                         reset ();
-                        if (!proxyAuthentication.setHeaders(this,
-                                                        authhdr.headerParser(), raw)) {
+                        try {
+                            proxyAuthentication.setHeaders(this,
+                                    authhdr.headerParser(), raw);
+                        } catch (IOException ex) {
                             disconnectInternal();
-                            throw new IOException ("Authentication failure");
+                            if (Exceptions.enhancedNonSocketExceptions()) {
+                                throw new IOException ("Authentication failure", ex);
+                            } else {
+                                throw new IOException ("Authentication failure");
+                            }
                         }
-                        if (serverAuthentication != null && srvHdr != null &&
-                                !serverAuthentication.setHeaders(this,
-                                                        srvHdr.headerParser(), raw)) {
-                            disconnectInternal ();
-                            throw new IOException ("Authentication failure");
+                        if (serverAuthentication != null && srvHdr != null) {
+                            try {
+                                serverAuthentication.setHeaders(this,
+                                        srvHdr.headerParser(), raw);
+                            } catch (IOException ex) {
+                                disconnectInternal();
+                                if (Exceptions.enhancedNonSocketExceptions()) {
+                                    throw new IOException ("Authentication failure", ex);
+                                } else {
+                                    throw new IOException ("Authentication failure");
+                                }
+                            }
                         }
                         authObj = null;
                         doingNTLMp2ndStage = false;
@@ -1557,9 +1571,15 @@ private InputStream getInputStream0() throws IOException {
                     } else {
                         reset ();
                         /* header not used for ntlm */
-                        if (!serverAuthentication.setHeaders(this, null, raw)) {
+                        try {
+                            serverAuthentication.setHeaders(this, null, raw);
+                        } catch (IOException ex) {
                             disconnectWeb();
-                            throw new IOException ("Authentication failure");
+                            if (Exceptions.enhancedNonSocketExceptions()) {
+                                throw new IOException ("Authentication failure", ex);
+                            } else {
+                                throw new IOException ("Authentication failure");
+                            }
                         }
                         doingNTLM2ndStage = false;
                         authObj = null;
@@ -1935,10 +1955,16 @@ private void doTunneling0() throws IOException {
                     } else {
                         String raw = responses.findValue ("Proxy-Authenticate");
                         reset ();
-                        if (!proxyAuthentication.setHeaders(this,
-                                                authhdr.headerParser(), raw)) {
+                        try {
+                            proxyAuthentication.setHeaders(this,
+                                    authhdr.headerParser(), raw);
+                        } catch (IOException ex) {
                             disconnectInternal();
-                            throw new IOException ("Authentication failure");
+                            if (Exceptions.enhancedNonSocketExceptions()) {
+                                throw new IOException ("Authentication failure", ex);
+                            } else {
+                                throw new IOException ("Authentication failure");
+                            }
                         }
                         authObj = null;
                         doingNTLMp2ndStage = false;
@@ -2201,7 +2227,9 @@ yield new DigestAuthentication(true, host, port, realm,
                 };
             }
             if (ret != null) {
-                if (!ret.setHeaders(this, p, raw)) {
+                try {
+                    ret.setHeaders(this, p, raw);
+                } catch (IOException e) {
                     ret.disposeContext();
                     ret = null;
                 }
@@ -2358,7 +2386,9 @@ private AuthenticationInfo getServerAuthentication(AuthenticationHeader authhdr)
                 }
             }
             if (ret != null ) {
-                if (!ret.setHeaders(this, p, raw)) {
+                try {
+                    ret.setHeaders(this, p, raw);
+                } catch (IOException e) {
                     ret.disposeContext();
                     ret = null;
                 }

src/java.base/share/classes/sun/net/www/protocol/http/NegotiateAuthentication.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2005, 2024, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2005, 2025, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -168,29 +168,24 @@ public boolean isAuthorizationStale (String header) {
      * @param p A source of header values for this connection, not used because
      *          HeaderParser converts the fields to lower case, use raw instead
      * @param raw The raw header field.
-     * @return true if all goes well, false if no headers were set.
+     * @throws IOException if no headers were set
      */
     @Override
-    public boolean setHeaders(HttpURLConnection conn, HeaderParser p, String raw) {
+    public void setHeaders(HttpURLConnection conn, HeaderParser p, String raw) throws IOException {
         // no need to synchronize here:
         //   already locked by s.n.w.p.h.HttpURLConnection
         assert conn.isLockHeldByCurrentThread();
 
-        try {
-            String response;
-            byte[] incoming = null;
-            String[] parts = raw.split("\\s+");
-            if (parts.length > 1) {
-                incoming = Base64.getDecoder().decode(parts[1]);
-            }
-            response = hci.scheme + " " + Base64.getEncoder().encodeToString(
-                        incoming==null?firstToken():nextToken(incoming));
-
-            conn.setAuthenticationProperty(getHeaderName(), response);
-            return true;
-        } catch (IOException e) {
-            return false;
+        String response;
+        byte[] incoming = null;
+        String[] parts = raw.split("\\s+");
+        if (parts.length > 1) {
+            incoming = Base64.getDecoder().decode(parts[1]);
         }
+        response = hci.scheme + " " + Base64.getEncoder().encodeToString(
+                    incoming==null?firstToken():nextToken(incoming));
+
+        conn.setAuthenticationProperty(getHeaderName(), response);
     }
 
     /**