Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

8263442: Potential bug in jdk.internal.net.http.common.Utils.CONTEXT_RESTRICTED #2977

Closed
wants to merge 6 commits into from

Conversation

@Michael-Mc-Mahon
Copy link
Member

@Michael-Mc-Mahon Michael-Mc-Mahon commented Mar 12, 2021

Hi,

The fix for the reported bug in Utils.CONTEXT_RESTRICTED caused a couple of regression failures, which turned out to be another bug exposed by this fix where HTTP/1.1 CONNECT requests with authentication were filtering out proxy authentication headers wrongly. This was because the HttpRequestImpl created for the repeated CONNECT was putting the system headers in the user headers area of the HttpRequestImpl. The fix for that is to supply the user and system headers direct to the place where the new HttpRequestImpl is created.

Thanks
Michael


Progress

  • Change must not contain extraneous whitespace
  • Commit message must refer to an issue
  • Change must be properly reviewed

Issue

  • JDK-8263442: Potential bug in jdk.internal.net.http.common.Utils.CONTEXT_RESTRICTED

Reviewers

Download

To checkout this PR locally:
$ git fetch https://git.openjdk.java.net/jdk pull/2977/head:pull/2977
$ git checkout pull/2977

To update a local copy of the PR:
$ git checkout pull/2977
$ git pull https://git.openjdk.java.net/jdk pull/2977/head

@bridgekeeper
Copy link

@bridgekeeper bridgekeeper bot commented Mar 12, 2021

👋 Welcome back michaelm! A progress list of the required criteria for merging this PR into master will be added to the body of your pull request. There are additional pull request commands available for use with this pull request.

@openjdk openjdk bot added the rfr label Mar 12, 2021
@openjdk
Copy link

@openjdk openjdk bot commented Mar 12, 2021

@Michael-Mc-Mahon The following label will be automatically applied to this pull request:

  • net

When this pull request is ready to be reviewed, an "RFR" email will be sent to the corresponding mailing list. If you would like to change these labels, use the /label pull request command.

@openjdk openjdk bot added the net label Mar 12, 2021
@mlbridge
Copy link

@mlbridge mlbridge bot commented Mar 12, 2021

if (reqh.containsKey("authorization")) {
e.sendResponseHeaders(500, -1);
Copy link
Member

@dfuch dfuch Mar 15, 2021

I am a bit concerned by that. It shows that without your fix preemptive authentication would have worked, as the server would have received the authorization header.

I did a bit of an experiment - and it seems that with proxy-authorization you would get an IOException (with or without your fix). So it seems that without your fix we are unwillingly currently supporting user preemptive authentication (for servers) in the presence of an authenticator, but not for proxies. With your fix, neither will be supported.

Is that the right thing to do?

Copy link
Member Author

@Michael-Mc-Mahon Michael-Mc-Mahon Mar 15, 2021

What I am seeing is that if no authenticator set, whether the fix is present or not, an "Authorization" header is passed through, but a "Proxy-Authorization" header is filtered. So, that is a different issue. It probably is a bug though.

Copy link
Member Author

@Michael-Mc-Mahon Michael-Mc-Mahon Mar 22, 2021

I've updated the test to test the proxy authorization case

Copy link
Member

@dfuch dfuch Mar 23, 2021

Don't you need to set -Djdk.http.auth.proxying.disabledSchemes="" on the command line to have a chance that Proxy-Authorization will be forwarded?

dfuch
dfuch approved these changes Mar 23, 2021
if (reqh.containsKey("authorization")) {
e.sendResponseHeaders(500, -1);
Copy link
Member

@dfuch dfuch Mar 23, 2021

Don't you need to set -Djdk.http.auth.proxying.disabledSchemes="" on the command line to have a chance that Proxy-Authorization will be forwarded?

@openjdk
Copy link

@openjdk openjdk bot commented Mar 23, 2021

@Michael-Mc-Mahon This change now passes all automated pre-integration checks.

ℹ️ This project also has non-automated pre-integration requirements. Please see the file CONTRIBUTING.md for details.

After integration, the commit message for the final commit will be:

8263442: Potential bug in jdk.internal.net.http.common.Utils.CONTEXT_RESTRICTED

Reviewed-by: dfuchs

You can use pull request commands such as /summary, /contributor and /issue to adjust it as needed.

At the time when this comment was updated there had been 77 new commits pushed to the master branch:

  • 5bc382f: 8263976: Remove block allocation from BasicHashtable
  • fbd57bd: 8263260: [s390] Support latest hardware (z14 and z15)
  • de2ff25: 8263974: Move SystemDictionary::verify_protection_domain
  • 9dad857: 8263080: Obsolete relationship in MulticastSocket API documentation.
  • 851474a: 8263649: AArch64: update cas.m4 to match current AD file
  • fd3a33a: 8263189: C2: assert(!had_error) failed: bad dominance
  • 7b81f8e: 8263915: runtime/cds/appcds/MismatchedPathTriggerMemoryRelease.java fails when UseCompressedClassPointers is off
  • 2da882c: 8262465: Very long compilation times and high memory consumption in C2 debug builds
  • 0b03d04: 8167015: compiler/codecache/jmx/PoolsIndependenceTest.java timeout
  • df01b15: 8263977: GTK L&F: Cleanup duplicate checks in GTKStyle and GTKLookAndFeel
  • ... and 67 more: https://git.openjdk.java.net/jdk/compare/ff52f2989fd60ec8251eaf76f4c4b78f10d3e048...master

As there are no conflicts, your changes will automatically be rebased on top of these commits when integrating. If you prefer to avoid this automatic rebasing, please check the documentation for the /integrate command for further details.

➡️ To integrate this PR with the above commit message to the master branch, type /integrate in a new comment.

@openjdk openjdk bot added the ready label Mar 23, 2021

if (useProxy) {
builder.proxy(ProxySelector.of(proxyAddr));
}
Copy link
Member

@dfuch dfuch Mar 23, 2021

You should probably set NO_PROXY otherwise to avoid the default proxy selector on mac.

Copy link
Member Author

@Michael-Mc-Mahon Michael-Mc-Mahon Mar 23, 2021

For the non-proxy case? Good idea.

Regarding the question above about the -Djdk.http.auth.proxying.disabledSchemes="" setting. The test fails for both server and proxy auth without this change (and without having to set that property).

String authHdr;
if (useProxy) {
proxy = new ProxyServer();
proxyAddr = new InetSocketAddress("127.0.0.1", proxy.getPort());
Copy link
Member

@dfuch dfuch Mar 23, 2021

Maybe the test should be guarded in case the machine is IPv6 only

Copy link
Member Author

@Michael-Mc-Mahon Michael-Mc-Mahon Mar 23, 2021

Okay, will fix that too.

@Michael-Mc-Mahon
Copy link
Member Author

@Michael-Mc-Mahon Michael-Mc-Mahon commented Mar 23, 2021

/integrate

@openjdk openjdk bot closed this Mar 23, 2021
@openjdk openjdk bot added integrated and removed ready rfr labels Mar 23, 2021
@openjdk
Copy link

@openjdk openjdk bot commented Mar 23, 2021

@Michael-Mc-Mahon Since your change was applied there have been 79 commits pushed to the master branch:

  • 2335362: 8264032: Improve thread safety of Runtime.version()
  • 8c1ab38: 8263766: Confusing specification of JEditorPaneAccessibleHypertextSupport constructor
  • 5bc382f: 8263976: Remove block allocation from BasicHashtable
  • fbd57bd: 8263260: [s390] Support latest hardware (z14 and z15)
  • de2ff25: 8263974: Move SystemDictionary::verify_protection_domain
  • 9dad857: 8263080: Obsolete relationship in MulticastSocket API documentation.
  • 851474a: 8263649: AArch64: update cas.m4 to match current AD file
  • fd3a33a: 8263189: C2: assert(!had_error) failed: bad dominance
  • 7b81f8e: 8263915: runtime/cds/appcds/MismatchedPathTriggerMemoryRelease.java fails when UseCompressedClassPointers is off
  • 2da882c: 8262465: Very long compilation times and high memory consumption in C2 debug builds
  • ... and 69 more: https://git.openjdk.java.net/jdk/compare/ff52f2989fd60ec8251eaf76f4c4b78f10d3e048...master

Your commit was automatically rebased without conflicts.

Pushed as commit bd7a184.

💡 You may see a message that your pull request was closed with unmerged commits. This can be safely ignored.

@Michael-Mc-Mahon Michael-Mc-Mahon deleted the 8263442 branch Mar 23, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
2 participants