8263442: Potential bug in jdk.internal.net.http.common.Utils.CONTEXT_RESTRICTED #2977

Closed
wants to merge 6 commits into from

@Michael-Mc-Mahon Michael-Mc-Mahon commented Mar 12, 2021

Hi,

The fix for the reported bug in Utils.CONTEXT_RESTRICTED caused a couple of regression failures, which turned out to be another bug exposed by this fix where HTTP/1.1 CONNECT requests with authentication were filtering out proxy authentication headers wrongly. This was because the HttpRequestImpl created for the repeated CONNECT was putting the system headers in the user headers area of the HttpRequestImpl. The fix for that is to supply the user and system headers direct to the place where the new HttpRequestImpl is created.

Thanks
Michael


Progress

  • Change must not contain extraneous whitespace
  • Commit message must refer to an issue
  • Change must be properly reviewed

Issue

  • JDK-8263442: Potential bug in jdk.internal.net.http.common.Utils.CONTEXT_RESTRICTED

Reviewers

Download

To checkout this PR locally:
$ git fetch https://git.openjdk.java.net/jdk pull/2977/head:pull/2977
$ git checkout pull/2977

To update a local copy of the PR:
$ git checkout pull/2977
$ git pull https://git.openjdk.java.net/jdk pull/2977/head

bridgekeeper bot commented Mar 12, 2021

👋 Welcome back michaelm! A progress list of the required criteria for merging this PR into master will be added to the body of your pull request. There are additional pull request commands available for use with this pull request.

@openjdk openjdk bot added the rfr Pull request is ready for review label Mar 12, 2021

openjdk bot commented Mar 12, 2021

@Michael-Mc-Mahon The following label will be automatically applied to this pull request:

  • net

When this pull request is ready to be reviewed, an "RFR" email will be sent to the corresponding mailing list. If you would like to change these labels, use the /label pull request command.

@openjdk openjdk bot added the net net-dev@openjdk.org label Mar 12, 2021

mlbridge bot commented Mar 12, 2021

Webrevs

Comment on lines +56 to +57
if (reqh.containsKey("authorization")) {
e.sendResponseHeaders(500, -1);
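Review bot: at the `reqh.containsKey("authorization")` branch, the bare 500 gives the client side of the test nothing to tell "the header was not filtered" apart from any other server failure. A short comment on the branch stating that the request is expected to arrive without the header, or a status code used only for this case, would make a failing run easier to read.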
Member

@dfuch dfuch Mar 15, 2021

I am a bit concerned by that. It shows that without your fix preemptive authentication would have worked, as the server would have received the authorization header.

I did a bit of an experiment - and it seems that with proxy-authorization you would get an IOException (with or without your fix). So it seems that without your fix we are unwillingly currently supporting user preemptive authentication (for servers) in the presence of an authenticator, but not for proxies. With your fix, neither will be supported.

Is that the right thing to do?

Member Author

What I am seeing is that if no authenticator is set, whether the fix is present or not, an "Authorization" header is passed through, but a "Proxy-Authorization" header is filtered. So, that is a different issue. It probably is a bug though.

Member Author

I've updated the test to test the proxy authorization case

Member

Don't you need to set -Djdk.http.auth.proxying.disabledSchemes="" on the command line to have a chance that Proxy-Authorization will be forwarded?
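
A probe for the behaviour discussed in this review thread: whether a user-set `Authorization` header reaches the server with and without an `Authenticator` configured on the client. This is an added example, not part of the PR or its test; the class name `AuthHeaderProbe` and the credential values are constructed, and the output depends on the JDK build it is run on.

```java
import com.sun.net.httpserver.HttpServer;
import java.net.Authenticator;
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.net.PasswordAuthentication;
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.util.concurrent.atomic.AtomicReference;

public class AuthHeaderProbe {
    /** Returns the Authorization value the server received, or null if it never arrived. */
    static String probe(boolean withAuthenticator) throws Exception {
        AtomicReference<String> seen = new AtomicReference<>();
        InetAddress loopback = InetAddress.getLoopbackAddress(); // also valid on IPv6-only hosts
        HttpServer server = HttpServer.create(new InetSocketAddress(loopback, 0), 0);
        server.createContext("/", e -> {
            seen.set(e.getRequestHeaders().getFirst("Authorization"));
            e.sendResponseHeaders(200, -1); // -1: no response body
            e.close();
        });
        server.start();
        try {
            HttpClient.Builder builder = HttpClient.newBuilder()
                    .proxy(HttpClient.Builder.NO_PROXY); // never consult the default proxy selector
            if (withAuthenticator) {
                builder.authenticator(new Authenticator() {
                    @Override protected PasswordAuthentication getPasswordAuthentication() {
                        return new PasswordAuthentication("user", "constructed".toCharArray());
                    }
                });
            }
            URI uri = new URI("http", null, loopback.getHostAddress(),
                    server.getAddress().getPort(), "/", null, null);
            HttpRequest request = HttpRequest.newBuilder(uri)
                    .header("Authorization", "Basic Y29uc3RydWN0ZWQ=") // constructed placeholder
                    .build();
            builder.build().send(request, HttpResponse.BodyHandlers.discarding());
            return seen.get();
        } finally {
            server.stop(0);
        }
    }
    public static void main(String[] args) throws Exception {
        System.out.println("no authenticator:   " + probe(false));
        System.out.println("with authenticator: " + probe(true));
    }
}
```

A `null` on the second line means the client dropped the user-supplied header before sending the request.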

openjdk bot commented Mar 23, 2021

@Michael-Mc-Mahon This change now passes all automated pre-integration checks.

ℹ️ This project also has non-automated pre-integration requirements. Please see the file CONTRIBUTING.md for details.

After integration, the commit message for the final commit will be:

8263442: Potential bug in jdk.internal.net.http.common.Utils.CONTEXT_RESTRICTED

Reviewed-by: dfuchs

You can use pull request commands such as /summary, /contributor and /issue to adjust it as needed.

At the time when this comment was updated there had been 77 new commits pushed to the master branch:

  • 5bc382f: 8263976: Remove block allocation from BasicHashtable
  • fbd57bd: 8263260: [s390] Support latest hardware (z14 and z15)
  • de2ff25: 8263974: Move SystemDictionary::verify_protection_domain
  • 9dad857: 8263080: Obsolete relationship in MulticastSocket API documentation.
  • 851474a: 8263649: AArch64: update cas.m4 to match current AD file
  • fd3a33a: 8263189: C2: assert(!had_error) failed: bad dominance
  • 7b81f8e: 8263915: runtime/cds/appcds/MismatchedPathTriggerMemoryRelease.java fails when UseCompressedClassPointers is off
  • 2da882c: 8262465: Very long compilation times and high memory consumption in C2 debug builds
  • 0b03d04: 8167015: compiler/codecache/jmx/PoolsIndependenceTest.java timeout
  • df01b15: 8263977: GTK L&F: Cleanup duplicate checks in GTKStyle and GTKLookAndFeel
  • ... and 67 more: https://git.openjdk.java.net/jdk/compare/ff52f2989fd60ec8251eaf76f4c4b78f10d3e048...master

As there are no conflicts, your changes will automatically be rebased on top of these commits when integrating. If you prefer to avoid this automatic rebasing, please check the documentation for the /integrate command for further details.

➡️ To integrate this PR with the above commit message to the master branch, type /integrate in a new comment.

@openjdk openjdk bot added the ready Pull request is ready to be integrated label Mar 23, 2021

if (useProxy) {
builder.proxy(ProxySelector.of(proxyAddr));
}
Member

@dfuch dfuch Mar 23, 2021

You should probably set NO_PROXY otherwise to avoid the default proxy selector on mac.

Member Author

For the non-proxy case? Good idea.

Regarding the question above about the -Djdk.http.auth.proxying.disabledSchemes="" setting: the test fails for both server and proxy auth without this change (and without having to set that property).

String authHdr;
if (useProxy) {
proxy = new ProxyServer();
proxyAddr = new InetSocketAddress("127.0.0.1", proxy.getPort());
Member

Maybe the test should be guarded in case the machine is IPv6 only

Member Author

Okay, will fix that too.

@Michael-Mc-Mahon
Member Author

/integrate

@openjdk openjdk bot closed this Mar 23, 2021
@openjdk openjdk bot added integrated Pull request has been integrated and removed ready Pull request is ready to be integrated rfr Pull request is ready for review labels Mar 23, 2021

openjdk bot commented Mar 23, 2021

@Michael-Mc-Mahon Since your change was applied there have been 79 commits pushed to the master branch:

  • 2335362: 8264032: Improve thread safety of Runtime.version()
  • 8c1ab38: 8263766: Confusing specification of JEditorPaneAccessibleHypertextSupport constructor
  • 5bc382f: 8263976: Remove block allocation from BasicHashtable
  • fbd57bd: 8263260: [s390] Support latest hardware (z14 and z15)
  • de2ff25: 8263974: Move SystemDictionary::verify_protection_domain
  • 9dad857: 8263080: Obsolete relationship in MulticastSocket API documentation.
  • 851474a: 8263649: AArch64: update cas.m4 to match current AD file
  • fd3a33a: 8263189: C2: assert(!had_error) failed: bad dominance
  • 7b81f8e: 8263915: runtime/cds/appcds/MismatchedPathTriggerMemoryRelease.java fails when UseCompressedClassPointers is off
  • 2da882c: 8262465: Very long compilation times and high memory consumption in C2 debug builds
  • ... and 69 more: https://git.openjdk.java.net/jdk/compare/ff52f2989fd60ec8251eaf76f4c4b78f10d3e048...master

Your commit was automatically rebased without conflicts.

Pushed as commit bd7a184.

💡 You may see a message that your pull request was closed with unmerged commits. This can be safely ignored.

@Michael-Mc-Mahon Michael-Mc-Mahon deleted the 8263442 branch March 23, 2021 13:38