# HG changeset patch # User dfuchs # Date 1517415521 0 # Node ID 352e845ae74427194b61bf5e9e0d8a3db7581a6e # Parent 8588095e95b0539082cbc22926cb25ba84b28246 http-client-branch: honor legacy jdk.http.auth.* property when handling proxy-authorization diff -r 8588095e95b0 -r 352e845ae744 src/jdk.incubator.httpclient/share/classes/jdk/incubator/http/AuthenticationFilter.java --- a/src/jdk.incubator.httpclient/share/classes/jdk/incubator/http/AuthenticationFilter.java Wed Jan 31 15:52:35 2018 +0000 +++ b/src/jdk.incubator.httpclient/share/classes/jdk/incubator/http/AuthenticationFilter.java Wed Jan 31 16:18:41 2018 +0000 @@ -34,8 +34,11 @@ import java.net.URL; import java.util.Base64; import java.util.LinkedList; +import java.util.List; import java.util.Objects; import java.util.WeakHashMap; + +import jdk.incubator.http.internal.common.Log; import jdk.incubator.http.internal.common.Utils; import static java.net.Authenticator.RequestorType.PROXY; import static java.net.Authenticator.RequestorType.SERVER; @@ -56,6 +59,10 @@ static final int UNAUTHORIZED = 401; static final int PROXY_UNAUTHORIZED = 407; + private static final List BASIC_DUMMY = + List.of("Basic " + Base64.getEncoder() + .encodeToString("o:o".getBytes(ISO_8859_1))); + // A public no-arg constructor is required by FilterFactory public AuthenticationFilter() {} @@ -157,6 +164,21 @@ sb.append(pw.getUserName()).append(':').append(pw.getPassword()); String s = encoder.encodeToString(sb.toString().getBytes(ISO_8859_1)); String value = "Basic " + s; + if (proxy) { + if (r.isConnect()) { + if (!Utils.PROXY_TUNNEL_FILTER + .test(hdrname, List.of(value))) { + Log.logError("{0} disabled", hdrname); + return; + } + } else if (r.proxy() != null) { + if (!Utils.PROXY_FILTER + .test(hdrname, List.of(value))) { + Log.logError("{0} disabled", hdrname); + return; + } + } + } r.setSystemHeader(hdrname, value); } @@ -232,6 +254,22 @@ return null; // error gets returned to app } + if (proxy) { + if (r.isConnectResponse) { + if (!Utils.PROXY_TUNNEL_FILTER + .test("Proxy-Authorization", BASIC_DUMMY)) { + Log.logError("{0} disabled", "Proxy-Authorization"); + return null; + } + } else if (req.proxy() != null) { + if (!Utils.PROXY_FILTER + .test("Proxy-Authorization", BASIC_DUMMY)) { + Log.logError("{0} disabled", "Proxy-Authorization"); + return null; + } + } + } + AuthInfo au = proxy ? exchange.proxyauth : exchange.serverauth; if (au == null) { // if no authenticator, let the user deal with 407/401 diff -r 8588095e95b0 -r 352e845ae744 src/jdk.incubator.httpclient/share/classes/jdk/incubator/http/Exchange.java --- a/src/jdk.incubator.httpclient/share/classes/jdk/incubator/http/Exchange.java Wed Jan 31 15:52:35 2018 +0000 +++ b/src/jdk.incubator.httpclient/share/classes/jdk/incubator/http/Exchange.java Wed Jan 31 16:18:41 2018 +0000 @@ -308,7 +308,8 @@ bodyIgnored = MinimalFuture.completedFuture(null); Response proxyResponse = ((ProxyAuthenticationRequired)t).proxyResponse; Response syntheticResponse = new Response(request, this, - proxyResponse.headers, proxyResponse.statusCode, proxyResponse.version); + proxyResponse.headers, proxyResponse.statusCode, + proxyResponse.version, true); return MinimalFuture.completedFuture(syntheticResponse); } else if (t != null) { return MinimalFuture.failedFuture(t); diff -r 8588095e95b0 -r 352e845ae744 src/jdk.incubator.httpclient/share/classes/jdk/incubator/http/Http1Request.java --- a/src/jdk.incubator.httpclient/share/classes/jdk/incubator/http/Http1Request.java Wed Jan 31 15:52:35 2018 +0000 +++ b/src/jdk.incubator.httpclient/share/classes/jdk/incubator/http/Http1Request.java Wed Jan 31 16:18:41 2018 +0000 @@ -35,8 +35,7 @@ import java.net.InetSocketAddress; import java.util.Objects; import java.util.concurrent.Flow; -import java.util.function.Predicate; - +import java.util.function.BiPredicate; import jdk.incubator.http.Http1Exchange.Http1BodySubscriber; import jdk.incubator.http.internal.common.HttpHeadersImpl; import jdk.incubator.http.internal.common.Log; @@ -82,9 +81,10 @@ } } + private void collectHeaders0(StringBuilder sb) { - Predicate filter = connection.isTunnel() - ? Utils.NO_PROXY_HEADER : Utils.ALL_HEADERS; + BiPredicate> filter = + connection.headerFilter(request); // If we're sending this request through a tunnel, // then don't send any preemptive proxy-* headers that @@ -99,11 +99,12 @@ sb.append("\r\n"); } - private void collectHeaders1(StringBuilder sb, HttpHeaders headers, Predicate filter) { + private void collectHeaders1(StringBuilder sb, HttpHeaders headers, + BiPredicate> filter) { for (Map.Entry> entry : headers.map().entrySet()) { String key = entry.getKey(); - if (!filter.test(key)) continue; List values = entry.getValue(); + if (!filter.test(key, values)) continue; for (String value : values) { sb.append(key).append(": ").append(value).append("\r\n"); } diff -r 8588095e95b0 -r 352e845ae744 src/jdk.incubator.httpclient/share/classes/jdk/incubator/http/HttpConnection.java --- a/src/jdk.incubator.httpclient/share/classes/jdk/incubator/http/HttpConnection.java Wed Jan 31 15:52:35 2018 +0000 +++ b/src/jdk.incubator.httpclient/share/classes/jdk/incubator/http/HttpConnection.java Wed Jan 31 16:18:41 2018 +0000 @@ -40,6 +40,7 @@ import java.util.concurrent.CompletionStage; import java.util.concurrent.ConcurrentLinkedDeque; import java.util.concurrent.Flow; +import java.util.function.BiPredicate; import java.util.function.Predicate; import jdk.incubator.http.HttpClient.Version; import jdk.incubator.http.internal.common.Demand; @@ -218,20 +219,68 @@ HttpClientImpl client) { if (proxy != null) return new AsyncSSLTunnelConnection(addr, client, alpn, proxy, - proxyHeaders(request)); + proxyTunnelHeaders(request)); else return new AsyncSSLConnection(addr, client, alpn); } + /** + * This method is used to build a filter that will accept or + * veto (header-name, value) tuple for transmission on the + * wire. + * The filter is applied to the headers when sending the headers + * to the remote party. + * Which tuple is accepted/vetoed depends on: + * 
+     *    - whether the connection is a tunnel connection
+     *      [talking to a server through a proxy tunnel]
+     *    - whether the method is CONNECT
+     *      [establishing a CONNECT tunnel through a proxy]
+     *    - whether the request is using a proxy
+     *      (and the connection is not a tunnel)
+     *      [talking to a server through a proxy]
+     *    - whether the request is a direct connection to
+     *      a server (no tunnel, no proxy).
+     *
+ * @param request + * @return + */ + BiPredicate> headerFilter(HttpRequestImpl request) { + if (isTunnel()) { + // talking to a server through a proxy tunnel + // don't send proxy-* headers to a plain server + assert !request.isConnect(); + return Utils.NO_PROXY_HEADERS_FILTER; + } else if (request.isConnect()) { + // establishing a proxy tunnel + // check for proxy tunnel disabled schemes + // assert !this.isTunnel(); + assert request.proxy() == null; + return Utils.PROXY_TUNNEL_FILTER; + } else if (request.proxy() != null) { + // talking to a server through a proxy (no tunnel) + // check for proxy disabled schemes + // assert !isTunnel() && !request.isConnect(); + return Utils.PROXY_FILTER; + } else { + // talking to a server directly (no tunnel, no proxy) + // don't send proxy-* headers to a plain server + // assert request.proxy() == null && !request.isConnect(); + return Utils.NO_PROXY_HEADERS_FILTER; + } + } + // Composes a new immutable HttpHeaders that combines the // user and system header but only keeps those headers that // start with "proxy-" - private static HttpHeaders proxyHeaders(HttpRequestImpl request) { + private static HttpHeaders proxyTunnelHeaders(HttpRequestImpl request) { Map> combined = new TreeMap<>(String.CASE_INSENSITIVE_ORDER); combined.putAll(request.getSystemHeaders().map()); combined.putAll(request.headers().map()); // let user override system - // keep only proxy-* - return ImmutableHeaders.of(combined, Utils.IS_PROXY_HEADER); + + // keep only proxy-* - and also strip authorization headers + // for disabled schemes + return ImmutableHeaders.of(combined, Utils.PROXY_TUNNEL_FILTER); } /* Returns either a plain HTTP connection or a plain tunnelling connection @@ -242,7 +291,7 @@ HttpClientImpl client) { if (request.isWebSocket() && proxy != null) return new PlainTunnelingConnection(addr, proxy, client, - proxyHeaders(request)); + proxyTunnelHeaders(request)); if (proxy == null) return new PlainHttpConnection(addr, client); diff -r 8588095e95b0 -r 352e845ae744 src/jdk.incubator.httpclient/share/classes/jdk/incubator/http/HttpRequestImpl.java --- a/src/jdk.incubator.httpclient/share/classes/jdk/incubator/http/HttpRequestImpl.java Wed Jan 31 15:52:35 2018 +0000 +++ b/src/jdk.incubator.httpclient/share/classes/jdk/incubator/http/HttpRequestImpl.java Wed Jan 31 16:18:41 2018 +0000 @@ -165,6 +165,10 @@ this.version = Optional.of(HttpClient.Version.HTTP_1_1); } + final boolean isConnect() { + return "CONNECT".equalsIgnoreCase(method); + } + /** * Creates a HttpRequestImpl from the given set of Headers and the associated * "parent" request. Fields not taken from the headers are taken from the diff -r 8588095e95b0 -r 352e845ae744 src/jdk.incubator.httpclient/share/classes/jdk/incubator/http/ImmutableHeaders.java --- a/src/jdk.incubator.httpclient/share/classes/jdk/incubator/http/ImmutableHeaders.java Wed Jan 31 15:52:35 2018 +0000 +++ b/src/jdk.incubator.httpclient/share/classes/jdk/incubator/http/ImmutableHeaders.java Wed Jan 31 16:18:41 2018 +0000 @@ -29,6 +29,7 @@ import java.util.List; import java.util.Map; import java.util.TreeMap; +import java.util.function.BiPredicate; import java.util.function.Predicate; import static java.util.Collections.emptyMap; import static java.util.Collections.unmodifiableList; @@ -57,14 +58,21 @@ Predicate keyAllowed) { requireNonNull(src, "src"); requireNonNull(keyAllowed, "keyAllowed"); - return new ImmutableHeaders(src, keyAllowed); + return new ImmutableHeaders(src, headerAllowed(keyAllowed)); + } + + public static ImmutableHeaders of(Map> src, + BiPredicate> headerAllowed) { + requireNonNull(src, "src"); + requireNonNull(headerAllowed, "headerAllowed"); + return new ImmutableHeaders(src, headerAllowed); } private ImmutableHeaders(Map> src, - Predicate keyAllowed) { + BiPredicate> headerAllowed) { Map> m = new TreeMap<>(String.CASE_INSENSITIVE_ORDER); src.entrySet().stream() - .filter(e -> keyAllowed.test(e.getKey())) + .filter(e -> headerAllowed.test(e.getKey(), e.getValue())) .forEach(e -> { List values = new ArrayList<>(e.getValue()); @@ -74,6 +82,10 @@ this.map = unmodifiableMap(m); } + private static BiPredicate> headerAllowed(Predicate keyAllowed) { + return (n,v) -> keyAllowed.test(n); + } + @Override public Map> map() { return map; diff -r 8588095e95b0 -r 352e845ae744 src/jdk.incubator.httpclient/share/classes/jdk/incubator/http/Response.java --- a/src/jdk.incubator.httpclient/share/classes/jdk/incubator/http/Response.java Wed Jan 31 15:52:35 2018 +0000 +++ b/src/jdk.incubator.httpclient/share/classes/jdk/incubator/http/Response.java Wed Jan 31 16:18:41 2018 +0000 @@ -36,17 +36,29 @@ final HttpRequestImpl request; final Exchange exchange; final HttpClient.Version version; + final boolean isConnectResponse; Response(HttpRequestImpl req, Exchange exchange, HttpHeaders headers, int statusCode, HttpClient.Version version) { + this(req, exchange, headers, statusCode, version, + "CONNECT".equalsIgnoreCase(req.method())); + } + + Response(HttpRequestImpl req, + Exchange exchange, + HttpHeaders headers, + int statusCode, + HttpClient.Version version, + boolean isConnectResponse) { this.headers = headers; this.request = req; this.version = version; this.exchange = exchange; this.statusCode = statusCode; + this.isConnectResponse = isConnectResponse; } HttpRequestImpl request() { diff -r 8588095e95b0 -r 352e845ae744 src/jdk.incubator.httpclient/share/classes/jdk/incubator/http/Stream.java --- a/src/jdk.incubator.httpclient/share/classes/jdk/incubator/http/Stream.java Wed Jan 31 15:52:35 2018 +0000 +++ b/src/jdk.incubator.httpclient/share/classes/jdk/incubator/http/Stream.java Wed Jan 31 16:18:41 2018 +0000 @@ -32,7 +32,6 @@ import java.util.ArrayList; import java.util.Collections; import java.util.List; -import java.util.Optional; import java.util.concurrent.CompletableFuture; import java.util.concurrent.ConcurrentLinkedDeque; import java.util.concurrent.ConcurrentLinkedQueue; @@ -40,6 +39,7 @@ import java.util.concurrent.Flow; import java.util.concurrent.Flow.Subscription; import java.util.concurrent.atomic.AtomicReference; +import java.util.function.BiPredicate; import jdk.incubator.http.HttpResponse.BodySubscriber; import jdk.incubator.http.internal.common.*; import jdk.incubator.http.internal.frame.*; @@ -491,16 +491,45 @@ return f; } + private boolean hasProxyAuthorization(HttpHeaders headers) { + return headers.firstValue("proxy-authorization") + .isPresent(); + } + + // Determines whether we need to build a new HttpHeader object. + // + // Ideally we should pass the filter to OutgoingHeaders refactor the + // code that creates the HeaderFrame to honor the filter. + // We're not there yet - so depending on the filter we need to + // apply and the content of the header we will try to determine + // whether anything might need to be filtered. + // If nothing needs filtering then we can just use the + // original headers. + private boolean needsFiltering(HttpHeaders headers, + BiPredicate> filter) { + if (filter == Utils.PROXY_TUNNEL_FILTER || filter == Utils.PROXY_FILTER) { + // we're either connecting or proxying + // slight optimization: we only need to filter out + // disabled schemes, so if there are none just + // pass through. + return Utils.proxyHasDisabledSchemes(filter == Utils.PROXY_TUNNEL_FILTER) + && hasProxyAuthorization(headers); + } else { + // we're talking to a server, either directly or through + // a tunnel. + // Slight optimization: we only need to filter out + // proxy authorization headers, so if there are none just + // pass through. + return hasProxyAuthorization(headers); + } + } + private HttpHeaders filter(HttpHeaders headers) { - if (connection().isTunnel()) { - boolean needsFiltering = headers - .firstValue("proxy-authorization") - .isPresent(); - // don't send proxy-* headers to the target server. - if (needsFiltering) { - return ImmutableHeaders.of(headers.map(), - Utils.NO_PROXY_HEADER); - } + HttpConnection conn = connection(); + BiPredicate> filter = + conn.headerFilter(request); + if (needsFiltering(headers, filter)) { + return ImmutableHeaders.of(headers.map(), filter); } return headers; } diff -r 8588095e95b0 -r 352e845ae744 src/jdk.incubator.httpclient/share/classes/jdk/incubator/http/internal/common/Utils.java --- a/src/jdk.incubator.httpclient/share/classes/jdk/incubator/http/internal/common/Utils.java Wed Jan 31 15:52:35 2018 +0000 +++ b/src/jdk.incubator.httpclient/share/classes/jdk/incubator/http/internal/common/Utils.java Wed Jan 31 16:18:41 2018 +0000 @@ -55,8 +55,10 @@ import java.util.TreeSet; import java.util.concurrent.CompletionException; import java.util.concurrent.ExecutionException; +import java.util.function.BiPredicate; import java.util.function.Predicate; import java.util.function.Supplier; +import java.util.stream.Collectors; import java.util.stream.Stream; import static java.util.stream.Collectors.joining; @@ -110,11 +112,80 @@ public static final Predicate ALLOWED_HEADERS = header -> !DISALLOWED_HEADERS_SET.contains(header); - public static final Predicate IS_PROXY_HEADER = (k) -> + private static final Predicate IS_PROXY_HEADER = (k) -> k != null && k.length() > 6 && "proxy-".equalsIgnoreCase(k.substring(0,6)); - public static final Predicate NO_PROXY_HEADER = + private static final Predicate NO_PROXY_HEADER = IS_PROXY_HEADER.negate(); - public static final Predicate ALL_HEADERS = (s) -> true; + private static final Predicate ALL_HEADERS = (s) -> true; + + private static final Set PROXY_AUTH_DISABLED_SCHEMES; + private static final Set PROXY_AUTH_TUNNEL_DISABLED_SCHEMES; + static { + String proxyAuthDisabled = + getNetProperty("jdk.http.auth.proxying.disabledSchemes"); + String proxyAuthTunnelDisabled = + getNetProperty("jdk.http.auth.tunneling.disabledSchemes"); + PROXY_AUTH_DISABLED_SCHEMES = + proxyAuthDisabled == null ? Set.of() : + Stream.of(proxyAuthDisabled.split(",")) + .map(String::trim) + .filter((s) -> !s.isEmpty()) + .collect(Collectors.toUnmodifiableSet()); + PROXY_AUTH_TUNNEL_DISABLED_SCHEMES = + proxyAuthTunnelDisabled == null ? Set.of() : + Stream.of(proxyAuthTunnelDisabled.split(",")) + .map(String::trim) + .filter((s) -> !s.isEmpty()) + .collect(Collectors.toUnmodifiableSet()); + } + + private static final String WSPACES = " \t\r\n"; + private static final boolean isAllowedForProxy(String name, + List value, + Set disabledSchemes, + Predicate allowedKeys) { + if (!allowedKeys.test(name)) return false; + if (disabledSchemes.isEmpty()) return true; + if (name.equalsIgnoreCase("proxy-authorization")) { + if (value.isEmpty()) return false; + for (String scheme : disabledSchemes) { + int slen = scheme.length(); + for (String v : value) { + int vlen = v.length(); + if (vlen == slen) { + if (v.equalsIgnoreCase(scheme)) { + return false; + } + } else if (vlen > slen) { + if (v.substring(0,slen).equalsIgnoreCase(scheme)) { + int c = v.codePointAt(slen); + if (WSPACES.indexOf(c) > -1 + || Character.isSpaceChar(c) + || Character.isWhitespace(c)) { + return false; + } + } + } + } + } + } + return true; + } + + public static final BiPredicate> PROXY_TUNNEL_FILTER = + (s,v) -> isAllowedForProxy(s, v, PROXY_AUTH_TUNNEL_DISABLED_SCHEMES, + IS_PROXY_HEADER); + public static final BiPredicate> PROXY_FILTER = + (s,v) -> isAllowedForProxy(s, v, PROXY_AUTH_DISABLED_SCHEMES, + ALL_HEADERS); + public static final BiPredicate> NO_PROXY_HEADERS_FILTER = + (n,v) -> Utils.NO_PROXY_HEADER.test(n); + + + public static boolean proxyHasDisabledSchemes(boolean tunnel) { + return tunnel ? ! PROXY_AUTH_TUNNEL_DISABLED_SCHEMES.isEmpty() + : ! PROXY_AUTH_DISABLED_SCHEMES.isEmpty(); + } public static ByteBuffer getBuffer() { return ByteBuffer.allocate(BUFSIZE); diff -r 8588095e95b0 -r 352e845ae744 test/jdk/java/net/httpclient/DigestEchoClient.java --- a/test/jdk/java/net/httpclient/DigestEchoClient.java Wed Jan 31 15:52:35 2018 +0000 +++ b/test/jdk/java/net/httpclient/DigestEchoClient.java Wed Jan 31 16:18:41 2018 +0000 @@ -50,6 +50,7 @@ import jdk.incubator.http.HttpRequest; import jdk.incubator.http.HttpResponse; import jdk.testlibrary.SimpleSSLContext; +import sun.net.NetProperties; import sun.net.www.HeaderParser; import static java.lang.System.out; import static java.lang.String.format; @@ -64,7 +65,11 @@ * @build jdk.testlibrary.SimpleSSLContext DigestEchoServer DigestEchoClient * @modules jdk.incubator.httpclient * java.base/sun.net.www + * java.base/sun.net * @run main/othervm DigestEchoClient + * @run main/othervm -Djdk.http.auth.proxying.disabledSchemes= + * -Djdk.http.auth.tunneling.disabledSchemes= + * DigestEchoClient */ public class DigestEchoClient { @@ -137,6 +142,14 @@ private static final ConcurrentMap servers = new ConcurrentHashMap<>(); } + final static String PROXY_DISABLED = NetProperties.get("jdk.http.auth.proxying.disabledSchemes"); + final static String TUNNEL_DISABLED = NetProperties.get("jdk.http.auth.tunneling.disabledSchemes"); + static { + System.out.println("jdk.http.auth.proxying.disabledSchemes=" + PROXY_DISABLED); + System.out.println("jdk.http.auth.tunneling.disabledSchemes=" + TUNNEL_DISABLED); + } + + static final AtomicInteger NC = new AtomicInteger(); static final Random random = new Random(); @@ -266,6 +279,40 @@ } } + boolean isSchemeDisabled() { + String disabledSchemes; + if (isProxy(authType)) { + disabledSchemes = useSSL + ? TUNNEL_DISABLED + : PROXY_DISABLED; + } else return false; + if (disabledSchemes == null + || disabledSchemes.isEmpty()) { + return false; + } + String scheme; + switch (authScheme) { + case DIGEST: + scheme = "Digest"; + break; + case BASIC: + scheme = "Basic"; + break; + case BASICSERVER: + scheme = "Basic"; + break; + case NONE: + return false; + default: + throw new InternalError("Unknown auth scheme: " + authScheme); + } + return Stream.of(disabledSchemes.split(",")) + .map(String::trim) + .filter(scheme::equalsIgnoreCase) + .findAny() + .isPresent(); + } + final static AtomicLong basics = new AtomicLong(); final static AtomicLong basicCount = new AtomicLong(); // @Test @@ -305,7 +352,8 @@ assert !client.authenticator().isPresent(); if (auth == null) auth = "Basic " + getBasicAuth("arthur"); try { - if ((i > 0 || preemptive) && (!isTunnel || i == 0)) { + if ((i > 0 || preemptive) + && (!isTunnel || i == 0 || isSchemeDisabled())) { // In case of a SSL tunnel through proxy then only the // first request should require proxy authorization // Though this might be invalidated if the server decides @@ -346,7 +394,7 @@ throw new RuntimeException("Unexpected exception: " + t, t); } - if (addHeaders && !preemptive && i==0) { + if (addHeaders && !preemptive && (i==0 || isSchemeDisabled())) { assert resp.statusCode() == 401 || resp.statusCode() == 407; request = HttpRequest.newBuilder(uri).version(version) .POST(reqBody).header(authorizationKey(authType), auth).build(); @@ -356,12 +404,31 @@ resp = client.send(request, asLines()); } } - assert resp.statusCode() == 200; - List respLines = resp.body().collect(Collectors.toList()); - long stop = System.nanoTime(); - synchronized (basicCount) { - long n = basicCount.getAndIncrement(); - basics.set((basics.get() * n + (stop - start)) / (n + 1)); + final List respLines; + try { + if (isSchemeDisabled()) { + if (resp.statusCode() != 407) { + throw new RuntimeException("expected 407 not received"); + } + System.out.println("Scheme disabled for [" + authType + + ", " + authScheme + + ", " + (useSSL ? "HTTP" : "HTTPS") + + "]: Received expected " + resp.statusCode()); + continue; + } else { + System.out.println("Scheme enabled for [" + authType + + ", " + authScheme + + ", " + (useSSL ? "HTTPS" : "HTTP") + + "]: Expecting 200"); + assert resp.statusCode() == 200; + respLines = resp.body().collect(Collectors.toList()); + } + } finally { + long stop = System.nanoTime(); + synchronized (basicCount) { + long n = basicCount.getAndIncrement(); + basics.set((basics.get() * n + (stop - start)) / (n + 1)); + } } if (!lines.equals(respLines)) { throw new RuntimeException("Unexpected response: " + respLines); @@ -418,7 +485,7 @@ // In case of a tunnel connection only the first request // which establishes the tunnel needs to authenticate with // the proxy. - if (challenge != null && !isTunnel) { + if (challenge != null && (!isTunnel || isSchemeDisabled())) { assert cnonceStr != null; String auth = digestResponse(uri, digestMethod, challenge, cnonceStr); try { @@ -442,7 +509,7 @@ // This assert may need to be relaxed if our server happened to // decide to close the tunnel connection, in which case we would // receive 407 again... - assert challenge == null || !isTunnel + assert challenge == null || !isTunnel || isSchemeDisabled() : "No proxy auth should be required after establishing an SSL tunnel"; System.out.println("Received " + resp.statusCode() + " answering challenge..."); @@ -476,12 +543,27 @@ } System.out.println(resp); } - assert resp.statusCode() == 200; - List respLines = resp.body().collect(Collectors.toList()); - long stop = System.nanoTime(); - synchronized (digestCount) { - long n = digestCount.getAndIncrement(); - digests.set((digests.get() * n + (stop - start)) / (n + 1)); + final List respLines; + try { + if (isSchemeDisabled()) { + if (resp.statusCode() != 407) { + throw new RuntimeException("expected 407 not received"); + } + System.out.println("Scheme disabled for [" + authType + + ", " + authScheme + + ", " + (useSSL ? "HTTP" : "HTTPS") + + "]: Received expected " + resp.statusCode()); + continue; + } else { + assert resp.statusCode() == 200; + respLines = resp.body().collect(Collectors.toList()); + } + } finally { + long stop = System.nanoTime(); + synchronized (basicCount) { + long n = basicCount.getAndIncrement(); + basics.set((basics.get() * n + (stop - start)) / (n + 1)); + } } if (!lines.equals(respLines)) { throw new RuntimeException("Unexpected response: " + respLines); diff -r 8588095e95b0 -r 352e845ae744 test/jdk/java/net/httpclient/DigestEchoClientSSL.java --- a/test/jdk/java/net/httpclient/DigestEchoClientSSL.java Wed Jan 31 15:52:35 2018 +0000 +++ b/test/jdk/java/net/httpclient/DigestEchoClientSSL.java Wed Jan 31 16:18:41 2018 +0000 @@ -24,11 +24,17 @@ /** * @test * @bug 8087112 + * @summary this test verifies that a client may provides authorization + * headers directly when connecting with a server over SSL. * @library /lib/testlibrary * @build jdk.testlibrary.SimpleSSLContext DigestEchoServer DigestEchoClient DigestEchoClientSSL * @modules jdk.incubator.httpclient * java.base/sun.net.www + * java.base/sun.net * @run main/othervm DigestEchoClientSSL SSL + * @run main/othervm -Djdk.http.auth.proxying.disabledSchemes= + * -Djdk.http.auth.tunneling.disabledSchemes= + * DigestEchoClientSSL SSL PROXY */ public class DigestEchoClientSSL { diff -r 8588095e95b0 -r 352e845ae744 test/jdk/java/net/httpclient/DigestEchoServer.java --- a/test/jdk/java/net/httpclient/DigestEchoServer.java Wed Jan 31 15:52:35 2018 +0000 +++ b/test/jdk/java/net/httpclient/DigestEchoServer.java Wed Jan 31 16:18:41 2018 +0000 @@ -1434,10 +1434,25 @@ pw.print(response); pw.flush(); } else { - // This should not happen. If it does let our serverImpl - // deal with it. - throw new IOException("Tunnel: Unexpected status line: " - + requestLine); + // This should not happen. If it does then just print an + // error - both on out and err, and close the accepted + // socket + System.out.println("WARNING: Tunnel: Unexpected status line: " + + requestLine + " received by " + + ss.getLocalSocketAddress() + + " from " + + toClose.getRemoteSocketAddress() + + " - closing accepted socket"); + // Print on err + System.err.println("WARNING: Tunnel: Unexpected status line: " + + requestLine + " received by " + + ss.getLocalSocketAddress() + + " from " + + toClose.getRemoteSocketAddress()); + // close accepted socket. + toClose.close(); + System.err.println("Tunnel: accepted socket closed."); + continue; } // Pipe the input stream of the client connection to the diff -r 8588095e95b0 -r 352e845ae744 test/jdk/java/net/httpclient/ProxyAuthDisabledSchemes.java --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/test/jdk/java/net/httpclient/ProxyAuthDisabledSchemes.java Wed Jan 31 16:18:41 2018 +0000 @@ -0,0 +1,51 @@ +/* + * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + */ + +/** + * @test + * @summary this test verifies that a client may provides authorization + * headers directly when connecting with a server, and + * it verifies that the client honor the jdk.http.auth.*.disabledSchemes + * net properties. + * @bug 8087112 + * @library /lib/testlibrary + * @build jdk.testlibrary.SimpleSSLContext DigestEchoServer DigestEchoClient ProxyAuthDisabledSchemes + * @modules jdk.incubator.httpclient + * java.base/sun.net.www + * java.base/sun.net + * @run main/othervm -Djdk.http.auth.proxying.disabledSchemes=Basic,Digest + * -Djdk.http.auth.tunneling.disabledSchemes=Digest,Basic + * ProxyAuthDisabledSchemes + * @run main/othervm -Djdk.http.auth.proxying.disabledSchemes=Basic + * -Djdk.http.auth.tunneling.disabledSchemes=Basic + * ProxyAuthDisabledSchemes CLEAR PROXY + * @run main/othervm -Djdk.http.auth.proxying.disabledSchemes=Digest + * -Djdk.http.auth.tunneling.disabledSchemes=Digest + * ProxyAuthDisabledSchemes CLEAR PROXY + */ + +public class ProxyAuthDisabledSchemes { + public static void main(String[] args) throws Exception { + DigestEchoClient.main(args); + } +} diff -r 8588095e95b0 -r 352e845ae744 test/jdk/java/net/httpclient/ProxyAuthDisabledSchemesSSL.java --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/test/jdk/java/net/httpclient/ProxyAuthDisabledSchemesSSL.java Wed Jan 31 16:18:41 2018 +0000 @@ -0,0 +1,52 @@ +/* + * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + */ + +/** + * @test + * @bug 8087112 + * @summary this test verifies that a client may provides authorization + * headers directly when connecting with a server over SSL, and + * it verifies that the client honor the jdk.http.auth.*.disabledSchemes + * net properties. + * @library /lib/testlibrary + * @build jdk.testlibrary.SimpleSSLContext DigestEchoServer DigestEchoClient ProxyAuthDisabledSchemesSSL + * @modules jdk.incubator.httpclient + * java.base/sun.net.www + * java.base/sun.net + * @run main/othervm -Djdk.http.auth.proxying.disabledSchemes=Basic,Digest + * -Djdk.http.auth.tunneling.disabledSchemes=Digest,Basic + * ProxyAuthDisabledSchemesSSL SSL + * @run main/othervm -Djdk.http.auth.proxying.disabledSchemes=Basic + * -Djdk.http.auth.tunneling.disabledSchemes=Basic + * ProxyAuthDisabledSchemesSSL SSL PROXY + * @run main/othervm -Djdk.http.auth.proxying.disabledSchemes=Digest + * -Djdk.http.auth.tunneling.disabledSchemes=Digest + * ProxyAuthDisabledSchemesSSL SSL PROXY + */ + +public class ProxyAuthDisabledSchemesSSL { + public static void main(String[] args) throws Exception { + assert "SSL".equals(args[0]); + DigestEchoClient.main(args); + } +} diff -r 8588095e95b0 -r 352e845ae744 test/jdk/java/net/httpclient/TimeoutBasic.java --- a/test/jdk/java/net/httpclient/TimeoutBasic.java Wed Jan 31 15:52:35 2018 +0000 +++ b/test/jdk/java/net/httpclient/TimeoutBasic.java Wed Jan 31 16:18:41 2018 +0000 @@ -153,6 +153,11 @@ count++; try { HttpResponse resp = client.sendAsync(request, discard(null)).join(); + out.println("Unexpected response for: " + request); + out.println("\t from " + ss.getLocalSocketAddress()); + out.println("Response is: " + resp); + out.println("Headers: " + resp.headers().map()); + out.println("Body (should be null): " + resp.body()); throw new RuntimeException("Unexpected response: " + resp.statusCode()); } catch (CompletionException e) { if (!(e.getCause() instanceof HttpTimeoutException)) { diff -r 8588095e95b0 -r 352e845ae744 test/jdk/java/net/httpclient/security/0.policy --- a/test/jdk/java/net/httpclient/security/0.policy Wed Jan 31 15:52:35 2018 +0000 +++ b/test/jdk/java/net/httpclient/security/0.policy Wed Jan 31 16:18:41 2018 +0000 @@ -1,5 +1,5 @@ // -// Copyright (c) 2016, 2017, Oracle and/or its affiliates. All rights reserved. +// Copyright (c) 2016, 2018, Oracle and/or its affiliates. All rights reserved. // DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. // // This code is free software; you can redistribute it and/or modify it @@ -61,6 +61,7 @@ permission java.io.FilePermission "<>","read,write"; // delete??? permission java.util.PropertyPermission "jdk.httpclient.*","read"; + permission java.util.PropertyPermission "jdk.http.auth.*","read"; permission java.net.NetPermission "getProxySelector"; }; diff -r 8588095e95b0 -r 352e845ae744 test/jdk/java/net/httpclient/security/1.policy --- a/test/jdk/java/net/httpclient/security/1.policy Wed Jan 31 15:52:35 2018 +0000 +++ b/test/jdk/java/net/httpclient/security/1.policy Wed Jan 31 16:18:41 2018 +0000 @@ -1,5 +1,5 @@ // -// Copyright (c) 2016, 2017, Oracle and/or its affiliates. All rights reserved. +// Copyright (c) 2016, 2018, Oracle and/or its affiliates. All rights reserved. // DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. // // This code is free software; you can redistribute it and/or modify it @@ -61,6 +61,7 @@ permission java.io.FilePermission "<>","read,write"; // delete??? permission java.util.PropertyPermission "jdk.httpclient.*","read"; + permission java.util.PropertyPermission "jdk.http.auth.*","read"; permission java.net.NetPermission "getProxySelector"; }; diff -r 8588095e95b0 -r 352e845ae744 test/jdk/java/net/httpclient/security/10.policy --- a/test/jdk/java/net/httpclient/security/10.policy Wed Jan 31 15:52:35 2018 +0000 +++ b/test/jdk/java/net/httpclient/security/10.policy Wed Jan 31 16:18:41 2018 +0000 @@ -1,5 +1,5 @@ // -// Copyright (c) 2016, 2017, Oracle and/or its affiliates. All rights reserved. +// Copyright (c) 2016, 2018, Oracle and/or its affiliates. All rights reserved. // DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. // // This code is free software; you can redistribute it and/or modify it @@ -60,6 +60,7 @@ permission java.io.FilePermission "<>","read,write"; // delete??? permission java.util.PropertyPermission "jdk.httpclient.*","read"; + permission java.util.PropertyPermission "jdk.http.auth.*","read"; permission java.net.NetPermission "getProxySelector"; }; diff -r 8588095e95b0 -r 352e845ae744 test/jdk/java/net/httpclient/security/11.policy --- a/test/jdk/java/net/httpclient/security/11.policy Wed Jan 31 15:52:35 2018 +0000 +++ b/test/jdk/java/net/httpclient/security/11.policy Wed Jan 31 16:18:41 2018 +0000 @@ -1,5 +1,5 @@ // -// Copyright (c) 2016, 2017, Oracle and/or its affiliates. All rights reserved. +// Copyright (c) 2016, 2018, Oracle and/or its affiliates. All rights reserved. // DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. // // This code is free software; you can redistribute it and/or modify it @@ -62,6 +62,7 @@ permission java.io.FilePermission "<>","read,write"; // delete??? permission java.util.PropertyPermission "jdk.httpclient.*","read"; + permission java.util.PropertyPermission "jdk.http.auth.*","read"; permission java.net.NetPermission "getProxySelector"; }; diff -r 8588095e95b0 -r 352e845ae744 test/jdk/java/net/httpclient/security/12.policy --- a/test/jdk/java/net/httpclient/security/12.policy Wed Jan 31 15:52:35 2018 +0000 +++ b/test/jdk/java/net/httpclient/security/12.policy Wed Jan 31 16:18:41 2018 +0000 @@ -1,5 +1,5 @@ // -// Copyright (c) 2016, 2017, Oracle and/or its affiliates. All rights reserved. +// Copyright (c) 2016, 2018, Oracle and/or its affiliates. All rights reserved. // DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. // // This code is free software; you can redistribute it and/or modify it @@ -62,6 +62,7 @@ permission java.io.FilePermission "<>","read,write"; // delete??? permission java.util.PropertyPermission "jdk.httpclient.*","read"; + permission java.util.PropertyPermission "jdk.http.auth.*","read"; permission java.net.NetPermission "getProxySelector"; }; diff -r 8588095e95b0 -r 352e845ae744 test/jdk/java/net/httpclient/security/14.policy --- a/test/jdk/java/net/httpclient/security/14.policy Wed Jan 31 15:52:35 2018 +0000 +++ b/test/jdk/java/net/httpclient/security/14.policy Wed Jan 31 16:18:41 2018 +0000 @@ -1,5 +1,5 @@ // -// Copyright (c) 2016, 2017, Oracle and/or its affiliates. All rights reserved. +// Copyright (c) 2016, 2018, Oracle and/or its affiliates. All rights reserved. // DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. // // This code is free software; you can redistribute it and/or modify it @@ -61,6 +61,7 @@ permission java.io.FilePermission "<>","read,write"; // delete??? permission java.util.PropertyPermission "jdk.httpclient.*","read"; + permission java.util.PropertyPermission "jdk.http.auth.*","read"; permission java.net.NetPermission "getProxySelector"; }; diff -r 8588095e95b0 -r 352e845ae744 test/jdk/java/net/httpclient/security/15.policy --- a/test/jdk/java/net/httpclient/security/15.policy Wed Jan 31 15:52:35 2018 +0000 +++ b/test/jdk/java/net/httpclient/security/15.policy Wed Jan 31 16:18:41 2018 +0000 @@ -1,5 +1,5 @@ // -// Copyright (c) 2016, 2017, Oracle and/or its affiliates. All rights reserved. +// Copyright (c) 2016, 2018, Oracle and/or its affiliates. All rights reserved. // DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. // // This code is free software; you can redistribute it and/or modify it @@ -64,6 +64,7 @@ permission java.io.FilePermission "<>","read,write"; // delete??? permission java.util.PropertyPermission "jdk.httpclient.*","read"; + permission java.util.PropertyPermission "jdk.http.auth.*","read"; permission java.net.NetPermission "getProxySelector"; }; diff -r 8588095e95b0 -r 352e845ae744 test/jdk/java/net/httpclient/security/2.policy --- a/test/jdk/java/net/httpclient/security/2.policy Wed Jan 31 15:52:35 2018 +0000 +++ b/test/jdk/java/net/httpclient/security/2.policy Wed Jan 31 16:18:41 2018 +0000 @@ -1,5 +1,5 @@ // -// Copyright (c) 2016, 2017, Oracle and/or its affiliates. All rights reserved. +// Copyright (c) 2016, 2018, Oracle and/or its affiliates. All rights reserved. // DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. // // This code is free software; you can redistribute it and/or modify it @@ -61,6 +61,7 @@ permission java.io.FilePermission "<>","read,write"; // delete??? permission java.util.PropertyPermission "jdk.httpclient.*","read"; + permission java.util.PropertyPermission "jdk.http.auth.*","read"; permission java.net.NetPermission "getProxySelector"; }; diff -r 8588095e95b0 -r 352e845ae744 test/jdk/java/net/httpclient/security/3.policy --- a/test/jdk/java/net/httpclient/security/3.policy Wed Jan 31 15:52:35 2018 +0000 +++ b/test/jdk/java/net/httpclient/security/3.policy Wed Jan 31 16:18:41 2018 +0000 @@ -1,5 +1,5 @@ // -// Copyright (c) 2016, 2017, Oracle and/or its affiliates. All rights reserved. +// Copyright (c) 2016, 2018, Oracle and/or its affiliates. All rights reserved. // DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. // // This code is free software; you can redistribute it and/or modify it @@ -61,6 +61,7 @@ permission java.io.FilePermission "<>","read,write"; // delete??? permission java.util.PropertyPermission "jdk.httpclient.*","read"; + permission java.util.PropertyPermission "jdk.http.auth.*","read"; permission java.net.NetPermission "getProxySelector"; }; diff -r 8588095e95b0 -r 352e845ae744 test/jdk/java/net/httpclient/security/4.policy --- a/test/jdk/java/net/httpclient/security/4.policy Wed Jan 31 15:52:35 2018 +0000 +++ b/test/jdk/java/net/httpclient/security/4.policy Wed Jan 31 16:18:41 2018 +0000 @@ -1,5 +1,5 @@ // -// Copyright (c) 2016, 2017, Oracle and/or its affiliates. All rights reserved. +// Copyright (c) 2016, 2018, Oracle and/or its affiliates. All rights reserved. // DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. // // This code is free software; you can redistribute it and/or modify it @@ -62,6 +62,7 @@ permission java.io.FilePermission "<>","read,write"; // delete??? permission java.util.PropertyPermission "jdk.httpclient.*","read"; + permission java.util.PropertyPermission "jdk.http.auth.*","read"; permission java.net.NetPermission "getProxySelector"; }; diff -r 8588095e95b0 -r 352e845ae744 test/jdk/java/net/httpclient/security/5.policy --- a/test/jdk/java/net/httpclient/security/5.policy Wed Jan 31 15:52:35 2018 +0000 +++ b/test/jdk/java/net/httpclient/security/5.policy Wed Jan 31 16:18:41 2018 +0000 @@ -1,5 +1,5 @@ // -// Copyright (c) 2016, 2017, Oracle and/or its affiliates. All rights reserved. +// Copyright (c) 2016, 2018, Oracle and/or its affiliates. All rights reserved. // DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. // // This code is free software; you can redistribute it and/or modify it @@ -61,6 +61,7 @@ permission java.io.FilePermission "<>","read,write"; // delete??? permission java.util.PropertyPermission "jdk.httpclient.*","read"; + permission java.util.PropertyPermission "jdk.http.auth.*","read"; permission java.net.NetPermission "getProxySelector"; }; diff -r 8588095e95b0 -r 352e845ae744 test/jdk/java/net/httpclient/security/6.policy --- a/test/jdk/java/net/httpclient/security/6.policy Wed Jan 31 15:52:35 2018 +0000 +++ b/test/jdk/java/net/httpclient/security/6.policy Wed Jan 31 16:18:41 2018 +0000 @@ -1,5 +1,5 @@ // -// Copyright (c) 2016, 2017, Oracle and/or its affiliates. All rights reserved. +// Copyright (c) 2016, 2018, Oracle and/or its affiliates. All rights reserved. // DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. // // This code is free software; you can redistribute it and/or modify it @@ -61,6 +61,7 @@ permission java.io.FilePermission "<>","read,write"; // delete??? permission java.util.PropertyPermission "jdk.httpclient.*","read"; + permission java.util.PropertyPermission "jdk.http.auth.*","read"; permission java.net.NetPermission "getProxySelector"; }; diff -r 8588095e95b0 -r 352e845ae744 test/jdk/java/net/httpclient/security/7.policy --- a/test/jdk/java/net/httpclient/security/7.policy Wed Jan 31 15:52:35 2018 +0000 +++ b/test/jdk/java/net/httpclient/security/7.policy Wed Jan 31 16:18:41 2018 +0000 @@ -1,5 +1,5 @@ // -// Copyright (c) 2016, 2017, Oracle and/or its affiliates. All rights reserved. +// Copyright (c) 2016, 2018, Oracle and/or its affiliates. All rights reserved. // DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. // // This code is free software; you can redistribute it and/or modify it @@ -61,6 +61,7 @@ permission java.io.FilePermission "<>","read,write"; // delete??? permission java.util.PropertyPermission "jdk.httpclient.*","read"; + permission java.util.PropertyPermission "jdk.http.auth.*","read"; permission java.net.NetPermission "getProxySelector"; }; diff -r 8588095e95b0 -r 352e845ae744 test/jdk/java/net/httpclient/security/8.policy --- a/test/jdk/java/net/httpclient/security/8.policy Wed Jan 31 15:52:35 2018 +0000 +++ b/test/jdk/java/net/httpclient/security/8.policy Wed Jan 31 16:18:41 2018 +0000 @@ -1,5 +1,5 @@ // -// Copyright (c) 2016, 2017, Oracle and/or its affiliates. All rights reserved. +// Copyright (c) 2016, 2018, Oracle and/or its affiliates. All rights reserved. // DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. // // This code is free software; you can redistribute it and/or modify it @@ -61,6 +61,7 @@ permission java.io.FilePermission "<>","read,write"; // delete??? permission java.util.PropertyPermission "jdk.httpclient.*","read"; + permission java.util.PropertyPermission "jdk.http.auth.*","read"; permission java.net.NetPermission "getProxySelector"; }; diff -r 8588095e95b0 -r 352e845ae744 test/jdk/java/net/httpclient/security/9.policy --- a/test/jdk/java/net/httpclient/security/9.policy Wed Jan 31 15:52:35 2018 +0000 +++ b/test/jdk/java/net/httpclient/security/9.policy Wed Jan 31 16:18:41 2018 +0000 @@ -1,5 +1,5 @@ // -// Copyright (c) 2016, 2017, Oracle and/or its affiliates. All rights reserved. +// Copyright (c) 2016, 2018, Oracle and/or its affiliates. All rights reserved. // DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. // // This code is free software; you can redistribute it and/or modify it @@ -61,6 +61,7 @@ permission java.io.FilePermission "<>","read,write"; // delete??? permission java.util.PropertyPermission "jdk.httpclient.*","read"; + permission java.util.PropertyPermission "jdk.http.auth.*","read"; permission java.net.NetPermission "getProxySelector"; }; diff -r 8588095e95b0 -r 352e845ae744 test/jdk/java/net/httpclient/security/filePerms/httpclient.policy --- a/test/jdk/java/net/httpclient/security/filePerms/httpclient.policy Wed Jan 31 15:52:35 2018 +0000 +++ b/test/jdk/java/net/httpclient/security/filePerms/httpclient.policy Wed Jan 31 16:18:41 2018 +0000 @@ -1,5 +1,5 @@ // -// Copyright (c) 2017, Oracle and/or its affiliates. All rights reserved. +// Copyright (c) 2017, 2018, Oracle and/or its affiliates. All rights reserved. // DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. // // This code is free software; you can redistribute it and/or modify it @@ -39,6 +39,8 @@ permission java.io.FilePermission "<>","read,write,delete"; // ## look at the different property names! + permission java.util.PropertyPermission "jdk.http.auth.proxying.disabledSchemes","read"; + permission java.util.PropertyPermission "jdk.http.auth.tunneling.disabledSchemes","read"; permission java.util.PropertyPermission "jdk.httpclient.HttpClient.log","read"; // name! permission java.util.PropertyPermission "jdk.httpclient.auth.retrylimit","read"; permission java.util.PropertyPermission "jdk.httpclient.connectionWindowSize","read"; diff -r 8588095e95b0 -r 352e845ae744 test/jdk/java/net/httpclient/websocket/security/httpclient.policy --- a/test/jdk/java/net/httpclient/websocket/security/httpclient.policy Wed Jan 31 15:52:35 2018 +0000 +++ b/test/jdk/java/net/httpclient/websocket/security/httpclient.policy Wed Jan 31 16:18:41 2018 +0000 @@ -1,5 +1,5 @@ // -// Copyright (c) 2017, Oracle and/or its affiliates. All rights reserved. +// Copyright (c) 2017, 2018, Oracle and/or its affiliates. All rights reserved. // DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. // // This code is free software; you can redistribute it and/or modify it @@ -39,6 +39,8 @@ permission java.io.FilePermission "<>","read,write,delete"; // ## look at the different property names! + permission java.util.PropertyPermission "jdk.http.auth.proxying.disabledSchemes","read"; + permission java.util.PropertyPermission "jdk.http.auth.tunneling.disabledSchemes","read"; permission java.util.PropertyPermission "jdk.httpclient.HttpClient.log","read"; // name! permission java.util.PropertyPermission "jdk.httpclient.auth.retrylimit","read"; permission java.util.PropertyPermission "jdk.httpclient.connectionWindowSize","read";