--- a/jdk/src/java.base/share/classes/sun/net/www/protocol/http/HttpURLConnection.java Fri Aug 29 20:16:35 2014 -0700
+++ b/jdk/src/java.base/share/classes/sun/net/www/protocol/http/HttpURLConnection.java Wed Sep 10 10:33:43 2014 +0100
@@ -337,6 +337,7 @@
/* try auth without calling Authenticator. Used for transparent NTLM authentication */
private boolean tryTransparentNTLMServer = true;
private boolean tryTransparentNTLMProxy = true;
+ private boolean useProxyResponseCode = false;
/* Used by Windows specific code */
private Object authObj;
@@ -2239,6 +2240,15 @@
if (tryTransparentNTLMProxy) {
tryTransparentNTLMProxy =
NTLMAuthenticationProxy.supportsTransparentAuth;
+ /* If the platform supports transparent authentication
+ * then normally it's ok to do transparent auth to a proxy
+ * because we generally trust proxies (chosen by the user)
+ * But not in the case of 305 response where the server
+ * chose it. */
+ if (tryTransparentNTLMProxy && useProxyResponseCode) {
+ tryTransparentNTLMProxy = false;
+ }
+
}
a = null;
if (tryTransparentNTLMProxy) {
@@ -2610,6 +2620,10 @@
requests.set(0, method + " " + getRequestURI()+" " +
httpVersion, null);
connected = true;
+ // need to remember this in case NTLM proxy authentication gets
+ // used. We can't use transparent authentication when user
+ // doesn't know about proxy.
+ useProxyResponseCode = true;
} else {
// maintain previous headers, just change the name
// of the file we're getting