HTTPCLIENT-2403: Mutual authentication check not performed for proxies (#745)

stoty · ok2c · commit eb2a831ceb98 · 2025-10-21T18:35:06.000+02:00
diff --git a/httpclient5/src/main/java/org/apache/hc/client5/http/impl/async/AsyncProtocolExec.java b/httpclient5/src/main/java/org/apache/hc/client5/http/impl/async/AsyncProtocolExec.java
@@ -334,26 +334,25 @@ private boolean needAuthentication(
                 }
             }
 
+            boolean targetNeedsAuth = false;
+            boolean proxyNeedsAuth = false;
             if (targetAuthRequested || targetMutualAuthRequired) {
-                final boolean updated = authenticator.handleResponse(target, ChallengeType.TARGET, response,
+                targetNeedsAuth = authenticator.handleResponse(target, ChallengeType.TARGET, response,
                         targetAuthStrategy, targetAuthExchange, context);
 
                 if (authCacheKeeper != null) {
                     authCacheKeeper.updateOnResponse(target, pathPrefix, targetAuthExchange, context);
                 }
-
-                return updated;
             }
             if (proxyAuthRequested || proxyMutualAuthRequired) {
-                final boolean updated = authenticator.handleResponse(proxy, ChallengeType.PROXY, response,
+                proxyNeedsAuth = authenticator.handleResponse(proxy, ChallengeType.PROXY, response,
                         proxyAuthStrategy, proxyAuthExchange, context);
 
                 if (authCacheKeeper != null) {
                     authCacheKeeper.updateOnResponse(proxy, null, proxyAuthExchange, context);
                 }
-
-                return updated;
             }
+            return targetNeedsAuth || proxyNeedsAuth;
         }
         return false;
     }
diff --git a/httpclient5/src/main/java/org/apache/hc/client5/http/impl/auth/AuthenticationHandler.java b/httpclient5/src/main/java/org/apache/hc/client5/http/impl/auth/AuthenticationHandler.java
@@ -121,8 +121,8 @@ public boolean isChallenged(
     }
 
     /**
-     * Determines whether the given response represents an authentication challenge, without
-     * changing the {@link AuthExchange} state.
+     * Determines whether the given response represents an authentication challenge
+     * of challangeType, without changing the {@link AuthExchange} state.
      *
      * @param challengeType the challenge type (target or proxy).
      * @param response the response message head.
diff --git a/httpclient5/src/main/java/org/apache/hc/client5/http/impl/classic/ProtocolExec.java b/httpclient5/src/main/java/org/apache/hc/client5/http/impl/classic/ProtocolExec.java
@@ -295,26 +295,25 @@ private boolean needAuthentication(
                 }
             }
 
+            boolean targetNeedsAuth = false;
+            boolean proxyNeedsAuth = false;
             if (targetAuthRequested || targetMutualAuthRequired) {
-                final boolean updated = authenticator.handleResponse(target, ChallengeType.TARGET, response,
+                targetNeedsAuth = authenticator.handleResponse(target, ChallengeType.TARGET, response,
                         targetAuthStrategy, targetAuthExchange, context);
 
                 if (authCacheKeeper != null) {
                     authCacheKeeper.updateOnResponse(target, pathPrefix, targetAuthExchange, context);
                 }
-
-                return updated;
             }
             if (proxyAuthRequested || proxyMutualAuthRequired) {
-                final boolean updated = authenticator.handleResponse(proxy, ChallengeType.PROXY, response,
+                proxyNeedsAuth = authenticator.handleResponse(proxy, ChallengeType.PROXY, response,
                         proxyAuthStrategy, proxyAuthExchange, context);
 
                 if (authCacheKeeper != null) {
                     authCacheKeeper.updateOnResponse(proxy, null, proxyAuthExchange, context);
                 }
-
-                return updated;
             }
+            return targetNeedsAuth || proxyNeedsAuth;
         }
         return false;
     }

Original file line number	Diff line number	Diff line change
`@@ -334,26 +334,25 @@ private boolean needAuthentication(`
`334`	`334`	`}`
`335`	`335`	`}`
`336`	`336`
	`337`	`+ boolean targetNeedsAuth = false;`
	`338`	`+ boolean proxyNeedsAuth = false;`
`337`	`339`	`if (targetAuthRequested \|\| targetMutualAuthRequired) {`
`338`		`- final boolean updated = authenticator.handleResponse(target, ChallengeType.TARGET, response,`
	`340`	`+ targetNeedsAuth = authenticator.handleResponse(target, ChallengeType.TARGET, response,`
`339`	`341`	`targetAuthStrategy, targetAuthExchange, context);`
`340`	`342`
`341`	`343`	`if (authCacheKeeper != null) {`
`342`	`344`	`authCacheKeeper.updateOnResponse(target, pathPrefix, targetAuthExchange, context);`
`343`	`345`	`}`
`344`		`-`
`345`		`- return updated;`
`346`	`346`	`}`
`347`	`347`	`if (proxyAuthRequested \|\| proxyMutualAuthRequired) {`
`348`		`- final boolean updated = authenticator.handleResponse(proxy, ChallengeType.PROXY, response,`
	`348`	`+ proxyNeedsAuth = authenticator.handleResponse(proxy, ChallengeType.PROXY, response,`
`349`	`349`	`proxyAuthStrategy, proxyAuthExchange, context);`
`350`	`350`
`351`	`351`	`if (authCacheKeeper != null) {`
`352`	`352`	`authCacheKeeper.updateOnResponse(proxy, null, proxyAuthExchange, context);`
`353`	`353`	`}`
`354`		`-`
`355`		`- return updated;`
`356`	`354`	`}`
	`355`	`+ return targetNeedsAuth \|\| proxyNeedsAuth;`
`357`	`356`	`}`
`358`	`357`	`return false;`
`359`	`358`	`}`
Original file line number	Diff line number	Diff line change
`@@ -121,8 +121,8 @@ public boolean isChallenged(`
`121`	`121`	`}`
`122`	`122`
`123`	`123`	`/**`
`124`		`- * Determines whether the given response represents an authentication challenge, without`
`125`		`- * changing the {@link AuthExchange} state.`
	`124`	`+ * Determines whether the given response represents an authentication challenge`
	`125`	`+ * of challangeType, without changing the {@link AuthExchange} state.`
`126`	`126`	`*`
`127`	`127`	`* @param challengeType the challenge type (target or proxy).`
`128`	`128`	`* @param response the response message head.`
Original file line number	Diff line number	Diff line change
`@@ -295,26 +295,25 @@ private boolean needAuthentication(`
`295`	`295`	`}`
`296`	`296`	`}`
`297`	`297`
	`298`	`+ boolean targetNeedsAuth = false;`
	`299`	`+ boolean proxyNeedsAuth = false;`
`298`	`300`	`if (targetAuthRequested \|\| targetMutualAuthRequired) {`
`299`		`- final boolean updated = authenticator.handleResponse(target, ChallengeType.TARGET, response,`
	`301`	`+ targetNeedsAuth = authenticator.handleResponse(target, ChallengeType.TARGET, response,`
`300`	`302`	`targetAuthStrategy, targetAuthExchange, context);`
`301`	`303`
`302`	`304`	`if (authCacheKeeper != null) {`
`303`	`305`	`authCacheKeeper.updateOnResponse(target, pathPrefix, targetAuthExchange, context);`
`304`	`306`	`}`
`305`		`-`
`306`		`- return updated;`
`307`	`307`	`}`
`308`	`308`	`if (proxyAuthRequested \|\| proxyMutualAuthRequired) {`
`309`		`- final boolean updated = authenticator.handleResponse(proxy, ChallengeType.PROXY, response,`
	`309`	`+ proxyNeedsAuth = authenticator.handleResponse(proxy, ChallengeType.PROXY, response,`
`310`	`310`	`proxyAuthStrategy, proxyAuthExchange, context);`
`311`	`311`
`312`	`312`	`if (authCacheKeeper != null) {`
`313`	`313`	`authCacheKeeper.updateOnResponse(proxy, null, proxyAuthExchange, context);`
`314`	`314`	`}`
`315`		`-`
`316`		`- return updated;`
`317`	`315`	`}`
	`316`	`+ return targetNeedsAuth \|\| proxyNeedsAuth;`
`318`	`317`	`}`
`319`	`318`	`return false;`
`320`	`319`	`}`