From e74c9cc4d5a08bb95229d43fcfb8ad571749ce47 Mon Sep 17 00:00:00 2001 From: Istvan Toth Date: Tue, 21 Oct 2025 10:37:18 +0200 Subject: [PATCH 1/2] HTTPCLIENT-2403: Mutual authentication check not performed for proxies --- .../hc/client5/http/impl/async/AsyncProtocolExec.java | 11 +++++------ .../client5/http/impl/auth/AuthenticationHandler.java | 3 +-- .../hc/client5/http/impl/classic/ProtocolExec.java | 11 +++++------ 3 files changed, 11 insertions(+), 14 deletions(-) diff --git a/httpclient5/src/main/java/org/apache/hc/client5/http/impl/async/AsyncProtocolExec.java b/httpclient5/src/main/java/org/apache/hc/client5/http/impl/async/AsyncProtocolExec.java index 0d8c504627..1b35f8cb34 100644 --- a/httpclient5/src/main/java/org/apache/hc/client5/http/impl/async/AsyncProtocolExec.java +++ b/httpclient5/src/main/java/org/apache/hc/client5/http/impl/async/AsyncProtocolExec.java @@ -334,26 +334,25 @@ private boolean needAuthentication( } } + boolean targetNeedsAuth = false; + boolean proxyNeedsAuth = false; if (targetAuthRequested || targetMutualAuthRequired) { - final boolean updated = authenticator.handleResponse(target, ChallengeType.TARGET, response, + targetNeedsAuth = authenticator.handleResponse(target, ChallengeType.TARGET, response, targetAuthStrategy, targetAuthExchange, context); if (authCacheKeeper != null) { authCacheKeeper.updateOnResponse(target, pathPrefix, targetAuthExchange, context); } - - return updated; } if (proxyAuthRequested || proxyMutualAuthRequired) { - final boolean updated = authenticator.handleResponse(proxy, ChallengeType.PROXY, response, + proxyNeedsAuth = authenticator.handleResponse(proxy, ChallengeType.PROXY, response, proxyAuthStrategy, proxyAuthExchange, context); if (authCacheKeeper != null) { authCacheKeeper.updateOnResponse(proxy, null, proxyAuthExchange, context); } - - return updated; } + return targetNeedsAuth || proxyNeedsAuth; } return false; } diff --git a/httpclient5/src/main/java/org/apache/hc/client5/http/impl/auth/AuthenticationHandler.java b/httpclient5/src/main/java/org/apache/hc/client5/http/impl/auth/AuthenticationHandler.java index 8d38ec8e75..55f72f659f 100644 --- a/httpclient5/src/main/java/org/apache/hc/client5/http/impl/auth/AuthenticationHandler.java +++ b/httpclient5/src/main/java/org/apache/hc/client5/http/impl/auth/AuthenticationHandler.java @@ -121,8 +121,7 @@ public boolean isChallenged( } /** - * Determines whether the given response represents an authentication challenge, without - * changing the {@link AuthExchange} state. + * Determines whether the response is 401/407 response depending to the challengeType * * @param challengeType the challenge type (target or proxy). * @param response the response message head. diff --git a/httpclient5/src/main/java/org/apache/hc/client5/http/impl/classic/ProtocolExec.java b/httpclient5/src/main/java/org/apache/hc/client5/http/impl/classic/ProtocolExec.java index fe3d35281f..b927dbc798 100644 --- a/httpclient5/src/main/java/org/apache/hc/client5/http/impl/classic/ProtocolExec.java +++ b/httpclient5/src/main/java/org/apache/hc/client5/http/impl/classic/ProtocolExec.java @@ -295,26 +295,25 @@ private boolean needAuthentication( } } + boolean targetNeedsAuth = false; + boolean proxyNeedsAuth = false; if (targetAuthRequested || targetMutualAuthRequired) { - final boolean updated = authenticator.handleResponse(target, ChallengeType.TARGET, response, + targetNeedsAuth = authenticator.handleResponse(target, ChallengeType.TARGET, response, targetAuthStrategy, targetAuthExchange, context); if (authCacheKeeper != null) { authCacheKeeper.updateOnResponse(target, pathPrefix, targetAuthExchange, context); } - - return updated; } if (proxyAuthRequested || proxyMutualAuthRequired) { - final boolean updated = authenticator.handleResponse(proxy, ChallengeType.PROXY, response, + proxyNeedsAuth = authenticator.handleResponse(proxy, ChallengeType.PROXY, response, proxyAuthStrategy, proxyAuthExchange, context); if (authCacheKeeper != null) { authCacheKeeper.updateOnResponse(proxy, null, proxyAuthExchange, context); } - - return updated; } + return targetNeedsAuth || proxyNeedsAuth; } return false; } From 337666c82f2eab720326af7b2ce67f6275d1c2a9 Mon Sep 17 00:00:00 2001 From: Istvan Toth Date: Tue, 21 Oct 2025 14:42:32 +0200 Subject: [PATCH 2/2] improve comment --- .../hc/client5/http/impl/auth/AuthenticationHandler.java | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/httpclient5/src/main/java/org/apache/hc/client5/http/impl/auth/AuthenticationHandler.java b/httpclient5/src/main/java/org/apache/hc/client5/http/impl/auth/AuthenticationHandler.java index 55f72f659f..fc7e4a22dd 100644 --- a/httpclient5/src/main/java/org/apache/hc/client5/http/impl/auth/AuthenticationHandler.java +++ b/httpclient5/src/main/java/org/apache/hc/client5/http/impl/auth/AuthenticationHandler.java @@ -121,7 +121,8 @@ public boolean isChallenged( } /** - * Determines whether the response is 401/407 response depending to the challengeType + * Determines whether the given response represents an authentication challenge + * of challangeType, without changing the {@link AuthExchange} state. * * @param challengeType the challenge type (target or proxy). * @param response the response message head.