Name: bsC130419 Date: 06/26/2001


java version "1.3.0_02"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.3.0_02)
Java HotSpot(TM) Client VM (build 1.3.0_02, mixed mode)

The new handling of HTTP 401 errors in JDK 1.3 is incomplete. The changes that
are a result of the fix to bug #4244472 cause multiple requests for the same
information when a longer URI "abs-path" is used before a shorter one.

In previous versions the URL's path information was not used to determine which
authorization information to send with the request and was undoubtedly causing
excess retries when a server had multiple realms. The addition of using the
path to qualify a request and to guess at which realm information should be sent
with the request is a good addition to the behavior.

However, the behavior in response to the 401 error is not complete. When a
shorter path is used the authorization information can not be determined and is
not sent with the request the first time. That is expected. When a 401 error
results and the realm name is now known the path information should be ignored
and the authentication information that was cached for that realm name should be
used to retry the request. If it succeeds the path for that realm should be
replaced with the shorter path.

In summary, when the 401 which now includes the realm name is received, if there
is aleady information cached for that realm name it should be used without
invoking the registered
java.net.Authenticator.requestPasswordAuthentication(...) method.
(Review ID: 125644)
======================================================================