If user code sets the "Authorization" header to preempt an Authentication request by the server, or simply because Sun's JDK does not support that scheme, and the URL being requested redirects, then the "Authorization" header is never sent. This is because sun.net.www.protocol.http.HttpURLConnection now removes this header before redirecting. This was not the case in tiger. Hence it appears as a regression in mustang