Support preemptive authentication with Java HTTP Client

This closes #1622

Author: kwin

maven-resolver-transport-jdk-parent/maven-resolver-transport-jdk-11/src/main/java/org/eclipse/aether/transport/jdk/JdkTransporter.java

@@ -52,6 +52,7 @@
 import java.time.ZonedDateTime;
 import java.time.format.DateTimeFormatter;
 import java.time.format.DateTimeParseException;
+import java.util.Base64;
 import java.util.Collections;
 import java.util.HashMap;
 import java.util.Locale;
@@ -79,6 +80,7 @@
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
+import static java.nio.charset.StandardCharsets.ISO_8859_1;
 import static org.eclipse.aether.spi.connector.transport.http.HttpConstants.ACCEPT_ENCODING;
 import static org.eclipse.aether.spi.connector.transport.http.HttpConstants.CACHE_CONTROL;
 import static org.eclipse.aether.spi.connector.transport.http.HttpConstants.CONTENT_LENGTH;
@@ -135,6 +137,12 @@ final class JdkTransporter extends AbstractTransporter implements HttpTransporte
 
     private final Semaphore maxConcurrentRequests;
 
+    private boolean preemptivePutAuth;
+
+    private boolean preemptiveAuth;
+
+    private PasswordAuthentication serverAuthentication;
+
     JdkTransporter(
             RepositorySystemSession session,
             RemoteRepository repository,
@@ -227,6 +235,17 @@ final class JdkTransporter extends AbstractTransporter implements HttpTransporte
                 CONFIG_PROP_MAX_CONCURRENT_REQUESTS + "." + repository.getId(),
                 CONFIG_PROP_MAX_CONCURRENT_REQUESTS));
 
+        this.preemptiveAuth = ConfigUtils.getBoolean(
+                session,
+                ConfigurationProperties.DEFAULT_HTTP_PREEMPTIVE_AUTH,
+                ConfigurationProperties.HTTP_PREEMPTIVE_AUTH + "." + repository.getId(),
+                ConfigurationProperties.HTTP_PREEMPTIVE_AUTH);
+        this.preemptivePutAuth = ConfigUtils.getBoolean(
+                session,
+                ConfigurationProperties.DEFAULT_HTTP_PREEMPTIVE_PUT_AUTH,
+                ConfigurationProperties.HTTP_PREEMPTIVE_PUT_AUTH + "." + repository.getId(),
+                ConfigurationProperties.HTTP_PREEMPTIVE_PUT_AUTH);
+
         this.headers = headers;
         this.client = createClient(session, repository, insecure);
     }
@@ -255,6 +274,8 @@ protected void implPeek(PeekTask task) throws Exception {
         HttpRequest.Builder request =
                 HttpRequest.newBuilder().uri(resolve(task)).method("HEAD", HttpRequest.BodyPublishers.noBody());
         headers.forEach(request::setHeader);
+
+        prepare(request);
         try {
             HttpResponse<Void> response = send(request.build(), HttpResponse.BodyHandlers.discarding());
             if (response.statusCode() >= MULTIPLE_CHOICES) {
@@ -286,6 +307,7 @@ protected void implGet(GetTask task) throws Exception {
                     request.header(ACCEPT_ENCODING, "identity");
                 }
 
+                prepare(request);
                 try {
                     response = send(request.build(), HttpResponse.BodyHandlers.ofInputStream());
                     if (response.statusCode() >= MULTIPLE_CHOICES) {
@@ -397,7 +419,7 @@ protected void implPut(PutTask task) throws Exception {
         try (PathProcessor.TempFile tempFile = pathProcessor.newTempFile()) {
             utilPut(task, Files.newOutputStream(tempFile.getPath()), true);
             request.PUT(HttpRequest.BodyPublishers.ofFile(tempFile.getPath()));
-
+            prepare(request);
             try {
                 HttpResponse<Void> response = send(request.build(), HttpResponse.BodyHandlers.discarding());
                 if (response.statusCode() >= MULTIPLE_CHOICES) {
@@ -409,6 +431,24 @@ protected void implPut(PutTask task) throws Exception {
         }
     }
 
+    private void prepare(HttpRequest.Builder requestBuilder) {
+        if (serverAuthentication != null
+                && (preemptiveAuth
+                        || (preemptivePutAuth && requestBuilder.build().method().equals("PUT")))) {
+            // https://stackoverflow.com/a/58612586
+            requestBuilder.setHeader(
+                    "Authorization",
+                    getBasicAuthValue(serverAuthentication.getUserName(), serverAuthentication.getPassword()));
+        }
+    }
+
+    static String getBasicAuthValue(String username, char[] password) {
+        StringBuilder sb = new StringBuilder(128);
+        sb.append(username).append(':').append(password);
+        // Java's HTTP client uses ISO-8859-1 for Basic auth encoding
+        return "Basic " + Base64.getEncoder().encodeToString(sb.toString().getBytes(ISO_8859_1));
+    }
+
     private <T> HttpResponse<T> send(HttpRequest request, HttpResponse.BodyHandler<T> responseBodyHandler)
             throws Exception {
         maxConcurrentRequests.acquire();
@@ -437,10 +477,8 @@ private HttpClient createClient(RepositorySystemSession session, RemoteRepositor
 
                 String username = repoAuthContext.get(AuthenticationContext.USERNAME);
                 String password = repoAuthContext.get(AuthenticationContext.PASSWORD);
-
-                authentications.put(
-                        Authenticator.RequestorType.SERVER,
-                        new PasswordAuthentication(username, password.toCharArray()));
+                serverAuthentication = new PasswordAuthentication(username, password.toCharArray());
+                authentications.put(Authenticator.RequestorType.SERVER, serverAuthentication);
             }
         }
 
@@ -519,7 +557,6 @@ public X509Certificate[] getAcceptedIssuers() {
                 }
             }
         }
-
         if (!authentications.isEmpty()) {
             builder.authenticator(new Authenticator() {
                 @Override
@@ -528,7 +565,6 @@ protected PasswordAuthentication getPasswordAuthentication() {
                 }
             });
         }
-
         return builder.build();
     }
 

maven-resolver-transport-jdk-parent/maven-resolver-transport-jdk-11/src/test/java/org/eclipse/aether/transport/jdk/JdkTransporterTest.java

@@ -29,7 +29,10 @@
 import org.eclipse.aether.spi.connector.transport.Transporter;
 import org.junit.jupiter.api.Disabled;
 import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.condition.DisabledOnJre;
+import org.junit.jupiter.api.condition.JRE;
 
+import static org.junit.jupiter.api.Assertions.assertEquals;
 import static org.junit.jupiter.api.Assertions.assertTrue;
 import static org.junit.jupiter.api.Assertions.fail;
 
@@ -50,24 +53,36 @@ protected void testAuthSchemeReuse() {}
     protected void testPut_ProxyUnauthenticated() {}
 
     @Override
-    @Disabled
+    @DisabledOnJre(
+            value = {JRE.JAVA_17, JRE.JAVA_21},
+            disabledReason = "JDK-8326949")
     @Test
-    protected void testAuthSchemePreemptive() {}
+    protected void testAuthSchemePreemptive() throws Exception {
+        super.testAuthSchemePreemptive();
+    }
 
     @Override
-    @Disabled
+    @DisabledOnJre(
+            value = {JRE.JAVA_17, JRE.JAVA_21},
+            disabledReason = "JDK-8326949")
     @Test
-    protected void testPut_AuthCache_Preemptive() {}
+    protected void testPut_AuthCache_Preemptive() throws Exception {
+        super.testPut_AuthCache_Preemptive();
+    }
 
     @Override
     @Disabled
     @Test
     protected void testPut_Unauthenticated() {}
 
     @Override
-    @Disabled
+    @DisabledOnJre(
+            value = {JRE.JAVA_17, JRE.JAVA_21},
+            disabledReason = "JDK-8326949")
     @Test
-    protected void testPut_PreemptiveIsDefault() {}
+    protected void testPut_PreemptiveIsDefault() throws Exception {
+        super.testPut_PreemptiveIsDefault();
+    }
 
     @Override
     @Disabled
@@ -113,4 +128,11 @@ void enhanceConnectExceptionMessages() {
             fail("We expect ConnectException");
         }
     }
+
+    @Test
+    void testGetBasicAuthValue() {
+        assertEquals(
+                "Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==",
+                JdkTransporter.getBasicAuthValue("Aladdin", "open sesame".toCharArray()));
+    }
 }