Add support for preemptive Basic auth for proxy (#6585)

dagnir · web-flow · commit 991d8235cbd6 · 2025-11-26T01:20:44.000Z
Similar to #6333. Note implementations differ because Apache 5.x actually adds support simply configuring the BasicScheme with preemptive auth that wasn't present in 4.x.
diff --git a/.changes/next-release/bugfix-Apache5HTTPClientPreview-7ba481e.json b/.changes/next-release/bugfix-Apache5HTTPClientPreview-7ba481e.json
@@ -0,0 +1,6 @@
+{
+    "type": "bugfix",
+    "category": "Apache5 HTTP Client (Preview)",
+    "contributor": "",
+    "description": "Fix bug where preemptive Basic authentication was not honored for proxies. Similar to fix for Apache 4.x in [#6333](https://github.com/aws/aws-sdk-java-v2/issues/6333)."
+}
diff --git a/http-clients/apache5-client/src/main/java/software/amazon/awssdk/http/apache5/internal/utils/Apache5Utils.java b/http-clients/apache5-client/src/main/java/software/amazon/awssdk/http/apache5/internal/utils/Apache5Utils.java
@@ -123,6 +123,7 @@ private static void addPreemptiveAuthenticationProxy(HttpClientContext clientCon
             AuthCache authCache = new BasicAuthCache();
             // Generate BASIC scheme object and add it to the local auth cache
             BasicScheme basicAuth = new BasicScheme();
+            basicAuth.initPreemptive(credsProvider.getCredentials(newAuthScope(proxyConfiguration), clientContext));
             authCache.put(targetHost, basicAuth);
 
             clientContext.setCredentialsProvider(credsProvider);
diff --git a/http-clients/apache5-client/src/test/java/software/amazon/awssdk/http/apache5/Apache5HttpClientProxyAuthTest.java b/http-clients/apache5-client/src/test/java/software/amazon/awssdk/http/apache5/Apache5HttpClientProxyAuthTest.java
@@ -19,10 +19,12 @@
 import static com.github.tomakehurst.wiremock.client.WireMock.any;
 import static com.github.tomakehurst.wiremock.client.WireMock.anyRequestedFor;
 import static com.github.tomakehurst.wiremock.client.WireMock.anyUrl;
+import static com.github.tomakehurst.wiremock.client.WireMock.equalTo;
 import static com.github.tomakehurst.wiremock.client.WireMock.matching;
 import static org.assertj.core.api.Assertions.assertThat;
 
 import com.github.tomakehurst.wiremock.WireMockServer;
+import com.github.tomakehurst.wiremock.client.WireMock;
 import com.github.tomakehurst.wiremock.core.WireMockConfiguration;
 import java.net.URI;
 import java.util.Base64;
@@ -66,6 +68,43 @@ public void teardown() {
         }
     }
 
+    @Test
+    public void proxyAuthentication_whenPreemptiveAuthEnabled_shouldSendProxyAuthorizationHeader() throws Exception {
+        mockProxy.stubFor(any(anyUrl())
+                              .withHeader("Proxy-Authorization", equalTo(BASIC_PROXY_AUTH_HEADER))
+                              .willReturn(aResponse()
+                                              .withStatus(200)
+                                              .withBody("Success")));
+
+        // Create HTTP client with preemptive proxy authentication enabled
+        httpClient = Apache5HttpClient.builder()
+                                      .proxyConfiguration(ProxyConfiguration.builder()
+                                                                            .endpoint(URI.create("http://localhost:" + mockProxy.port()))
+                                                                            .username("testuser")
+                                                                            .password("testpass")
+                                                                            .preemptiveBasicAuthenticationEnabled(true)
+                                                                            .build())
+                                      .build();
+
+        // Create a request
+        SdkHttpRequest request = SdkHttpRequest.builder()
+                                               .method(SdkHttpMethod.GET)
+                                               .uri(URI.create("http://example.com/test"))
+                                               .build();
+
+        HttpExecuteRequest executeRequest = HttpExecuteRequest.builder()
+                                                              .request(request)
+                                                              .build();
+
+        // Execute the request - should succeed with preemptive auth header
+        HttpExecuteResponse response = httpClient.prepareRequest(executeRequest).call();
+        assertThat(response.httpResponse().statusCode()).isEqualTo(200);
+
+        mockProxy.verify(1, anyRequestedFor(anyUrl()));
+        mockProxy.verify(WireMock.getRequestedFor(anyUrl())
+                                 .withHeader("Proxy-Authorization", equalTo(BASIC_PROXY_AUTH_HEADER)));
+    }
+
     @Test
     public void proxyAuthentication_whenPreemptiveAuthDisabled_shouldUseChallengeResponseAuth() throws Exception {
         // First request without auth header should get 407
@@ -83,13 +122,13 @@ public void proxyAuthentication_whenPreemptiveAuthDisabled_shouldUseChallengeRes
 
         // Create HTTP client with preemptive proxy authentication disabled
         httpClient = Apache5HttpClient.builder()
-                                     .proxyConfiguration(ProxyConfiguration.builder()
-                                                                           .endpoint(URI.create("http://localhost:" + mockProxy.port()))
-                                                                           .username("testuser")
-                                                                           .password("testpass")
-                                                                           .preemptiveBasicAuthenticationEnabled(false)
-                                                                           .build())
-                                     .build();
+                                      .proxyConfiguration(ProxyConfiguration.builder()
+                                                                            .endpoint(URI.create("http://localhost:" + mockProxy.port()))
+                                                                            .username("testuser")
+                                                                            .password("testpass")
+                                                                            .preemptiveBasicAuthenticationEnabled(false)
+                                                                            .build())
+                                      .build();
 
         // Create a request
         SdkHttpRequest request = SdkHttpRequest.builder()
