Affects: Spring Framework 6.0.11 (and HEAD)
The current ReactorClientHttpConnector creates an HttpClient itself and configures it to enable compression. It should also enable proxies using system properties by default by adding .proxyWithSystemProperties() to the defaultInitializer here.
Without this there are a number of beans that are difficult or impossible to configure to use the system proxy settings, such as those involved in OAuth2/OIDC client login - obtaining a token, fetching user info, and fetching JWKS data all use a separate WebClient instance created ultimately using the default ReactorClientHttpConnector.
I am not sure why this client connector isn't using the system proxy settings already: the default RestTemplate does, and if a proxy has been configured at the java system level it is likely to be important.
Comment From: snicoll
> I am not sure why this client connector isn't using the system proxy settings already: the default RestTemplate does, and if a proxy has been configured at the java system level it is likely to be important.
I am not sure what you mean by that. I am not aware our codebase reacts to a system property to configure a proxy. Can you please clarify what you mean by that? Perhaps the connector that you are using is doing this for you?
Comment From: codebje
> > I am not sure why this client connector isn't using the system proxy settings already: the default RestTemplate does, and if a proxy has been configured at the java system level it is likely to be important.
>
> I am not sure what you mean by that. I am not aware our codebase reacts to a system property to configure a proxy. Can you please clarify what you mean by that? Perhaps the connector that you are using is doing this for you?
Hi, thanks for responding.
It is the connector being used that's doing so, but it's not the one I'm using - it's the one that various Spring components are using whenever they invoke new RestTemplate() or WebClient.create().
In my specific circumstances I hit the problem during OpenID Connect login processing, which makes three network calls to fetch resources (four, if one includes the start-up fetch of provider info), all of which use a different WebClient, two of which are relatively easy to provide with a customised WebClient and one of which is not. The start-up fetch is always non-reactive and simply uses the proxy properties. The Spring Security team have a long-standing issue about the general problem of configuring WebClients used here and in other auth components (see https://github.com/spring-projects/spring-security/issues/8882).
Because the choice of connector is hard-wired in WebClientBuilder based on classes available in the class path, and the connectors are not configurable at an application-wide level, I raised this issue to see if there's a specific reason to exclude the use of proxy properties, or if it's something that could be changed at this level.
This change doesn't solve all the concerns that Spring Security are looking into - their issue covers timeouts and load balancing, at least - but it does prevent other people from playing whack-a-mole with finding components that make connections using WebClient.create() that fail when proxies must be used.
Comment From: snicoll
> it's the one that various Spring components are using whenever they invoke new RestTemplate() or WebClient.create().
Sorry, I don't think that answers my question. Can you provide the reference of what is reacting to a system property with RestTemplate?
Comment From: codebje
The Java URL object that's ultimately used to make the connection with RestTemplate is using the system proxy properties, as described here but not very well at all on the javadoc for URL.
The asynchronous connectors used by DefaultWebClientBuilder (Netty, Netty 5, Jetty, OkHttp, and JDK, chosen in that order) are usually operating at the socket level and bypass the Java HTTP framework - except, of course, for JdkClientHttpConnector, but DefaultWebClientBuilder only uses that as a last resort.
Comment From: snicoll
Sorry but there's still no evidence that our web stack is configuring a proxy from system properties. I think you're misleading when you say that RestTemplate does it by default. It can certainly be a feature of the connector that you use, but not something that Spring does.
As a framework, I think we should keep things this way.
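With the framework default left unchanged, the proxy behaviour requested in the issue can be set at application level. The configuration below is an added example, not code from the thread or from Spring: the class and bean names are hypothetical, and it assumes reactive Spring Security OAuth2/OIDC login whose security configuration picks up these beans.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.client.reactive.ReactorClientHttpConnector;
import org.springframework.security.oauth2.client.endpoint.OAuth2AuthorizationCodeGrantRequest;
import org.springframework.security.oauth2.client.endpoint.ReactiveOAuth2AccessTokenResponseClient;
import org.springframework.security.oauth2.client.endpoint.WebClientReactiveAuthorizationCodeTokenResponseClient;
import org.springframework.security.oauth2.client.oidc.userinfo.OidcReactiveOAuth2UserService;
import org.springframework.security.oauth2.client.oidc.userinfo.OidcUserRequest;
import org.springframework.security.oauth2.client.userinfo.DefaultReactiveOAuth2UserService;
import org.springframework.security.oauth2.client.userinfo.ReactiveOAuth2UserService;
import org.springframework.security.oauth2.core.oidc.user.OidcUser;
import org.springframework.web.reactive.function.client.WebClient;
import reactor.netty.http.client.HttpClient;

@Configuration
public class ProxyAwareOAuth2ClientConfig { // hypothetical class name
    // One shared WebClient whose Reactor Netty client honours the JVM proxy properties.
    @Bean
    WebClient proxyAwareWebClient() {
        HttpClient httpClient = HttpClient.create()
                .compress(true)                 // same default the issue describes
                .proxyWithSystemProperties();   // the call the issue asks to add
        return WebClient.builder()
                .clientConnector(new ReactorClientHttpConnector(httpClient))
                .build();
    }

    // Token endpoint call (authorization code exchange) goes through the proxy-aware client.
    @Bean
    ReactiveOAuth2AccessTokenResponseClient<OAuth2AuthorizationCodeGrantRequest>
            tokenResponseClient(WebClient proxyAwareWebClient) {
        var client = new WebClientReactiveAuthorizationCodeTokenResponseClient();
        client.setWebClient(proxyAwareWebClient);
        return client;
    }

    // UserInfo endpoint call for OIDC login goes through the same client.
    @Bean
    ReactiveOAuth2UserService<OidcUserRequest, OidcUser> oidcUserService(WebClient proxyAwareWebClient) {
        var plain = new DefaultReactiveOAuth2UserService();
        plain.setWebClient(proxyAwareWebClient);
        var oidc = new OidcReactiveOAuth2UserService();
        oidc.setOauth2UserService(plain);
        return oidc;
    }
}
```

This covers the token and user info calls only; the JWKS fetch mentioned in the issue is not addressed here.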