Proxy & Kerberos Authentication
JAATO provides unified proxy support and Kerberos/SPNEGO authentication for enterprise environments where outbound traffic must traverse HTTP proxies. The shared/http/ module abstracts proxy configuration across three HTTP libraries (urllib, requests, httpx) and provides exact host matching via JAATO_NO_PROXY and transparent Kerberos token generation via pyspnego.
Proxy Configuration
| Variable | Standard | Description |
|---|---|---|
HTTPS_PROXY | Yes | Proxy URL for HTTPS requests |
HTTP_PROXY | Yes | Proxy URL for HTTP requests |
NO_PROXY | Yes | Hosts to bypass proxy (suffix matching) |
JAATO_NO_PROXY | JAATO-specific | Hosts to bypass proxy (exact matching) |
JAATO_KERBEROS_PROXY | JAATO-specific | Enable Kerberos/SPNEGO proxy auth |
Exact Host Matching
Standard NO_PROXY uses suffix matching, which can produce unintended bypasses (e.g., .corp.com matches malicious-corp.com). JAATO_NO_PROXY uses exact matching: only explicitly listed hostnames bypass the proxy. Both can be used simultaneously — JAATO_NO_PROXY is checked first.
SPNEGO Authentication Flow
When JAATO_KERBEROS_PROXY=true, the module generates SPNEGO tokens using the system's Kerberos credentials via pyspnego. A PreAuthProxyHandler attaches the token proactively to avoid the 407 round-trip, while a KerberosProxyHandler handles 407 responses reactively if the pre-auth token is stale.
Multi-Library Adapters
The shared/http/ module provides factory functions for consistent proxy behavior across all three HTTP libraries used in the codebase:
| Library | Factory Function | Used By |
|---|---|---|
| urllib | get_url_opener() | OAuth flows, device code polling |
| requests | get_requests_session() | GitHub Copilot client, web fetch |
| httpx | get_httpx_client() / get_httpx_async_client() | Anthropic, Google Antigravity, GitHub OAuth |
Platform Support
| Platform | Kerberos Backend | Credential Source |
|---|---|---|
| Windows | SSPI (native) | Domain login (automatic) |
| macOS | GSS.framework | kinit or Kerberos ticket cache |
| Linux | MIT Kerberos | kinit (must have valid ticket) |