GH-5723: address further feedback

JDKHttpClientResponse

getReasonPhrase() now returns the standard IANA phrase for all common
codes (covering everything likely to appear in SPARQL/RDF4J error
paths), and falls back to "HTTP <statusCode>" for anything non-standard
— always meaningful rather than empty.

SPARQLProtocolSessionTest: added sessionManager field;
createProtocolSession() now assigns this.sessionManager; tearDown()
calls sessionManager.shutDown() after closing the session.
  - RDF4JProtocolSessionTest: override does the same — assigns
sessionManager (inherited field) rather than discarding the manager
reference — so the base tearDown() picks it up and shuts it down.

  The executor and the HTTP client are now properly released after every
test method.

UriBuilder

 The logic:
  - indexOf('#') finds the fragment separator (first occurrence, per RFC
3986)
  - beforeFragment holds the scheme/authority/path/query portion — ? vs
& detection runs against this
  - Query parameters are appended to beforeFragment
  - fragment (the #... part, or empty string) is re-appended last,
keeping the URI well-formed

JdkRDF4JHttpClient

Repeatable bodies (isRepeatable() == true — ofBytes, ofString,
ofFormData): reads into byte[] inside a try-with-resources, ensuring the
InputStream is closed. ofByteArray preserves the content-length hint and
redirect-retry safety.
  - Non-repeatable bodies (isRepeatable() == false — ofStream): passes
the stream directly via BodyPublishers.ofInputStream(supplier). The JDK
HttpClient owns and closes the stream after sending, so no buffering and
no leak. The IOException from getContent() is wrapped
  in UncheckedIOException as required by the Supplier interface.

Support for Producer<String> in BearerTokenAuthenticationHandler

Author: aschwarte10

core/http/client-apache5/src/main/java/org/eclipse/rdf4j/http/client/apache5/ApacheHC5HttpClientResponse.java

@@ -25,12 +25,12 @@
  * <p>
  * Closing this response returns the connection to the pool.
  */
-class ApacheHC5HttpClientResponse implements HttpResponse {
+public class ApacheHC5HttpClientResponse implements HttpResponse {
 
 	private final ClassicHttpResponse response;
 	private final List<HttpHeader> headers;
 
-	ApacheHC5HttpClientResponse(ClassicHttpResponse response) {
+	public ApacheHC5HttpClientResponse(ClassicHttpResponse response) {
 		this.response = response;
 		this.headers = Arrays.stream(response.getHeaders())
 				.map(h -> HttpHeader.of(h.getName(), h.getValue()))

core/http/client-apache5/src/main/java/org/eclipse/rdf4j/http/client/apache5/ApacheHC5RDF4JHttpClient.java

@@ -45,7 +45,7 @@ public class ApacheHC5RDF4JHttpClient implements RDF4JHttpClient {
 	 */
 	private final int maxRetries408;
 
-	ApacheHC5RDF4JHttpClient(CloseableHttpClient httpClient, int maxConnectionsPerRoute) {
+	public ApacheHC5RDF4JHttpClient(CloseableHttpClient httpClient, int maxConnectionsPerRoute) {
 		this.httpClient = httpClient;
 		this.maxRetries408 = maxConnectionsPerRoute + 1;
 	}
@@ -123,7 +123,7 @@ public void close() {
 		try {
 			httpClient.close();
 		} catch (IOException e) {
-			// ignore on close
+			logger.trace("Error while closing http client: " + e.getMessage(), e);
 		}
 	}
 }

core/http/client-api/src/main/java/org/eclipse/rdf4j/http/client/spi/BearerTokenAuthenticationHandler.java

@@ -16,35 +16,65 @@
  * {@link AuthenticationHandler} that adds an HTTP Bearer token to every request.
  *
  * <p>
- * The {@code Authorization: Bearer <token>} header is set from the token supplied at construction time and appended to
- * every request passed to {@link #authenticate(HttpRequest)}.
+ * The {@code Authorization: Bearer <token>} header is added to every request passed to
+ * {@link #authenticate(HttpRequest)}. The token can be supplied either as a static string or as a
+ * {@link Producer}{@code <String>} that is invoked on each request, allowing dynamic tokens such as short-lived OAuth
+ * access tokens to be refreshed transparently.
  *
  * <p>
- * Example usage:
+ * Example usage with a static token:
  *
  * <pre>
- * SPARQLProtocolSession session = ...;
  * session.setAuthenticationHandler(new BearerTokenAuthenticationHandler("my-token"));
  * </pre>
  *
+ * <p>
+ * Example usage with a dynamic token producer:
+ *
+ * <pre>
+ * session.setAuthenticationHandler(new BearerTokenAuthenticationHandler(tokenStore::currentToken));
+ * </pre>
+ *
  * @see AuthenticationHandler
  */
 public class BearerTokenAuthenticationHandler implements AuthenticationHandler {
 
-	private final String authorizationHeaderValue;
+	private final Producer<String> tokenProducer;
 
 	/**
-	 * Creates a new {@link BearerTokenAuthenticationHandler} for the given token.
+	 * Creates a new {@link BearerTokenAuthenticationHandler} for the given static token.
 	 *
 	 * @param token the bearer token; must not be {@code null}
 	 */
 	public BearerTokenAuthenticationHandler(String token) {
 		Objects.requireNonNull(token, "token must not be null");
-		this.authorizationHeaderValue = "Bearer " + token;
+		this.tokenProducer = () -> token;
+	}
+
+	/**
+	 * Creates a new {@link BearerTokenAuthenticationHandler} that obtains the bearer token by invoking the given
+	 * {@link Producer} on each request.
+	 *
+	 * <p>
+	 * Use this constructor when the token may change over time (e.g. a short-lived OAuth access token that is refreshed
+	 * by the producer). The producer is called once per request; any checked exception it throws is wrapped in an
+	 * {@link IllegalStateException}.
+	 *
+	 * @param tokenProducer a producer that returns the current bearer token; must not be {@code null}
+	 */
+	public BearerTokenAuthenticationHandler(Producer<String> tokenProducer) {
+		Objects.requireNonNull(tokenProducer, "tokenProducer must not be null");
+		this.tokenProducer = tokenProducer;
 	}
 
 	@Override
 	public void authenticate(HttpRequest request) {
-		request.addHeader("Authorization", authorizationHeaderValue);
+		try {
+			request.addHeader("Authorization", "Bearer " + tokenProducer.produce());
+		} catch (RuntimeException e) {
+			throw e;
+		} catch (Exception e) {
+			throw new IllegalStateException("Failed to produce bearer token", e);
+		}
 	}
 }

core/http/client-api/src/main/java/org/eclipse/rdf4j/http/client/spi/HttpRequest.java

@@ -40,7 +40,7 @@
  * @see RDF4JHttpClient
  * @see HttpRequestBody
  */
-public final class HttpRequest {
+public class HttpRequest {
 
 	private final String method;
 	private final URI uri;

core/http/client-api/src/main/java/org/eclipse/rdf4j/http/client/spi/Producer.java

@@ -0,0 +1,33 @@
+/*******************************************************************************
+ * Copyright (c) 2026 Eclipse RDF4J contributors.
+ *
+ * All rights reserved. This program and the accompanying materials
+ * are made available under the terms of the Eclipse Distribution License v1.0
+ * which accompanies this distribution, and is available at
+ * http://www.eclipse.org/org/documents/edl-v10.php.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ *******************************************************************************/
+package org.eclipse.rdf4j.http.client.spi;
+
+/**
+ * A supplier of values that may throw a checked exception.
+ *
+ * <p>
+ * Unlike {@link java.util.function.Supplier}, this interface allows implementations to throw checked exceptions, making
+ * it suitable for token sources that perform I/O, call external services, or otherwise fail in checked ways (e.g.
+ * fetching an OAuth access token or reading a secret from a vault).
+ *
+ * @param <T> the type of value produced
+ */
+@FunctionalInterface
+public interface Producer<T> {
+
+	/**
+	 * Produces a value.
+	 *
+	 * @return the produced value
+	 * @throws Exception if production fails
+	 */
+	T produce() throws Exception;
+}

core/http/client-api/src/main/java/org/eclipse/rdf4j/http/client/spi/RDF4JHttpClientConfig.java

@@ -36,7 +36,7 @@
  * @see RDF4JHttpClient
  * @see RDF4JHttpClientFactory
  */
-public final class RDF4JHttpClientConfig {
+public class RDF4JHttpClientConfig {
 
 	private final int connectTimeoutMs;
 	private final int socketTimeoutMs;
@@ -50,7 +50,7 @@ public final class RDF4JHttpClientConfig {
 	private final boolean disableHostnameVerification;
 	private final List<HttpHeader> defaultHeaders;
 
-	private RDF4JHttpClientConfig(Builder builder) {
+	protected RDF4JHttpClientConfig(Builder builder) {
 		this.connectTimeoutMs = builder.connectTimeoutMs;
 		this.socketTimeoutMs = builder.socketTimeoutMs;
 		this.connectionRequestTimeoutMs = builder.connectionRequestTimeoutMs;
@@ -208,7 +208,7 @@ public static Builder newBuilder() {
 	 * <li>{@code disableHostnameVerification} = {@code false}</li>
 	 * </ul>
 	 */
-	public static final class Builder {
+	public static class Builder {
 		private int connectTimeoutMs = 30_000;
 		private int socketTimeoutMs = 0;
 		private int connectionRequestTimeoutMs = 3_600_000;
@@ -221,7 +221,7 @@ public static final class Builder {
 		private boolean disableHostnameVerification = false;
 		private List<HttpHeader> defaultHeaders = List.of();
 
-		private Builder() {
+		protected Builder() {
 		}
 
 		/**

core/http/client-api/src/main/java/org/eclipse/rdf4j/http/client/spi/UriBuilder.java

@@ -71,8 +71,13 @@ public URI build() {
 		if (params.isEmpty()) {
 			return URI.create(baseUrl);
 		}
-		StringBuilder sb = new StringBuilder(baseUrl);
-		boolean first = !baseUrl.contains("?");
+		// Split off any fragment so query parameters are inserted before it
+		int fragmentIdx = baseUrl.indexOf('#');
+		String beforeFragment = fragmentIdx >= 0 ? baseUrl.substring(0, fragmentIdx) : baseUrl;
+		String fragment = fragmentIdx >= 0 ? baseUrl.substring(fragmentIdx) : "";
+
+		StringBuilder sb = new StringBuilder(beforeFragment);
+		boolean first = !beforeFragment.contains("?");
 		for (NameValuePair nvp : params) {
 			if (nvp.getValue() == null) {
 				continue;
@@ -83,6 +88,7 @@ public URI build() {
 			sb.append('=');
 			sb.append(URLEncoder.encode(nvp.getValue(), StandardCharsets.UTF_8));
 		}
+		sb.append(fragment);
 		return URI.create(sb.toString());
 	}
 

core/http/client-api/src/test/java/org/eclipse/rdf4j/http/client/spi/UriBuilderTest.java

@@ -0,0 +1,59 @@
+/*******************************************************************************
+ * Copyright (c) 2026 Eclipse RDF4J contributors.
+ *
+ * All rights reserved. This program and the accompanying materials
+ * are made available under the terms of the Eclipse Distribution License v1.0
+ * which accompanies this distribution, and is available at
+ * http://www.eclipse.org/org/documents/edl-v10.php.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ *******************************************************************************/
+package org.eclipse.rdf4j.http.client.spi;
+
+import static org.assertj.core.api.Assertions.assertThat;
+
+import java.net.URI;
+
+import org.junit.jupiter.api.Test;
+
+public class UriBuilderTest {
+
+	@Test
+	public void testFragmentInBaseUrl_queryInsertedBeforeFragment() {
+		URI uri = UriBuilder.from("http://example.com/path#section1")
+				.addParameter("foo", "bar")
+				.build();
+
+		assertThat(uri.toString()).isEqualTo("http://example.com/path?foo=bar#section1");
+		assertThat(uri.getFragment()).isEqualTo("section1");
+		assertThat(uri.getQuery()).isEqualTo("foo=bar");
+	}
+
+	@Test
+	public void testFragmentInBaseUrl_existingQueryAndFragment() {
+		URI uri = UriBuilder.from("http://example.com/path?existing=1#section1")
+				.addParameter("foo", "bar")
+				.build();
+
+		assertThat(uri.toString()).isEqualTo("http://example.com/path?existing=1&foo=bar#section1");
+		assertThat(uri.getFragment()).isEqualTo("section1");
+		assertThat(uri.getQuery()).isEqualTo("existing=1&foo=bar");
+	}
+
+	@Test
+	public void testNoFragment_queryAppendedNormally() {
+		URI uri = UriBuilder.from("http://example.com/path")
+				.addParameter("foo", "bar")
+				.build();
+
+		assertThat(uri.toString()).isEqualTo("http://example.com/path?foo=bar");
+		assertThat(uri.getFragment()).isNull();
+	}
+
+	@Test
+	public void testFragmentInBaseUrl_noParams_returnsBaseUrlUnchanged() {
+		URI uri = UriBuilder.from("http://example.com/path#section1").build();
+
+		assertThat(uri.toString()).isEqualTo("http://example.com/path#section1");
+	}
+}

core/http/client-jdk/src/main/java/org/eclipse/rdf4j/http/client/jdk/JdkHttpClientResponse.java

@@ -15,19 +15,55 @@
 import java.io.OutputStream;
 import java.net.http.HttpResponse;
 import java.util.List;
+import java.util.Map;
 import java.util.stream.Collectors;
 
 import org.eclipse.rdf4j.http.client.spi.HttpHeader;
 
 /**
  * {@link HttpResponse} backed by a JDK {@link HttpResponse}.
  */
-class JdkHttpClientResponse implements org.eclipse.rdf4j.http.client.spi.HttpResponse {
+public class JdkHttpClientResponse implements org.eclipse.rdf4j.http.client.spi.HttpResponse {
+
+	// The JDK HttpClient does not expose reason phrases (HTTP/2 removed them).
+	// This table covers the standard codes most relevant for error reporting.
+	private static final Map<Integer, String> REASON_PHRASES = Map.ofEntries(
+			Map.entry(100, "Continue"),
+			Map.entry(101, "Switching Protocols"),
+			Map.entry(200, "OK"),
+			Map.entry(201, "Created"),
+			Map.entry(204, "No Content"),
+			Map.entry(206, "Partial Content"),
+			Map.entry(301, "Moved Permanently"),
+			Map.entry(302, "Found"),
+			Map.entry(303, "See Other"),
+			Map.entry(304, "Not Modified"),
+			Map.entry(307, "Temporary Redirect"),
+			Map.entry(308, "Permanent Redirect"),
+			Map.entry(400, "Bad Request"),
+			Map.entry(401, "Unauthorized"),
+			Map.entry(403, "Forbidden"),
+			Map.entry(404, "Not Found"),
+			Map.entry(405, "Method Not Allowed"),
+			Map.entry(406, "Not Acceptable"),
+			Map.entry(408, "Request Timeout"),
+			Map.entry(409, "Conflict"),
+			Map.entry(410, "Gone"),
+			Map.entry(413, "Content Too Large"),
+			Map.entry(414, "URI Too Long"),
+			Map.entry(415, "Unsupported Media Type"),
+			Map.entry(429, "Too Many Requests"),
+			Map.entry(500, "Internal Server Error"),
+			Map.entry(501, "Not Implemented"),
+			Map.entry(502, "Bad Gateway"),
+			Map.entry(503, "Service Unavailable"),
+			Map.entry(504, "Gateway Timeout")
+	);
 
 	private final HttpResponse<InputStream> response;
 	private final List<HttpHeader> headers;
 
-	JdkHttpClientResponse(HttpResponse<InputStream> response) {
+	public JdkHttpClientResponse(HttpResponse<InputStream> response) {
 		this.response = response;
 		this.headers = response.headers()
 				.map()
@@ -44,7 +80,7 @@ public int getStatusCode() {
 
 	@Override
 	public String getReasonPhrase() {
-		return "";
+		return REASON_PHRASES.getOrDefault(response.statusCode(), "HTTP " + response.statusCode());
 	}
 
 	@Override

core/http/client-jdk/src/main/java/org/eclipse/rdf4j/http/client/jdk/JdkRDF4JHttpClient.java

@@ -11,6 +11,8 @@
 package org.eclipse.rdf4j.http.client.jdk;
 
 import java.io.IOException;
+import java.io.InputStream;
+import java.io.UncheckedIOException;
 import java.net.http.HttpClient;
 import java.net.http.HttpRequest;
 import java.net.http.HttpRequest.BodyPublisher;
@@ -32,7 +34,7 @@ public class JdkRDF4JHttpClient implements RDF4JHttpClient {
 	private final HttpClient httpClient;
 	private final RDF4JHttpClientConfig config;
 
-	JdkRDF4JHttpClient(HttpClient httpClient, RDF4JHttpClientConfig config) {
+	public JdkRDF4JHttpClient(HttpClient httpClient, RDF4JHttpClientConfig config) {
 		this.httpClient = httpClient;
 		this.config = config;
 	}
@@ -60,10 +62,23 @@ public org.eclipse.rdf4j.http.client.spi.HttpResponse execute(org.eclipse.rdf4j.
 			BodyPublisher bodyPublisher;
 			if (request.getBody().isPresent()) {
 				HttpRequestBody body = request.getBody().get();
-				// Read to byte[] for re-readability on redirect
-				byte[] bytes = body.getContent().readAllBytes();
 				builder.header("Content-Type", body.getContentType());
-				bodyPublisher = BodyPublishers.ofByteArray(bytes);
+				if (body.isRepeatable()) {
+					// Buffered body: read into byte[] (safe for redirect retries) and close the stream
+					try (InputStream in = body.getContent()) {
+						bodyPublisher = BodyPublishers.ofByteArray(in.readAllBytes());
+					}
+				} else {
+					// Streaming body: pass directly to avoid buffering large payloads into memory;
+					// the JDK HttpClient closes the stream after the request is sent
+					bodyPublisher = BodyPublishers.ofInputStream(() -> {
+						try {
+							return body.getContent();
+						} catch (IOException e) {
+							throw new UncheckedIOException(e);
+						}
+					});
+				}
 			} else {
 				bodyPublisher = BodyPublishers.noBody();
 			}