Preserve interceptor-set signer properties across auth scheme and endpoint resolution

[S-Saranya1]

Motivation and Context

Customers can override signing properties (like signing region, signing name, payload signing) through execution interceptors using AwsSignerExecutionAttribute. For example:

executionAttributes.putAttribute(AwsSignerExecutionAttribute.SIGNING_REGION, Region.of("eu-west-1"));

After moving auth scheme resolution and endpoint resolution from interceptors to pipeline stages (#6755, #6820), these interceptor-set values were being lost. This happened because:

1. Interceptors run first and set values on SELECTED_AUTH_SCHEME
2. AuthSchemeResolutionStage then resolves a fresh auth scheme, replacing SELECTED_AUTH_SCHEME -interceptor values are gone
3. EndpointResolutionStage may overwrite it again with endpoint-resolved properties

Previously this worked because interceptors ran AFTER auth scheme resolution (which happened in a beforeExecution interceptor), so interceptor writes were the last mutation.

why simple merge won't work : A simple force-overwrite of all pre-existing properties would break services where endpoint rules legitimately change the signing region (e.g., IAM resolves to us-east-1 regardless of client region). The pre-existing SELECTED_AUTH_SCHEME contains both SDK-default values (set by AwsExecutionContextBuilder) and interceptor-set values, they look identical (both are signer properties on the auth scheme option). Force-overwriting all of them would cause SDK defaults to override endpoint-rules-resolved values. Using putSignerPropertyIfAbsent for all of them would cause interceptor-set values to be ignored (since the resolved scheme already has those properties). We need to distinguish between the two.

Modifications

Core idea: Snapshot SELECTED_AUTH_SCHEME before and after interceptors run. Diff the two to identify which properties the interceptor explicitly changed. Force-overwrite those onto the resolved auth scheme, while letting resolved values win for unchanged (SDK-default) properties.

SdkInternalExecutionAttribute — Added two snapshot attributes:

• AUTH_SCHEME_BEFORE_INTERCEPTORS — state before any interceptor runs
• AUTH_SCHEME_AFTER_INTERCEPTORS — state after interceptors, before resolution

AwsExecutionContextBuilder — Snapshots SELECTED_AUTH_SCHEME before running interceptors.

AuthSchemeResolutionStage — After resolving the auth scheme:

• Saves AUTH_SCHEME_AFTER_INTERCEPTORS (the interceptor-modified state)
• Calls mergePreExistingAuthSchemeProperties() which diffs before vs after snapshots. Properties the interceptor changed get force-overwritten (putSignerProperty). Unchanged properties use putSignerPropertyIfAbsent so resolved values win.

EndpointResolutionStage — After the endpoint callback may overwrite SELECTED_AUTH_SCHEME, calls applyInterceptorModifiedProperties() which re-applies interceptor-modified properties using the same diff logic.

AuthSchemeResolver — Added mergePreExistingAuthSchemeProperties() and applyInterceptorModifiedProperties() with the diff-based merge logic.

ExecutionAttributeBackwardsCompatibilityTest — Removed the 3 attribute exclusions from the beforeExecution test. Previously, beforeExecution couldn't override signing region, signing name, and double-url-encode because endpoint rules would overwrite them. With the fix, all interceptor stages can now override all signer properties.

Testing

Screenshots (if appropriate)

Types of changes

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)

Checklist

• I have read the CONTRIBUTING document
• Local run of mvn install succeeds
• My code follows the code style of this project
• My change requires a change to the Javadoc documentation
• I have updated the Javadoc documentation accordingly
• I have added tests to cover my changes
• All new and existing tests passed
• I have added a changelog entry. Adding a new entry must be accomplished by running the scripts/new-change script and following the instructions. Commit the new file created by the script in .changes/next-release with your changes.
• My change is to implement 1.11 parity feature and I have updated LaunchChangelog

License

• I confirm that this pull request can be released under the Apache 2 license

[alextwoods]

nit, duplicated /**?

[alextwoods]

Have we benchmarked this? I'm a little concerned about the performance impact - I'm wondering if theres some way we could at least short circuit this when no interceptors have run. Or can we do an identity check on the authSchemeOption (like beforeInterceptors.authSchemeOption() == selectedAuthScheme.authSchemeOption() ) -since they are immutable, if you change them, it requires building a new object, so could be a quick way to see if any mutation has happened?

[S-Saranya1]

Good point! Added the check to skips the merge when no interceptors have run.