diff --git a/make/sun/net/FILES_java.gmk b/make/sun/net/FILES_java.gmk
index 576159c4799c835652c0e6b9b71bb47dcd18449c..e2a9b7d6f0ebd409944d0049afd61606f5d89037 100644
--- a/make/sun/net/FILES_java.gmk
+++ b/make/sun/net/FILES_java.gmk
@@ -100,6 +100,7 @@ FILES_java = \
 	sun/net/www/protocol/http/NegotiateAuthentication.java \
 	sun/net/www/protocol/http/Negotiator.java \
 	sun/net/www/protocol/http/ntlm/NTLMAuthentication.java \
+	sun/net/www/protocol/http/ntlm/NTLMAuthenticationCallback.java \
 	sun/net/www/protocol/http/spnego/NegotiatorImpl.java \
 	sun/net/www/protocol/http/spnego/NegotiateCallbackHandler.java \
 	sun/net/www/protocol/http/logging/HttpLogFormatter.java \
diff --git a/src/share/classes/sun/net/www/protocol/http/HttpURLConnection.java b/src/share/classes/sun/net/www/protocol/http/HttpURLConnection.java
index 69f12a5c601117c4931afd8a82da3bcabbc47aab..afc8cea03082acd542de21e81c31430c5492ce62 100644
--- a/src/share/classes/sun/net/www/protocol/http/HttpURLConnection.java
+++ b/src/share/classes/sun/net/www/protocol/http/HttpURLConnection.java
@@ -2173,6 +2173,13 @@ public class HttpURLConnection extends java.net.HttpURLConnection {
                         if (tryTransparentNTLMServer) {
                             tryTransparentNTLMServer =
                                     NTLMAuthenticationProxy.proxy.supportsTransparentAuth;
+                            /* If the platform supports transparent authentication
+                             * then check if we are in a secure environment
+                             * whether, or not, we should try transparent authentication.*/
+                            if (tryTransparentNTLMServer) {
+                                tryTransparentNTLMServer =
+                                        NTLMAuthenticationProxy.proxy.isTrustedSite(url);
+                            }
                         }
                         a = null;
                         if (tryTransparentNTLMServer) {
diff --git a/src/share/classes/sun/net/www/protocol/http/NTLMAuthenticationProxy.java b/src/share/classes/sun/net/www/protocol/http/NTLMAuthenticationProxy.java
index a998d2b1226e726c4c739d1a8d05779982f1815f..b235a0bed175f71e5b77a367b1ccabd3ddf5cc9a 100644
--- a/src/share/classes/sun/net/www/protocol/http/NTLMAuthenticationProxy.java
+++ b/src/share/classes/sun/net/www/protocol/http/NTLMAuthenticationProxy.java
@@ -36,12 +36,14 @@ import sun.util.logging.PlatformLogger;
  */
 class NTLMAuthenticationProxy {
     private static Method supportsTA;
+    private static Method isTrustedSite;
     private static final String clazzStr = "sun.net.www.protocol.http.ntlm.NTLMAuthentication";
     private static final String supportsTAStr = "supportsTransparentAuth";
+    private static final String isTrustedSiteStr = "isTrustedSite";
 
     static final NTLMAuthenticationProxy proxy = tryLoadNTLMAuthentication();
     static final boolean supported = proxy != null ? true : false;
-    static final boolean supportsTransparentAuth = supported ? supportsTransparentAuth(supportsTA) : false;
+    static final boolean supportsTransparentAuth = supported ? supportsTransparentAuth() : false;
 
     private final Constructor<? extends AuthenticationInfo> threeArgCtr;
     private final Constructor<? extends AuthenticationInfo> fiveArgCtr;
@@ -82,9 +84,22 @@ class NTLMAuthenticationProxy {
      * authentication (try with the current users credentials before
      * prompting for username and password, etc).
      */
-    private static boolean supportsTransparentAuth(Method method) {
+    private static boolean supportsTransparentAuth() {
         try {
-            return (Boolean)method.invoke(null);
+            return (Boolean)supportsTA.invoke(null);
+        } catch (ReflectiveOperationException roe) {
+            finest(roe);
+        }
+
+        return false;
+    }
+
+    /* Transparent authentication should only be tried with a trusted
+     * site ( when running in a secure environment ).
+     */
+    public static boolean isTrustedSite(URL url) {
+        try {
+            return (Boolean)isTrustedSite.invoke(null, url);
         } catch (ReflectiveOperationException roe) {
             finest(roe);
         }
@@ -112,6 +127,7 @@ class NTLMAuthenticationProxy {
                                             int.class,
                                             PasswordAuthentication.class);
                 supportsTA = cl.getDeclaredMethod(supportsTAStr);
+                isTrustedSite = cl.getDeclaredMethod(isTrustedSiteStr, java.net.URL.class);
                 return new NTLMAuthenticationProxy(threeArg,
                                                    fiveArg);
             }
diff --git a/src/share/classes/sun/net/www/protocol/http/ntlm/NTLMAuthenticationCallback.java b/src/share/classes/sun/net/www/protocol/http/ntlm/NTLMAuthenticationCallback.java
new file mode 100644
index 0000000000000000000000000000000000000000..92886311e0973b9cf7b277c27f13f2dc6a1752d2
--- /dev/null
+++ b/src/share/classes/sun/net/www/protocol/http/ntlm/NTLMAuthenticationCallback.java
@@ -0,0 +1,59 @@
+/*
+ * Copyright (c) 2011, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package sun.net.www.protocol.http.ntlm;
+
+import java.net.URL;
+
+/**
+ * This class is used to call back to deployment to determine if a given
+ * URL is trusted. Transparent authentication (try with logged in users
+ * credentials without prompting) should only be tried with trusted sites.
+ */
+public abstract class NTLMAuthenticationCallback {
+    private static volatile NTLMAuthenticationCallback callback =
+            new DefaultNTLMAuthenticationCallback();
+
+    public static void setNTLMAuthenticationCallback(
+            NTLMAuthenticationCallback callback) {
+        NTLMAuthenticationCallback.callback = callback;
+    }
+
+    public static NTLMAuthenticationCallback getNTLMAuthenticationCallback() {
+        return callback;
+    }
+
+    /**
+     * Returns true if the given site is trusted, i.e. we can try
+     * transparent Authentication.
+     */
+    public abstract boolean isTrustedSite(URL url);
+
+    static class DefaultNTLMAuthenticationCallback extends NTLMAuthenticationCallback {
+        @Override
+        public boolean isTrustedSite(URL url) { return true; }
+    }
+}
+
diff --git a/src/solaris/classes/sun/net/www/protocol/http/ntlm/NTLMAuthentication.java b/src/solaris/classes/sun/net/www/protocol/http/ntlm/NTLMAuthentication.java
index 5ad8b8d54d80aebf2a09012c325b061a771fffaa..be2426d7f722cb9bb3ca60e47d2cd0a12fa9fcbe 100644
--- a/src/solaris/classes/sun/net/www/protocol/http/ntlm/NTLMAuthentication.java
+++ b/src/solaris/classes/sun/net/www/protocol/http/ntlm/NTLMAuthentication.java
@@ -68,6 +68,9 @@ import sun.net.www.protocol.http.HttpURLConnection;
 public class NTLMAuthentication extends AuthenticationInfo {
     private static final long serialVersionUID = 170L;
 
+    private static final NTLMAuthenticationCallback NTLMAuthCallback =
+        NTLMAuthenticationCallback.getNTLMAuthenticationCallback();
+
     private String hostname;
     private static String defaultDomain; /* Domain to use if not specified by user */
 
@@ -81,6 +84,14 @@ public class NTLMAuthentication extends AuthenticationInfo {
         return false;
     }
 
+    /**
+     * Returns true if the given site is trusted, i.e. we can try
+     * transparent Authentication.
+     */
+    public static boolean isTrustedSite(URL url) {
+        return NTLMAuthCallback.isTrustedSite(url);
+    }
+
     private void init0() {
 
         hostname = java.security.AccessController.doPrivileged(
diff --git a/src/windows/classes/sun/net/www/protocol/http/ntlm/NTLMAuthentication.java b/src/windows/classes/sun/net/www/protocol/http/ntlm/NTLMAuthentication.java
index c9c26517d9b8a99fb8af4fa613a7d9e7dfd96139..c4b20db6495695d830e040395db5671291e07016 100644
--- a/src/windows/classes/sun/net/www/protocol/http/ntlm/NTLMAuthentication.java
+++ b/src/windows/classes/sun/net/www/protocol/http/ntlm/NTLMAuthentication.java
@@ -45,6 +45,9 @@ public class NTLMAuthentication extends AuthenticationInfo {
 
     private static final long serialVersionUID = 100L;
 
+    private static final NTLMAuthenticationCallback NTLMAuthCallback =
+        NTLMAuthenticationCallback.getNTLMAuthenticationCallback();
+
     private String hostname;
     private static String defaultDomain; /* Domain to use if not specified by user */
 
@@ -142,6 +145,14 @@ public class NTLMAuthentication extends AuthenticationInfo {
         return true;
     }
 
+    /**
+     * Returns true if the given site is trusted, i.e. we can try
+     * transparent Authentication.
+     */
+    public static boolean isTrustedSite(URL url) {
+        return NTLMAuthCallback.isTrustedSite(url);
+    }
+
     /**
      * Not supported. Must use the setHeaders() method
      */