HTTPCLIENT-2277: Do not store AUTHORIZATION request header in the cache entry per RFC 9111 section 3.5

httpclient5-cache/src/main/java/org/apache/hc/client5/http/cache/HttpCacheEntryFactory.java

@@ -212,6 +212,8 @@ public class HttpCacheEntryFactory {
         final String s = CacheKeyGenerator.getRequestUri(host, request);
         final URI uri = CacheKeyGenerator.normalize(s);
         final HeaderGroup requestHeaders = filterHopByHopHeaders(request);
+        // Strip AUTHORIZATION from request headers
+        requestHeaders.removeHeaders(HttpHeaders.AUTHORIZATION);
         final HeaderGroup responseHeaders = filterHopByHopHeaders(response);
         ensureDate(responseHeaders, responseInstant);
         return new HttpCacheEntry(
@@ -256,6 +258,8 @@ public class HttpCacheEntryFactory {
         final String s = CacheKeyGenerator.getRequestUri(host, request);
         final URI uri = CacheKeyGenerator.normalize(s);
         final HeaderGroup requestHeaders = filterHopByHopHeaders(request);
+        // Strip AUTHORIZATION from request headers
+        requestHeaders.removeHeaders(HttpHeaders.AUTHORIZATION);
         final HeaderGroup mergedHeaders = mergeHeaders(entry, response);
         return new HttpCacheEntry(
                 requestInstant,

httpclient5-cache/src/test/java/org/apache/hc/client5/http/cache/TestHttpCacheEntryFactory.java

@@ -273,7 +273,8 @@ public class TestHttpCacheEntryFactory {
                 new BasicHeader("Keep-Alive", "timeout, max=20"),
                 new BasicHeader("X-custom", "my stuff"),
                 new BasicHeader(HttpHeaders.ACCEPT, "stuff"),
-                new BasicHeader(HttpHeaders.ACCEPT_LANGUAGE, "en, de")
+                new BasicHeader(HttpHeaders.ACCEPT_LANGUAGE, "en, de"),
+                new BasicHeader(HttpHeaders.AUTHORIZATION, "Super secret")
         );
         response.setHeaders(
                 new BasicHeader(HttpHeaders.TRANSFER_ENCODING, "identity"),