HTTPCLIENT-2277: Do not store AUTHORIZATION request header in the cache entry per RFC 9111 section 3.5

This commit is contained in:
Oleg Kalnichevski 2023-10-23 10:14:39 +02:00
parent 1492f57a84
commit fcb86dae11
2 changed files with 6 additions and 1 deletions


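--- a/<path-not-shown>/HttpCacheEntryFactory.java
+++ b/<path-not-shown>/HttpCacheEntryFactory.java
@@ -212,6 +212,8 @@ public class HttpCacheEntryFactory {
 final String s = CacheKeyGenerator.getRequestUri(host, request);
 final URI uri = CacheKeyGenerator.normalize(s);
 final HeaderGroup requestHeaders = filterHopByHopHeaders(request);
+// Strip AUTHORIZATION from request headers
+requestHeaders.removeHeaders(HttpHeaders.AUTHORIZATION);
 final HeaderGroup responseHeaders = filterHopByHopHeaders(response);
 ensureDate(responseHeaders, responseInstant);
 return new HttpCacheEntry(
@@ -256,6 +258,8 @@ public class HttpCacheEntryFactory {
 final String s = CacheKeyGenerator.getRequestUri(host, request);
 final URI uri = CacheKeyGenerator.normalize(s);
 final HeaderGroup requestHeaders = filterHopByHopHeaders(request);
+// Strip AUTHORIZATION from request headers
+requestHeaders.removeHeaders(HttpHeaders.AUTHORIZATION);
 final HeaderGroup mergedHeaders = mergeHeaders(entry, response);
 return new HttpCacheEntry(
 requestInstant,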
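Review bot: The AUTHORIZATION removal at lines 15-16 is repeated verbatim at lines 24-25, so the two entry-creation paths can silently drift apart the next time one of them is touched; a small request-header helper that both call (for example wrapping `filterHopByHopHeaders(request)` and then doing `requestHeaders.removeHeaders(HttpHeaders.AUTHORIZATION)`) would keep the RFC 9111 section 3.5 rule in one place. The added comment states the action rather than the reason; `// RFC 9111 section 3.5: credentials must not be persisted with the cache entry` would tell the next maintainer why the header is dropped. Both enclosing methods start and end outside the hunk, so it is not visible here whether filterHopByHopHeaders already discards Proxy-Authorization as a hop-by-hop header; if it does not, that header carries credentials too and should be stripped alongside Authorization. This change only scrubs the stored copy of the header; whether a response to an authenticated request may be stored at all in a shared cache is presumably decided by the cacheability checks elsewhere, and that is worth confirming separately.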


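--- a/<path-not-shown>/TestHttpCacheEntryFactory.java
+++ b/<path-not-shown>/TestHttpCacheEntryFactory.java
@@ -273,7 +273,8 @@ public class TestHttpCacheEntryFactory {
 new BasicHeader("Keep-Alive", "timeout, max=20"),
 new BasicHeader("X-custom", "my stuff"),
 new BasicHeader(HttpHeaders.ACCEPT, "stuff"),
-new BasicHeader(HttpHeaders.ACCEPT_LANGUAGE, "en, de")
+new BasicHeader(HttpHeaders.ACCEPT_LANGUAGE, "en, de"),
+new BasicHeader(HttpHeaders.AUTHORIZATION, "Super secret")
 );
 response.setHeaders(
 new BasicHeader(HttpHeaders.TRANSFER_ENCODING, "identity"),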
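Review bot: No assertion is visible in this hunk that the cache entry built from this request omits the AUTHORIZATION header added at line 37, so the fixture alone does not prove the factory strips it. The enclosing test method starts and ends outside the hunk; if the assertions that follow do not already cover it, add one checking that the entry's stored request headers contain no `HttpHeaders.AUTHORIZATION` entry, and keep the existing positive checks for `ACCEPT`, `ACCEPT_LANGUAGE` and `X-custom` so an over-eager filter that drops too much is caught as well. A second case where the request carries no Authorization header at all would confirm removeHeaders is a no-op there and the header group is otherwise unchanged.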