HTTPCLIENT-2277: Do not store AUTHORIZATION request header in the cache entry per RFC 9111 section 3.5
parent
1492f57a84
commit
fcb86dae11
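--- a/.../HttpCacheEntryFactory.java
+++ b/.../HttpCacheEntryFactory.java
@@ -212,6 +212,8 @@ public class HttpCacheEntryFactory {
 final String s = CacheKeyGenerator.getRequestUri(host, request);
 final URI uri = CacheKeyGenerator.normalize(s);
 final HeaderGroup requestHeaders = filterHopByHopHeaders(request);
+// Strip AUTHORIZATION from request headers
+requestHeaders.removeHeaders(HttpHeaders.AUTHORIZATION);
 final HeaderGroup responseHeaders = filterHopByHopHeaders(response);
 ensureDate(responseHeaders, responseInstant);
 return new HttpCacheEntry(
@@ -256,6 +258,8 @@ public class HttpCacheEntryFactory {
 final String s = CacheKeyGenerator.getRequestUri(host, request);
 final URI uri = CacheKeyGenerator.normalize(s);
 final HeaderGroup requestHeaders = filterHopByHopHeaders(request);
+// Strip AUTHORIZATION from request headers
+requestHeaders.removeHeaders(HttpHeaders.AUTHORIZATION);
 final HeaderGroup mergedHeaders = mergeHeaders(entry, response);
 return new HttpCacheEntry(
 requestInstant,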
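Review bot: The Authorization strip is pasted verbatim into both entry-creation paths (the hunk at 212 and again at 258), so a third path that builds a HttpCacheEntry from a request — or a later edit to one of these two — can silently drop it; the two lines belong in the one place both methods already share, `filterHopByHopHeaders(request)`, or in a small helper such as `private static HeaderGroup stripCredentials(final HeaderGroup headers)` called right after it. The comment should also say why, since "strip" alone reads like an optimisation: `// Never persist credentials in the cache entry (RFC 9111 section 3.5)`. Whether `filterHopByHopHeaders` already removes `Proxy-Authorization` is not visible here; if it does not, the same sentence applies to it, and a `Cookie` header (not covered by 9111 §3.5) is still written to the entry as-is, which is worth a deliberate, documented decision rather than an omission. Both enclosing methods start and end outside the hunks.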
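--- a/.../TestHttpCacheEntryFactory.java
+++ b/.../TestHttpCacheEntryFactory.java
@@ -273,7 +273,8 @@ public class TestHttpCacheEntryFactory {
 new BasicHeader("Keep-Alive", "timeout, max=20"),
 new BasicHeader("X-custom", "my stuff"),
 new BasicHeader(HttpHeaders.ACCEPT, "stuff"),
-new BasicHeader(HttpHeaders.ACCEPT_LANGUAGE, "en, de")
+new BasicHeader(HttpHeaders.ACCEPT_LANGUAGE, "en, de"),
+new BasicHeader(HttpHeaders.AUTHORIZATION, "Super secret")
 );
 response.setHeaders(
 new BasicHeader(HttpHeaders.TRANSFER_ENCODING, "identity"),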
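Review bot: The hunk only adds the `AUTHORIZATION` header to the request fixture; the assertion that the created entry's request headers no longer contain it is not in view, so if the test relies on an existing "expected headers" comparison further down, a regression that keeps the header would only be caught if that comparison is exact rather than subset-based — worth confirming. A second fixture header spelled with a different case (e.g. `"authorization"`) would also pin that the strip is case-insensitive, which is the property RFC 9111 actually needs. The enclosing test method starts and ends outside the hunk.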