Hi all,
Why does the new Java 11 HTTP client disallow sending the date header
(https://tools.ietf.org/html/rfc7231#section-7.1.1.2) with a request? I was
excited to convert a bunch of code to use the new built-in HTTP client, and by
chance, the first use case I picked was this:
String date = Http.toHttpDate(Instant.now());
String sessionToken = credentials.sessionToken();
String signature = signRequest(uri, date, sessionToken,
credentials.secretAccessKey());
return httpClient.send(HttpRequest.newBuilder(uri).GET()
.header("Date", date)
.header("Authorization", "AWS " + credentials.accessKeyId() + ':' +
signature)
.header("x-amz-security-token", sessionToken)
.build(), HttpResponse.BodyHandlers.ofByteArray());
This snippet is following AWS’s instructions here -
https://docs.aws.amazon.com/AmazonS3/latest/dev/RESTAuthentication.html#UsingTemporarySecurityCredentials
- on how to use temporary credentials to sign a request to S3. Since the date
header is part of what we’re signing, we need to either define or obtain its
value (though the new client doesn’t send it). I found only one person on the
net-dev mailing list discussing the date header (specifically why he thought it
shouldn’t be restricted):
http://mail.openjdk.java.net/pipermail/net-dev/2016-March/009608.html
<http://mail.openjdk.java.net/pipermail/net-dev/2016-March/009608.html>
Thanks,
Anders
