We have filed
https://bugs.openjdk.java.net/browse/JDK-8213189
"Make restricted headers in HTTP Client configurable and remove Date by
default"
which should deal with this finally.
- Michael
On 31/10/2018, 17:46, Thomas Lußnig wrote:
Hi all,
From the number of problems that are coming up with these limits,
I think there should be a switch allowing all headers. Because why
limit them?
Anyone who wants to misuse them can do it via plain "Socket" or
SslSocket without limit.
I think there are more examples of why this limit is bad. So simply
remove that check altogether
and allow any header.
Regards, Thomas
On 31.10.2018 17:31:16, Anders Wisch wrote:
Hi all,
Why does the new Java 11 HTTP client disallow sending the date header
(https://tools.ietf.org/html/rfc7231#section-7.1.1.2) with a request?
I was excited to convert a bunch of code to use the new built-in HTTP
client, and by chance, the first use case I picked was this:
    // Http.toHttpDate, credentials and signRequest are helpers from the poster's own code;
    // HttpRequest and HttpResponse are java.net.http types, Instant is java.time.Instant.
    String date = Http.toHttpDate(Instant.now());
    String sessionToken = credentials.sessionToken();
    String signature = signRequest(uri, date, sessionToken,
            credentials.secretAccessKey());
    return httpClient.send(HttpRequest.newBuilder(uri).GET()
            .header("Date", date)   // the header the Java 11 client rejects as restricted
            .header("Authorization", "AWS " +
                    credentials.accessKeyId() + ':' + signature)
            .header("x-amz-security-token", sessionToken)
            .build(), HttpResponse.BodyHandlers.ofByteArray());
This snippet is following AWS’s instructions here -
https://docs.aws.amazon.com/AmazonS3/latest/dev/RESTAuthentication.html#UsingTemporarySecurityCredentials -
on how to use temporary credentials to sign a request to S3. Since
the date header is part of what we’re signing, we need to either
define or obtain its value (though the new client doesn’t send it). I
found only one person on the net-dev mailing list discussing the date
header (specifically why he thought it shouldn’t be restricted):
http://mail.openjdk.java.net/pipermail/net-dev/2016-March/009608.html
Thanks,
Anders
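The following is a worked example added to this thread as an illustration; it is not Anders's code, nor code from the JDK or from AWS. It builds the S3 Signature Version 2 string-to-sign that the linked AWS page describes (verb, Content-MD5, Content-Type, Date, canonicalized x-amz-* headers, canonicalized resource; HMAC-SHA1 over it, Base64-encoded) and then constructs the request two ways: variant A signs and sends the Date header exactly as in the snippet above, which on JDK 11 fails in HttpRequest.Builder.header with an IllegalArgumentException because Date is on the client's restricted-header list (JDK-8213189 removes Date from that list and adds the jdk.httpclient.allowRestrictedHeaders system property for the remaining ones); variant B uses the alternative the S3 documentation offers for clients that cannot set Date, an x-amz-date header with the empty string in the Date line of the string-to-sign, which works on an unmodified JDK 11 client. The bucket, object key, access key, secret key and session token are constructed placeholders, and the request is built but not sent.

```java
import java.net.URI;
import java.net.http.HttpRequest;
import java.nio.charset.StandardCharsets;
import java.time.ZoneOffset;
import java.time.ZonedDateTime;
import java.time.format.DateTimeFormatter;
import java.util.Base64;
import java.util.Locale;
import java.util.Map;
import java.util.TreeMap;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class S3SigV2Request {
    // Constructed example credentials (AWS documentation sample values, not real keys).
    static final String ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE";
    static final String SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY";
    static final String SESSION_TOKEN = "AQoDYXdzEXAMPLE-SESSION-TOKEN";

    // IMF-fixdate as required by RFC 7231 section 7.1.1.2, always in GMT.
    static final DateTimeFormatter HTTP_DATE =
            DateTimeFormatter.ofPattern("EEE, dd MMM yyyy HH:mm:ss 'GMT'", Locale.US);

    static String httpDate(ZonedDateTime t) {
        return HTTP_DATE.format(t.withZoneSameInstant(ZoneOffset.UTC));
    }

    // S3 Signature Version 2 StringToSign for a bodiless GET:
    //   Verb \n Content-MD5 \n Content-Type \n Date \n CanonicalizedAmzHeaders CanonicalizedResource
    static String stringToSign(String verb, String date, Map<String, String> amzHeaders, String resource) {
        StringBuilder sb = new StringBuilder(verb).append('\n')
                .append('\n')          // Content-MD5: empty, no body
                .append('\n')          // Content-Type: empty, no body
                .append(date).append('\n');
        // x-amz-* headers: lower-cased names, sorted, one "name:value\n" each
        Map<String, String> sorted = new TreeMap<>();
        amzHeaders.forEach((k, v) -> sorted.put(k.toLowerCase(Locale.ROOT), v.trim()));
        sorted.forEach((k, v) -> sb.append(k).append(':').append(v).append('\n'));
        return sb.append(resource).toString();
    }

    // Signature = Base64(HMAC-SHA1(SecretAccessKey, UTF-8(StringToSign)))
    static String sign(String secretAccessKey, String stringToSign) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA1");
        mac.init(new SecretKeySpec(secretAccessKey.getBytes(StandardCharsets.UTF_8), "HmacSHA1"));
        return Base64.getEncoder().encodeToString(mac.doFinal(stringToSign.getBytes(StandardCharsets.UTF_8)));
    }

    static String authorization(String signature) {
        return "AWS " + ACCESS_KEY_ID + ":" + signature;
    }

    // Variant A (the thread's approach): sign the Date header and send it yourself.
    // On JDK 11 Builder.header("Date", ...) throws IllegalArgumentException because
    // Date is a restricted header; JDK-8213189 removes Date from that list.
    static HttpRequest withDateHeader(URI uri, String resource, ZonedDateTime now) throws Exception {
        String date = httpDate(now);
        Map<String, String> amz = Map.of("x-amz-security-token", SESSION_TOKEN);
        String sig = sign(SECRET_ACCESS_KEY, stringToSign("GET", date, amz, resource));
        HttpRequest.Builder b = HttpRequest.newBuilder(uri).GET()
                .header("Date", date)
                .header("Authorization", authorization(sig));
        amz.forEach(b::header);
        return b.build();
    }

    // Variant B (the S3 docs' alternative for clients that cannot set Date): send x-amz-date
    // instead and use the empty string for the Date line of the StringToSign. S3 ignores any
    // Date header when x-amz-date is present, so this works on an unmodified JDK 11 client.
    static HttpRequest withAmzDateHeader(URI uri, String resource, ZonedDateTime now) throws Exception {
        Map<String, String> amz = Map.of("x-amz-date", httpDate(now),
                                         "x-amz-security-token", SESSION_TOKEN);
        String sig = sign(SECRET_ACCESS_KEY, stringToSign("GET", "", amz, resource));
        HttpRequest.Builder b = HttpRequest.newBuilder(uri).GET()
                .header("Authorization", authorization(sig));
        amz.forEach(b::header);
        return b.build();
    }

    public static void main(String[] args) throws Exception {
        // Constructed bucket and key; the resource is "/" + bucket + key (CanonicalizedResource).
        URI uri = URI.create("https://examplebucket.s3.amazonaws.com/photos/puppy.jpg");
        String resource = "/examplebucket/photos/puppy.jpg";
        ZonedDateTime now = ZonedDateTime.now(ZoneOffset.UTC);
        try {
            HttpRequest r = withDateHeader(uri, resource, now);
            System.out.println("Date accepted: " + r.headers().firstValue("Date").orElse("?"));
        } catch (IllegalArgumentException e) {
            System.out.println("Date rejected by this JDK: " + e.getMessage());
        }
        HttpRequest r = withAmzDateHeader(uri, resource, now);
        System.out.println("x-amz-date variant headers: " + r.headers().map());
        // Sending is left out: HttpClient.newHttpClient().send(r, HttpResponse.BodyHandlers.ofByteArray())
    }
}
```

Two practical points. The signed timestamp, whichever header carries it, must be within S3's clock tolerance of the server's time (the AWS page states the window), so the value has to be generated at request time rather than cached. And whichever variant is used, every x-amz-* header that is sent, including x-amz-security-token, must also be in the canonicalized headers of the string-to-sign, otherwise S3 computes a different signature and rejects the request.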