Date header and Java 11 HTTP client
Anders Wisch
anders at featureshock.com
Wed Oct 31 16:31:16 UTC 2018
Hi all,
Why does the new Java 11 HTTP client disallow sending the date header (https://tools.ietf.org/html/rfc7231#section-7.1.1.2) with a request? I was excited to convert a bunch of code to use the new built-in HTTP client, and by chance, the first use case I picked was this:
String date = Http.toHttpDate(Instant.now());
String sessionToken = credentials.sessionToken();
String signature = signRequest(uri, date, sessionToken, credentials.secretAccessKey());
return httpClient.send(HttpRequest.newBuilder(uri).GET()
.header("Date", date)
.header("Authorization", "AWS " + credentials.accessKeyId() + ':' + signature)
.header("x-amz-security-token", sessionToken)
.build(), HttpResponse.BodyHandlers.ofByteArray());
This snippet is following AWS’s instructions here - https://docs.aws.amazon.com/AmazonS3/latest/dev/RESTAuthentication.html#UsingTemporarySecurityCredentials - on how to use temporary credentials to sign a request to S3. Since the date header is part of what we’re signing, we need to either define or obtain its value (though the new client doesn’t send it). I found only one person on the net-dev mailing list discussing the date header (specifically why he thought it shouldn’t be restricted): http://mail.openjdk.java.net/pipermail/net-dev/2016-March/009608.html <http://mail.openjdk.java.net/pipermail/net-dev/2016-March/009608.html>
Thanks,
Anders
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.openjdk.java.net/pipermail/net-dev/attachments/20181031/b6838b17/attachment.html>
More information about the net-dev
mailing list