Date header and Java 11 HTTP client

Thomas Lußnig openjdk at suche.org
Wed Oct 31 17:46:08 UTC 2018


Hi all,

From the count of problems that are coming up with these limits,
I think there should be a switch for allowing all headers. Because why 
limit them?
Anyone who wants to misuse them can do it via plain "Socket" or 
SslSocket without limit.
I think there are more samples why this limit is bad. So simply remove 
that check altogether
and allow any header.

Gruß Thomas

On 31.10.2018 17:31:16, Anders Wisch wrote:
> Hi all,
>
> Why does the new Java 11 HTTP client disallow sending the date header 
> (https://tools.ietf.org/html/rfc7231#section-7.1.1.2) with a request? 
> I was excited to convert a bunch of code to use the new built-in HTTP 
> client, and by chance, the first use case I picked was this:
>
>     String date = Http.toHttpDate(Instant.now());
>     String sessionToken = credentials.sessionToken();
>     String signature = signRequest(uri, date, sessionToken,
>             credentials.secretAccessKey());
>     return httpClient.send(HttpRequest.newBuilder(uri).GET()
>             .header("Date", date)
>             .header("Authorization", "AWS " + credentials.accessKeyId() + ':'
>                     + signature)
>             .header("x-amz-security-token", sessionToken)
>             .build(), HttpResponse.BodyHandlers.ofByteArray());
>
>
> This snippet is following AWS’s instructions here - 
> https://docs.aws.amazon.com/AmazonS3/latest/dev/RESTAuthentication.html#UsingTemporarySecurityCredentials - 
> on how to use temporary credentials to sign a request to S3. Since the 
> date header is part of what we’re signing, we need to either define or 
> obtain its value (though the new client doesn’t send it). I found only 
> one person on the net-dev mailing list discussing the date header 
> (specifically why he thought it shouldn’t be restricted): 
> http://mail.openjdk.java.net/pipermail/net-dev/2016-March/009608.html
>
> Thanks,
> Anders
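
Added example, not part of the original thread or of the JDK: one way to sign the S3 request without setting Date, using the x-amz-date alternative described in the AWS REST authentication document linked in the quoted message. The class name, helper names, and all credential and bucket values are constructed placeholders.

```java
import java.net.URI;
import java.net.http.HttpRequest;
import java.nio.charset.StandardCharsets;
import java.time.Instant;
import java.time.ZoneOffset;
import java.time.format.DateTimeFormatter;
import java.util.Base64;
import java.util.Locale;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class S3SignedGet {
    static final DateTimeFormatter HTTP_DATE = DateTimeFormatter // e.g. "Wed, 31 Oct 2018 17:46:08 GMT"
            .ofPattern("EEE, dd MMM yyyy HH:mm:ss 'GMT'", Locale.ENGLISH).withZone(ZoneOffset.UTC);

    // String-to-sign for a body-less GET. The Date element stays empty because the
    // timestamp is carried (and signed) as the x-amz-date header instead.
    static String stringToSign(String resource, String amzDate, String sessionToken) {
        return "GET\n"                                     // HTTP verb
                + "\n\n"                                   // Content-MD5 and Content-Type: none
                + "\n"                                     // Date: empty, x-amz-date is used
                + "x-amz-date:" + amzDate + "\n"           // x-amz-* headers, lower-case, sorted
                + "x-amz-security-token:" + sessionToken + "\n"
                + resource;                                // canonicalized resource, e.g. /bucket/key
    }

    static String hmacSha1Base64(String secretKey, String data) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA1");
        mac.init(new SecretKeySpec(secretKey.getBytes(StandardCharsets.UTF_8), "HmacSHA1"));
        return Base64.getEncoder().encodeToString(mac.doFinal(data.getBytes(StandardCharsets.UTF_8)));
    }

    static HttpRequest signedGet(URI uri, String resource, String keyId, String secret, String token) throws Exception {
        String amzDate = HTTP_DATE.format(Instant.now());
        String signature = hmacSha1Base64(secret, stringToSign(resource, amzDate, token));
        return HttpRequest.newBuilder(uri).GET()
                .header("x-amz-date", amzDate)             // replaces the Date header
                .header("x-amz-security-token", token)
                .header("Authorization", "AWS " + keyId + ':' + signature)
                .build();
    }

    public static void main(String[] args) throws Exception {
        // Constructed placeholder values, not real credentials or a real bucket.
        HttpRequest request = signedGet(URI.create("https://s3.amazonaws.com/example-bucket/example.txt"),
                "/example-bucket/example.txt", "EXAMPLE_ACCESS_KEY_ID", "EXAMPLE_SECRET_KEY", "EXAMPLE_SESSION_TOKEN");
        request.headers().map().forEach((name, values) -> System.out.println(name + ": " + values));
    }
}
```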