Date header and Java 11 HTTP client

Michael McMahon michael.x.mcmahon at oracle.com
Wed Oct 31 17:49:49 UTC 2018


We have filed

https://bugs.openjdk.java.net/browse/JDK-8213189
"Make restricted headers in HTTP Client configurable and remove Date by default"

which should deal with this finally.

- Michael


On 31/10/2018, 17:46, Thomas Lußnig wrote:
>
> Hi all,
>
> From the count of problems that are coming up with these limits,
> I think there should be a switch to allow all headers. Because why 
> limit them?
> Anyone who wants to misuse them can do it via plain "Socket" or 
> SslSocket without limit.
> I think there are more examples of why this limit is bad. So simply 
> remove that check entirely.
> And allow any header.
>
> Regards, Thomas
>
> On 31.10.2018 17:31:16, Anders Wisch wrote:
>> Hi all,
>>
>> Why does the new Java 11 HTTP client disallow sending the date header 
>> (https://tools.ietf.org/html/rfc7231#section-7.1.1.2) with a request? 
>> I was excited to convert a bunch of code to use the new built-in HTTP 
>> client, and by chance, the first use case I picked was this:
>>
>>     String date = Http.toHttpDate(Instant.now());
>>     String sessionToken = credentials.sessionToken();
>>     String signature = signRequest(uri, date, sessionToken, credentials.secretAccessKey());
>>     return httpClient.send(HttpRequest.newBuilder(uri).GET()
>>             .header("Date", date)
>>             .header("Authorization", "AWS " + credentials.accessKeyId() + ':' + signature)
>>             .header("x-amz-security-token", sessionToken)
>>             .build(), HttpResponse.BodyHandlers.ofByteArray());
>>
>>
>> This snippet is following AWS’s instructions here - 
>> https://docs.aws.amazon.com/AmazonS3/latest/dev/RESTAuthentication.html#UsingTemporarySecurityCredentials - 
>> on how to use temporary credentials to sign a request to S3. Since 
>> the date header is part of what we’re signing, we need to either 
>> define or obtain its value (though the new client doesn’t send it). I 
>> found only one person on the net-dev mailing list discussing the date 
>> header (specifically why he thought it shouldn’t be restricted): 
>> http://mail.openjdk.java.net/pipermail/net-dev/2016-March/009608.html
>>
>> Thanks,
>> Anders
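As an added illustration of the problem the thread describes (not code from the thread or from the JDK), the following standalone Java program builds the S3 temporary-credential signature from the linked AWS document, where the Date header value is part of the HMAC input, and shows where Java 11's restricted-header check rejects the request. Credentials, bucket and key are constructed placeholders; `jdk.httpclient.allowRestrictedHeaders` is the system property JDK-8213189 introduced in later JDKs, read at JVM startup.

```java
import java.net.URI;
import java.net.http.HttpRequest;
import java.nio.charset.StandardCharsets;
import java.time.ZoneOffset;
import java.time.ZonedDateTime;
import java.time.format.DateTimeFormatter;
import java.util.Base64;
import java.util.Locale;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class S3DateHeaderExample {
    // Constructed placeholder credentials; not real keys.
    static final String ACCESS_KEY = "AKIAEXAMPLEKEY";
    static final String SECRET_KEY = "example-secret-access-key";
    static final String SESSION_TOKEN = "example-session-token";

    // RFC 7231 IMF-fixdate, always in GMT with a two-digit day, e.g. "Wed, 31 Oct 2018 17:31:16 GMT".
    static String httpDate(ZonedDateTime t) {
        return DateTimeFormatter.ofPattern("EEE, dd MMM yyyy HH:mm:ss 'GMT'", Locale.US)
                .format(t.withZoneSameInstant(ZoneOffset.UTC));
    }

    // AWS signature v2 StringToSign for a GET with no body: the Date value is signed,
    // and the temporary-credential token is carried as a canonicalized x-amz-* header.
    static String stringToSign(String date, String canonicalResource, String token) {
        return "GET\n" + "\n" + "\n" + date + "\n"          // Verb, Content-MD5, Content-Type, Date
                + "x-amz-security-token:" + token + "\n"    // CanonicalizedAmzHeaders
                + canonicalResource;                        // CanonicalizedResource, e.g. /bucket/key
    }

    static String sign(String secret, String stringToSign) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA1");
        mac.init(new SecretKeySpec(secret.getBytes(StandardCharsets.UTF_8), "HmacSHA1"));
        return Base64.getEncoder().encodeToString(mac.doFinal(stringToSign.getBytes(StandardCharsets.UTF_8)));
    }

    public static void main(String[] args) throws Exception {
        URI uri = URI.create("https://s3.amazonaws.com/example-bucket/example-key"); // path-style URL
        String date = httpDate(ZonedDateTime.now(ZoneOffset.UTC));
        String signature = sign(SECRET_KEY, stringToSign(date, uri.getPath(), SESSION_TOKEN));
        HttpRequest.Builder b = HttpRequest.newBuilder(uri).GET()
                .header("Authorization", "AWS " + ACCESS_KEY + ":" + signature)
                .header("x-amz-security-token", SESSION_TOKEN);
        try {
            b.header("Date", date);  // Java 11 throws here; later JDKs accept it (or honour
                                     // -Djdk.httpclient.allowRestrictedHeaders=date if still restricted)
            System.out.println("Date header accepted: " + b.build().headers().map());
        } catch (IllegalArgumentException e) {
            System.out.println("Date header rejected, signature cannot be verified server-side: " + e.getMessage());
        }
    }
}
```

If the client silently dropped or rewrote Date instead of throwing, the signed value and the sent value would differ and S3 would reject the request, which is why the header must be either settable or readable before signing.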