Create a different config setting for inbound and outbound HTTP1 header #7362
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…er validation for both client and server
Description
===========
Currently, Helidon 4 only support validate-headers config to validate headers for both inbound and outbound headers on both client and server. This change will bring separation on the configuration for both inbound and outbound headers on both client and server. The change will also remove performance impact for a singular config that would validate both outbound and inbound headers by default. By separating the configuration, only necessary headers will be validated by default. For example, the request headers on the client and the response headers on the server will not be validated by default because the user has control on their creation. On the other hand, the response headers on the client and the request headers on the server will be validated by default because the values they contain are unpredictable upon receipt and may contain malicious data. Following are new config options:
1. Client
a. validate-response-header (inbound) - Validates the client response headers and will default to true because the content is unpredictable.
b. validate-request-header (outbound) - Validates the client request headers and will default to false because the user has control on header creation.
2. Server
b. validate-request-header (inbound) - Validates the server request headers and will default to true because the content is unpredictable..
a. validate-response-header (outbound) - Validates the client request headers and will default to false because the user has control on header creation.
Details of the change:
=====================
1. Webserver
a. Http1ConfigBlueprint - replace validateHeaders() with validateRequestHeaders() and validateResponseHeaders() to allow separate validation control of request headers and response headers, respectively.
b. Http1Connection and HttpServerResponse - will process validateRequestHeaders() and validateResponseHeaders() on their corresponding areas of validation.
2. Webclient
a. Http1ClientProtocolConfigBlueprint = replace validateHeaders() with validateRequestHeaders() and validateResponseHeaders() to allow separate validation control of request headers and response headers, respectively.
b. Http1CallChainBase, Http1CallOutputStreamChain and Http1CallEntityChain - will process validateRequestHeaders() and validateResponseHeaders() on their corresponding areas of validation.
c. Http1ClientTest - Header validation related Unit test are adjusted to use validateRequestHeaders() and validateResponseHeaders() instead of their predecessor validateHeaders()
3. Integration tests for Webserver - all files changed will perform various scenarios to validate request or response headers on the client side.
4. Integration tests for Webclient - all files changed will perform various scenarios to validate request or response headers on the client side.
Documentation
=============
This is a configuration change so documentation will be collected from javadoc comments in Http1ConfigBlueprint.java for the Webserver and Http1ClientProtocolConfigBlueprint.java for Http1 Webclient.
Examples:
1. Http1 WebServer
```
ServerConnectionSelector http1 = Http1ConnectionSelector.builder()
.config(Http1Config.builder()
.validateRequestHeaders(true)
.validateResponseHeaders(false)
.build())
.build();
server.addConnectionSelector(http1);
```
2. Http1 WebClient
```
Http1Client client = Http1Client.create(clientConfig -> clientConfig.baseUri(baseURI)
.protocolConfig(it -> {
it.validateRequestHeaders(true);
it.validateResponseHeaders(false);
})
);
```
oracle-contributor-agreement
bot
added
the
OCA Verified
|
Will potentially resolve #7127 |
nima/webserver/webserver/src/main/java/io/helidon/nima/webserver/http1/Http1ServerResponse.java
Outdated
Show resolved
Hide resolved
…focused to ClientRequestImplTest anymore
…o use the new Headers and HeaderNames apis
…t integration test
tomas-langer
approved these changes
Aug 14, 2023
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
Currently, Helidon 4 only support validate-headers config to validate headers for both inbound and outbound headers on both client and server. This change will bring separation on the configuration for both inbound and outbound headers on both client and server. The change will also remove performance impact for a singular config that would validate both outbound and inbound headers by default. By separating the configuration, only necessary headers will be validated by default. For example, the request headers on the client and the response headers on the server will not be validated by default because the user has control on their creation. On the other hand, the response headers on the client and the request headers on the server will be validated by default because the values they contain are unpredictable upon receipt and may contain malicious data. Following are new config options:
a. validate-response-header (inbound) - Validates the client response headers and will default to true because the content is unpredictable.
b. validate-request-header (outbound) - Validates the client request headers and will default to false because the user has control on header creation.
a. validate-request-header (inbound) - Validates the server request headers and will default to true because the content is unpredictable.
b. validate-response-header (outbound) - Validates the client request headers and will default to false because the user has control on header creation.
Details of the change:
a. Http1ConfigBlueprint - replace validateHeaders() with validateRequestHeaders() and validateResponseHeaders() to allow separate validation control of request headers and response headers, respectively.
b. Http1Connection and HttpServerResponse - will process validateRequestHeaders() and validateResponseHeaders() on their corresponding areas of validation.
a. Http1ClientProtocolConfigBlueprint = replace validateHeaders() with validateRequestHeaders() and validateResponseHeaders() to allow separate validation control of request headers and response headers, respectively.
b. Http1CallChainBase, Http1CallOutputStreamChain and Http1CallEntityChain - will process validateRequestHeaders() and validateResponseHeaders() on their corresponding areas of validation.
c. Http1ClientTest - Header validation related Unit test are adjusted to use validateRequestHeaders() and validateResponseHeaders() instead of their predecessor validateHeaders()
Documentation
This is a configuration change so documentation will be collected from javadoc comments in Http1ConfigBlueprint.java for the Webserver and Http1ClientProtocolConfigBlueprint.java for Http1 Webclient.
Examples: