-
Notifications
You must be signed in to change notification settings - Fork 562
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Create a different config setting for inbound and outbound HTTP1 header #7362
Create a different config setting for inbound and outbound HTTP1 header #7362
Commits on Aug 11, 2023
-
Create a different config setting for inbound and outbound HTTP1 head…
…er validation for both client and server Description =========== Currently, Helidon 4 only support validate-headers config to validate headers for both inbound and outbound headers on both client and server. This change will bring separation on the configuration for both inbound and outbound headers on both client and server. The change will also remove performance impact for a singular config that would validate both outbound and inbound headers by default. By separating the configuration, only necessary headers will be validated by default. For example, the request headers on the client and the response headers on the server will not be validated by default because the user has control on their creation. On the other hand, the response headers on the client and the request headers on the server will be validated by default because the values they contain are unpredictable upon receipt and may contain malicious data. Following are new config options: 1. Client a. validate-response-header (inbound) - Validates the client response headers and will default to true because the content is unpredictable. b. validate-request-header (outbound) - Validates the client request headers and will default to false because the user has control on header creation. 2. Server b. validate-request-header (inbound) - Validates the server request headers and will default to true because the content is unpredictable.. a. validate-response-header (outbound) - Validates the client request headers and will default to false because the user has control on header creation. Details of the change: ===================== 1. Webserver a. Http1ConfigBlueprint - replace validateHeaders() with validateRequestHeaders() and validateResponseHeaders() to allow separate validation control of request headers and response headers, respectively. b. Http1Connection and HttpServerResponse - will process validateRequestHeaders() and validateResponseHeaders() on their corresponding areas of validation. 2. Webclient a. Http1ClientProtocolConfigBlueprint = replace validateHeaders() with validateRequestHeaders() and validateResponseHeaders() to allow separate validation control of request headers and response headers, respectively. b. Http1CallChainBase, Http1CallOutputStreamChain and Http1CallEntityChain - will process validateRequestHeaders() and validateResponseHeaders() on their corresponding areas of validation. c. Http1ClientTest - Header validation related Unit test are adjusted to use validateRequestHeaders() and validateResponseHeaders() instead of their predecessor validateHeaders() 3. Integration tests for Webserver - all files changed will perform various scenarios to validate request or response headers on the client side. 4. Integration tests for Webclient - all files changed will perform various scenarios to validate request or response headers on the client side. Documentation ============= This is a configuration change so documentation will be collected from javadoc comments in Http1ConfigBlueprint.java for the Webserver and Http1ClientProtocolConfigBlueprint.java for Http1 Webclient. Examples: 1. Http1 WebServer ``` ServerConnectionSelector http1 = Http1ConnectionSelector.builder() .config(Http1Config.builder() .validateRequestHeaders(true) .validateResponseHeaders(false) .build()) .build(); server.addConnectionSelector(http1); ``` 2. Http1 WebClient ``` Http1Client client = Http1Client.create(clientConfig -> clientConfig.baseUri(baseURI) .protocolConfig(it -> { it.validateRequestHeaders(true); it.validateResponseHeaders(false); }) ); ```
Configuration menu - View commit details
-
Copy full SHA for dbff190 - Browse repository at this point
Copy the full SHA dbff190View commit details -
Configuration menu - View commit details
-
Copy full SHA for ab4a4ef - Browse repository at this point
Copy the full SHA ab4a4efView commit details -
Rename ClientRequestImplTest class to Http1ClientTest as this is not …
…focused to ClientRequestImplTest anymore
Configuration menu - View commit details
-
Copy full SHA for 32313d9 - Browse repository at this point
Copy the full SHA 32313d9View commit details -
Update ValidateHeadersTest in tests/integration/webclient/webclient t…
…o use the new Headers and HeaderNames apis
Configuration menu - View commit details
-
Copy full SHA for 7967092 - Browse repository at this point
Copy the full SHA 7967092View commit details
Commits on Aug 14, 2023
-
Fix inadvertent removal of http2 webclient dependency in the webclien…
…t integration test
Configuration menu - View commit details
-
Copy full SHA for 44ee17e - Browse repository at this point
Copy the full SHA 44ee17eView commit details