Skip to content

HttpHeaders.writeableHttpHeaders(new HttpHeaders(readOnlyHttpHeaders)) is not writeable #33789

New issue
New issue
Closed
Closed
HttpHeaders.writeableHttpHeaders(new HttpHeaders(readOnlyHttpHeaders)) is not writeable#33789
Assignees
bclozel
Labels
in: webIssues in web modules (web, webmvc, webflux, websocket)type: bugA general bug
Milestone
 
6.1.15
@rwinch

Description

@rwinch
rwinch
opened on Oct 24, 2024

Workaround spring-projects/spring-security#15989 (comment)

HttpHeaders.writeableHttpHeaders does not create writeable HttpHeaders if new HttpHeaders(readOnlyHttpHeaders) is passed in. This is required by Spring Security's StrictServerWebExchangeFirewall to perform lazy validation of the HttpHeaders name/value pairs.

Here is a complete, minimal test with no external dependencies that fails:

@Test
void writeHttpHeadersWhenNewHttpHeadersFails() {
	HttpHeaders originalExchangeHeaders = HttpHeaders.readOnlyHttpHeaders(new HttpHeaders());
	HttpHeaders firewallHeaders = new HttpHeaders(originalExchangeHeaders);
	HttpHeaders writeable = HttpHeaders.writableHttpHeaders(firewallHeaders);
	writeable.set("test", "this"); // throws UnsupportedOperationException
}

This test demonstrates the issue with a little more context as to what is happening in StrictServerWebExchangeFirewall :

@Test
void writableHttpHeadersWhenStrictFirewallHttpHeadersFails() {
	// originalExchangeHeaders is what is passed in to WebFilter by the framework
	HttpHeaders originalExchangeHeaders = HttpHeaders.readOnlyHttpHeaders(new HttpHeaders());
	// Spring Security replaces the headers with a firewalled set of headers that
	// lazily validates headers as they are accessed
	HttpHeaders firewallHeaders = new StrictFirewallHttpHeaders(originalExchangeHeaders);
	// Spring Cloud attempts to modify the now firewalled HttpHeaders, but writeableHttpHeaders does not work
	HttpHeaders writeable = HttpHeaders.writableHttpHeaders(firewallHeaders);
	writeable.set("test", "this"); // throws UnsupportedOperationException
}

// minimal demonstration of Spring Security's HttpHeaders
private static class StrictFirewallHttpHeaders extends HttpHeaders {
	private StrictFirewallHttpHeaders(HttpHeaders original) {
		super(original);
	}

	@Override
	public String getFirst(String headerName) {
		String result = super.getFirst(headerName);
		// validate headerName / result
		return result;
	}

	// ... other validation
}

Please make it so that HttpHeaders.writableHttpHeaders returns HttpHeaders that are writeable so Spring Cloud and Spring Security's StrictServerWebExchangeFirewall work together.

Metadata

Metadata

Assignees

Labels

in: webIssues in web modules (web, webmvc, webflux, websocket)type: bugA general bug

Type

No type

Projects

No projects

Milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions