Posted to dev@tomcat.apache.org by ma...@apache.org on 2022/08/01 18:45:33 UTC

[tomcat] branch 9.0.x updated: Filter "Authorization" rather than "WWW-Authenticate"

This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch 9.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/9.0.x by this push:
     new c762775da0 Filter "Authorization" rather than "WWW-Authenticate"
c762775da0 is described below

commit c762775da0b3872b1d924f8e3cd4ed3feb1b8130
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Mon Aug 1 19:45:08 2022 +0100

    Filter "Authorization" rather than "WWW-Authenticate"
---
 java/javax/servlet/http/HttpServlet.java     | 2 +-
 test/javax/servlet/http/TestHttpServlet.java | 4 ++--
 webapps/docs/config/ajp.xml                  | 6 +++---
 webapps/docs/config/http.xml                 | 6 +++---
 4 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/java/javax/servlet/http/HttpServlet.java b/java/javax/servlet/http/HttpServlet.java
index 3ee5fa6abe..38d10b7958 100644
--- a/java/javax/servlet/http/HttpServlet.java
+++ b/java/javax/servlet/http/HttpServlet.java
@@ -101,7 +101,7 @@ public abstract class HttpServlet extends GenericServlet {
 
     static {
         SENSITIVE_HTTP_HEADERS.add("cookie");
-        SENSITIVE_HTTP_HEADERS.add("www-authenticate");
+        SENSITIVE_HTTP_HEADERS.add("authorization");
     }
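Review bot: The sensitive-header set now lists only `cookie` and `authorization`, but `Proxy-Authorization` (RFC 7235 §4.4) carries credentials in exactly the same way and would still be echoed back in the body of a TRACE response; consider adding `SENSITIVE_HTTP_HEADERS.add("proxy-authorization");` beside the two existing entries. The entries are stored in lower case, which presumably means the membership check normalises the incoming header name first — that lookup is outside this hunk, so it is worth confirming the comparison is case-insensitive, since clients may send `Authorization` in any case. A short comment above the static block would also record why these names are excluded, e.g. `// Request headers RFC 7231 section 4.3.8 says must not be reflected by TRACE`.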
 
 
diff --git a/test/javax/servlet/http/TestHttpServlet.java b/test/javax/servlet/http/TestHttpServlet.java
index 4e683b0a15..3770f8f71a 100644
--- a/test/javax/servlet/http/TestHttpServlet.java
+++ b/test/javax/servlet/http/TestHttpServlet.java
@@ -317,7 +317,7 @@ public class TestHttpServlet extends TomcatBaseTest {
                 "X-aaa: a1, a2" + SimpleHttpClient.CRLF +
                 "X-aaa: a3" + SimpleHttpClient.CRLF +
                 "Cookie: c1-v1" + SimpleHttpClient.CRLF +
-                "WWW-Authenticate: not-a-real-credential" + SimpleHttpClient.CRLF +
+                "Authorization: not-a-real-credential" + SimpleHttpClient.CRLF +
                 SimpleHttpClient.CRLF});
         client.setUseContentLength(true);
 
@@ -338,7 +338,7 @@ public class TestHttpServlet extends TomcatBaseTest {
         // Sensitive headers (cookies, WWW-Authenticate) must not be reflected
         // (since RFC 7231)
         Assert.assertFalse(body.contains("cookie"));
-        Assert.assertFalse(body.contains("www-authenticate"));
+        Assert.assertFalse(body.contains("authorization"));
 
         client.disconnect();
     }
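Review bot: The comment above the assertions still names WWW-Authenticate as the header that must not be reflected, while the assertion it introduces now checks `authorization`; update it to `// Sensitive headers (Cookie, Authorization) must not be reflected` so the stated rationale matches the check. The assertion searches for the lower-case string `authorization`, which only catches a reflected `Authorization:` header if `body` has been lower-cased earlier in the test (outside this hunk) or the servlet writes header names in lower case — worth confirming that normalisation exists, otherwise a case-preserving echo would pass this test. The enclosing test method starts before this hunk.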
diff --git a/webapps/docs/config/ajp.xml b/webapps/docs/config/ajp.xml
index 121d1de101..88a1a7b882 100644
--- a/webapps/docs/config/ajp.xml
+++ b/webapps/docs/config/ajp.xml
@@ -84,9 +84,9 @@
     <attribute name="allowTrace" required="false">
       <p>A boolean value which can be used to enable or disable the TRACE
       HTTP method. If not specified, this attribute is set to false. As per RFC
-      7231 section 4.3.8, cookie and www-authenticate headers will be excluded
-      from the response to the TRACE request. If you wish to include these, you
-      can implement the <code>doTrace()</code> method for the target Servlet and
+      7231 section 4.3.8, cookie and authorization headers will be excluded from
+      the response to the TRACE request. If you wish to include these, you can
+      implement the <code>doTrace()</code> method for the target Servlet and
       gain full control over the reponse.</p>
     </attribute>
 
diff --git a/webapps/docs/config/http.xml b/webapps/docs/config/http.xml
index d12f22639a..710cbbd9dd 100644
--- a/webapps/docs/config/http.xml
+++ b/webapps/docs/config/http.xml
@@ -80,9 +80,9 @@
     <attribute name="allowTrace" required="false">
       <p>A boolean value which can be used to enable or disable the TRACE
       HTTP method. If not specified, this attribute is set to false. As per RFC
-      7231 section 4.3.8, cookie and www-authenticate headers will be excluded
-      from the response to the TRACE request. If you wish to include these, you
-      can implement the <code>doTrace()</code> method for the target Servlet and
+      7231 section 4.3.8, cookie and authorization headers will be excluded from
+      the response to the TRACE request. If you wish to include these, you can
+      implement the <code>doTrace()</code> method for the target Servlet and
       gain full control over the reponse.</p>
     </attribute>
 

