Posted to issues@nifi.apache.org by "David Handermann (Jira)" <ji...@apache.org> on 2023/06/01 01:49:00 UTC

[jira] [Commented] (NIFI-11250) InvokeHTTP drops the Body when using the DELETE method

    [ https://issues.apache.org/jira/browse/NIFI-11250?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17728180#comment-17728180 ] 

David Handermann commented on NIFI-11250:
-----------------------------------------

Thanks for the reply [~benj_928381923], and for the pointer back to the Keycloak REST API reference; that is helpful.

Keycloak is certainly widely used, and with InvokeHTTP supporting such a wide range of use cases, it seems like making an adjustment here would be warranted.

> InvokeHTTP drops the Body when using the DELETE method
> ------------------------------------------------------
>
>                 Key: NIFI-11250
>                 URL: https://issues.apache.org/jira/browse/NIFI-11250
>             Project: Apache NiFi
>          Issue Type: Improvement
>          Components: Extensions
>            Reporter: Benji Benning
>            Assignee: David Handermann
>            Priority: Major
>
> Today, InvokeHTTP drops the Body when the method used isn't PUT, POST, or PATCH (as stated in the documentation). The RFC states that DELETE with a body isn't generally used, but doesn't disallow it.
> In my case, I'm using InvokeHTTP to interact with Keycloak's Admin REST API. They use DELETE with a body in quite a few cases. For example, in my specific use case:
> [https://www.keycloak.org/docs-api/21.0.1/rest-api/#_role_mapper_resource]
> (referring to: Delete realm-level role mappings)
> Additional information:
> {noformat}
> Although request message framing is independent of the method used, content received in a DELETE request has no generally defined semantics, cannot alter the meaning or target of the request, and might lead some implementations to reject the request and close the connection because of its potential as a request smuggling attack (Section 11.2 of [HTTP/1.1]). A client SHOULD NOT generate content in a DELETE request unless it is made directly to an origin server that has previously indicated, in or out of band, that such a request has a purpose and will be adequately supported. An origin server SHOULD NOT rely on private agreements to receive content, since participants in HTTP communication are often unaware of intermediaries along the request chain.{noformat}
> [https://www.rfc-editor.org/rfc/rfc9110.html#name-delete]
> During discussion with Otto Fowler, he stated that this is disabled in the [HTTPMethod enum|https://github.com/apache/nifi/blob/7a47c8cfbd458ab037275762c385d50372c130a3/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/http/HttpMethod.java].
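The behaviour described in the issue, as an added illustration that is not NiFi project code and not the real `HttpMethod` enum: a per-method "body supported" flag decides whether the FlowFile content becomes the request body, DELETE is flagged as unsupported (so the body is dropped), and an explicit opt-in models the adjustment being discussed, matching the RFC 9110 condition that the origin server has previously indicated that a DELETE body has a purpose. The `requestBodySupported` field, the `deleteBodyEnabled` flag and the sample role-mapping payload are assumptions constructed for this example.

```java
import java.util.EnumSet;

// Added example modelling the InvokeHTTP decision described in NIFI-11250.
// This is not the NiFi code base; the enum shape and the opt-in flag are assumptions.
public class DeleteBodyExample {

    /** Assumed shape of the HttpMethod enum referenced in the issue. */
    enum HttpMethod {
        GET(false),
        HEAD(false),
        OPTIONS(false),
        DELETE(false),   // body currently dropped: the behaviour the issue reports
        PATCH(true),
        POST(true),
        PUT(true);

        private final boolean requestBodySupported;

        HttpMethod(boolean requestBodySupported) {
            this.requestBodySupported = requestBodySupported;
        }

        boolean isRequestBodySupported() {
            return requestBodySupported;
        }
    }

    /**
     * Methods whose body is sent only when the user explicitly opts in.
     * RFC 9110 notes that intermediaries may reject DELETE requests with content
     * because of its request-smuggling potential, so this stays off by default and
     * is meant for requests made directly to an origin server (such as Keycloak)
     * that documents a DELETE body.
     */
    private static final EnumSet<HttpMethod> OPT_IN_BODY_METHODS = EnumSet.of(HttpMethod.DELETE);

    /**
     * Decide whether the FlowFile content becomes the request body.
     *
     * @param method            HTTP method selected on the processor
     * @param flowFileHasContent whether the incoming FlowFile carries content
     * @param deleteBodyEnabled hypothetical opt-in property for DELETE bodies
     */
    static boolean shouldSendBody(HttpMethod method, boolean flowFileHasContent, boolean deleteBodyEnabled) {
        if (!flowFileHasContent) {
            return false;
        }
        if (method.isRequestBodySupported()) {
            return true;            // PUT, POST, PATCH: today's behaviour
        }
        return deleteBodyEnabled && OPT_IN_BODY_METHODS.contains(method);
    }

    /** Render what would go on the wire, with the body replaced by a marker when dropped. */
    static String describeRequest(HttpMethod method, String content, boolean deleteBodyEnabled) {
        boolean hasContent = content != null && !content.isEmpty();
        boolean sendBody = shouldSendBody(method, hasContent, deleteBodyEnabled);
        return method + " body=" + (sendBody ? content : "<dropped>");
    }

    public static void main(String[] args) {
        // Constructed sample payload in the shape of a Keycloak role-mapping list; not real data.
        String roleMapping = "[{\"id\":\"example-role-id\",\"name\":\"example-role\"}]";

        // POST: body is sent because the method supports it.
        System.out.println(describeRequest(HttpMethod.POST, roleMapping, false));
        // DELETE without opt-in: body is dropped, which is the problem the issue reports.
        System.out.println(describeRequest(HttpMethod.DELETE, roleMapping, false));
        // DELETE with the hypothetical opt-in: body is sent.
        System.out.println(describeRequest(HttpMethod.DELETE, roleMapping, true));
    }
}
```

Compile and run with `javac DeleteBodyExample.java && java DeleteBodyExample`. Keeping the DELETE body behind an explicit property rather than enabling it unconditionally preserves today's behaviour for existing flows and keeps the decision visible in the processor configuration.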



--
This message was sent by Atlassian Jira
(v8.20.10#820010)