Problem description
I'm using OkHttp transitively through Apache NiFi. I'm attempting to determine how Authorization and other sensitive headers are handled on redirect. The only interaction that NiFi's InvokeHTTP processor has with OkHttp with regard to redirects is here, where it reads a processor property and sets the option on the OkHttpClientBuilder object:
// Set whether to follow redirects
okHttpClientBuilder.followRedirects(context.getProperty(PROP_FOLLOW_REDIRECTS).asBoolean());
Quickly searching through the source of OkHttp, I cannot seem to identify where redirects are handled in order to verify that Authorization is stripped from subsequent requests, as I would expect. cURL just recently adopted that behavior for security reasons.
Recommended answer
It happens in RetryAndFollowUpInterceptor:
// When redirecting across hosts, drop all authentication headers. This
// is potentially annoying to the application layer since they have no
// way to retain them.
if (!sameConnection(userResponse, url)) {
requestBuilder.removeHeader("Authorization");
}
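To make the rule quoted above concrete, here is an added example in Python (not OkHttp's or NiFi's own code) that re-implements the sameConnection() check the interceptor relies on: the follow-up request is treated as the same connection only when scheme, host and port all match, and otherwise the Authorization header is removed. The URLs, header values and the optional strip parameter are constructed for illustration; the strip parameter is an addition of this example, since the quoted interceptor line removes only Authorization.

```python
from urllib.parse import urlsplit

# Constructed sample request headers, not captured traffic.
SAMPLE_HEADERS = {
    "Authorization": "Bearer constructed-example-token",
    "Cookie": "session=constructed-example",
    "Accept": "application/json",
}

DEFAULT_PORTS = {"http": 80, "https": 443}


def effective_port(url: str) -> int:
    """Explicit port if present, otherwise the scheme default.

    OkHttp's HttpUrl.port() behaves the same way, which is why
    https://host/ and https://host:443/ compare as one connection.
    """
    parts = urlsplit(url)
    if parts.port is not None:
        return parts.port
    return DEFAULT_PORTS[parts.scheme.lower()]


def same_connection(response_url: str, follow_up_url: str) -> bool:
    """Model of sameConnection(): scheme, host and port must all match.

    Note that a scheme change on the same host (https -> http, or the
    reverse) already counts as a different connection.
    """
    a, b = urlsplit(response_url), urlsplit(follow_up_url)
    return (
        a.scheme.lower() == b.scheme.lower()
        and (a.hostname or "").lower() == (b.hostname or "").lower()
        and effective_port(response_url) == effective_port(follow_up_url)
    )


def follow_up_headers(headers: dict, response_url: str, follow_up_url: str,
                      strip=("Authorization",)) -> dict:
    """Headers to send on the redirected request.

    With the default strip tuple this mirrors the interceptor snippet: only
    Authorization is dropped, and only when the redirect leaves the original
    scheme/host/port. A wider tuple (e.g. adding Cookie) is an assumed
    hardening for applications that attach other credential-bearing headers
    themselves; it is not OkHttp behaviour.
    """
    if same_connection(response_url, follow_up_url):
        return dict(headers)
    drop = {name.lower() for name in strip}
    return {k: v for k, v in headers.items() if k.lower() not in drop}


def demo() -> dict:
    """Run the interesting cases against the constructed request."""
    origin = "https://api.example.com/v1/resource"
    return {
        "same_host": follow_up_headers(SAMPLE_HEADERS, origin, "https://api.example.com:443/v2/resource"),
        "cross_host": follow_up_headers(SAMPLE_HEADERS, origin, "https://cdn.example.net/file"),
        "downgrade": follow_up_headers(SAMPLE_HEADERS, origin, "http://api.example.com/v2/resource"),
        "strict": follow_up_headers(SAMPLE_HEADERS, origin, "https://cdn.example.net/file",
                                    strip=("Authorization", "Cookie")),
    }


if __name__ == "__main__":
    for name, sent in demo().items():
        print(f"{name}: {sorted(sent)}")
```

Two points worth checking in your own deployment: a redirect that only changes the port (an explicit :443 on an https URL) keeps Authorization, while a redirect that merely changes scheme on the same host drops it; and because the quoted line names Authorization alone, any other secret your application puts in a header is not covered by that line, so check how your client treats those separately.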
This concludes the question "Does OkHttp send Authorization and other potentially sensitive headers on redirects?"; we hope the recommended answer is helpful.