Does OkHttp send Authorization and other potentially sensitive headers on redirect?


Question


I'm using OkHttp transitively through Apache NiFi. I'm attempting to determine how Authorization and other sensitive headers are handled on redirect. The only interaction that NiFi's InvokeHTTP processor has with OkHttp in regards to redirects is here, where it reads a processor property and sets the option on the OkHttpClientBuilder object:

// Set whether to follow redirects
okHttpClientBuilder.followRedirects(context.getProperty(PROP_FOLLOW_REDIRECTS).asBoolean());


Quickly searching through the source of OkHttp, I cannot seem to identify where redirects are handled in order to verify that Authorization is stripped from subsequent requests, as I would expect. cURL just recently adopted that behavior for security reasons.

Answer

It happens in RetryAndFollowUpInterceptor.

// When redirecting across hosts, drop all authentication headers. This
// is potentially annoying to the application layer since they have no
// way to retain them.
if (!sameConnection(userResponse, url)) {
  requestBuilder.removeHeader("Authorization");
}
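An added example, not part of the question or answer above and not NiFi or OkHttp project code, that exercises the behaviour the snippet describes using OkHttp's MockWebServer: two local servers on different ports (which OkHttp treats as different connections, since sameConnection compares scheme, host and port), one redirect between them, and a second redirect back to the same server for comparison. The class name, paths and header values are constructed for the demo; it assumes okhttp and mockwebserver are on the classpath. Since the quoted code removes only Authorization, the demo also sends a custom X-Api-Key header to show that other headers are not covered by that check.

```java
import okhttp3.OkHttpClient;
import okhttp3.Request;
import okhttp3.Response;
import okhttp3.mockwebserver.MockResponse;
import okhttp3.mockwebserver.MockWebServer;
import okhttp3.mockwebserver.RecordedRequest;

public class RedirectAuthHeaderCheck {

    // Sends one authenticated GET to "from", which answers with a 302 to "to",
    // and returns the request that "to" actually received after the redirect.
    static RecordedRequest followRedirect(OkHttpClient client,
                                          MockWebServer from, MockWebServer to) throws Exception {
        from.enqueue(new MockResponse().setResponseCode(302)
                .addHeader("Location", to.url("/after-redirect")));
        to.enqueue(new MockResponse().setResponseCode(200).setBody("ok"));

        Request request = new Request.Builder()
                .url(from.url("/start"))
                .header("Authorization", "Bearer constructed-test-token") // constructed value
                .header("X-Api-Key", "constructed-api-key")              // constructed value
                .build();
        try (Response response = client.newCall(request).execute()) {
            if (response.code() != 200) {
                throw new IllegalStateException("unexpected status " + response.code());
            }
        }
        from.takeRequest();       // the original request; not needed here
        return to.takeRequest();  // the follow-up request OkHttp built after the 302
    }

    public static void main(String[] args) throws Exception {
        MockWebServer origin = new MockWebServer();
        MockWebServer other = new MockWebServer();
        origin.start();
        other.start();
        // Same option NiFi's InvokeHTTP sets from PROP_FOLLOW_REDIRECTS.
        OkHttpClient client = new OkHttpClient.Builder().followRedirects(true).build();
        try {
            RecordedRequest crossHost = followRedirect(client, origin, other);
            System.out.println("cross-host Authorization: " + crossHost.getHeader("Authorization"));
            System.out.println("cross-host X-Api-Key:     " + crossHost.getHeader("X-Api-Key"));

            RecordedRequest sameHost = followRedirect(client, origin, origin);
            System.out.println("same-host  Authorization: " + sameHost.getHeader("Authorization"));
        } finally {
            origin.shutdown();
            other.shutdown();
        }
    }
}
```

Run against a build of OkHttp containing the check quoted above, the cross-host request should arrive without an Authorization header while the same-host request keeps it; compare the X-Api-Key line to see what the check does not cover.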

