JDK-8194729 : Java 9's HttpClient doesn't allow custom "Authorization" headers
  • Type: Bug
  • Component: core-libs
  • Sub-Component: java.net
  • Affected Version: 9.0.1, 10
  • Priority: P3
  • Status: Resolved
  • Resolution: Fixed
  • OS: os_x
  • CPU: x86_64
  • Submitted: 2018-01-04
  • Updated: 2018-05-28
  • Resolved: 2018-01-19
Fix Version: JDK 11 (Fixed)
Description
FULL PRODUCT VERSION :
java version "9.0.1"
Java(TM) SE Runtime Environment (build 9.0.1+11)
Java HotSpot(TM) 64-Bit Server VM (build 9.0.1+11, mixed mode)

ADDITIONAL OS VERSION INFORMATION :
Darwin ms2.judepereira.com 17.2.0 Darwin Kernel Version 17.2.0: Mon Sep 18 15:44:59 PDT 2017; root:xnu-4570.20.55~19/RELEASE_X86_64 x86_64

A DESCRIPTION OF THE PROBLEM :
According to the spec, the "authorization" header can have various values. However, the only one Java 9's HttpClient supports is "basic".

If I set a custom "authorization" header as follows, HttpClient ignores it completely:
HttpRequest.newBuilder().header("authorization", "bearer " + token);

The cause is that when it creates the immutable map for user headers, it checks a list called ALLOWED_HEADERS (jdk.incubator.http.internal.common.Utils#ALLOWED_HEADERS).
This list contains "authorization" as a forbidden user header. Therefore, it prevents any custom "authorization" header other than "basic".

REGRESSION.  Last worked in version 8u152

ADDITIONAL REGRESSION INFORMATION: 
It's possible using HttpsURLConnection as follows:
HttpsURLConnection#setRequestProperty("authorization", "bearer " + token)

STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
It's a flaw in the implementation itself.

EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
When I set a custom authorization header, it must be respected.
ACTUAL -
The authorization header is removed.

REPRODUCIBILITY :
This bug can be reproduced always.


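The check below is an added example, not code from the bug report or from the JDK. It runs the scenario the reporter describes end to end on the JDK 11+ java.net.http API (the fixed release), where the package is java.net.http rather than the jdk.incubator.http of JDK 9/10. It starts a local echo server from the JDK's own com.sun.net.httpserver so it runs offline, sends a request carrying a user-set "Authorization: Bearer ..." header with no Authenticator installed, and verifies the header both on the built request and as received by the server. The token value and the /echo path are constructed placeholders; the class name BearerHeaderCheck is assumed. On an affected JDK 9/10 build the reporter's description implies the first check fails because the header is silently dropped.

```java
import com.sun.net.httpserver.HttpServer;
import java.io.OutputStream;
import java.net.InetSocketAddress;
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;
import java.time.Duration;

public class BearerHeaderCheck {

    // Constructed placeholder; a real token would come from your OAuth/OIDC flow.
    private static final String TOKEN = "example-token-not-a-real-credential";

    public static void main(String[] args) throws Exception {
        // Local echo server (shipped with the JDK) so the check needs no network.
        HttpServer server = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
        server.createContext("/echo", exchange -> {
            // Reply with exactly the Authorization value the server saw, or "<absent>".
            String seen = exchange.getRequestHeaders().getFirst("Authorization");
            byte[] body = (seen == null ? "<absent>" : seen).getBytes(StandardCharsets.UTF_8);
            exchange.sendResponseHeaders(200, body.length);
            try (OutputStream os = exchange.getResponseBody()) {
                os.write(body);
            }
        });
        server.start();
        try {
            int port = server.getAddress().getPort();
            String expected = "Bearer " + TOKEN;

            // No Authenticator is set, so the client has no reason to touch this header.
            // Redirects are disabled as a conservative choice: a bearer token should not
            // be replayed to whatever origin a 3xx points at.
            HttpClient client = HttpClient.newBuilder()
                    .followRedirects(HttpClient.Redirect.NEVER)
                    .connectTimeout(Duration.ofSeconds(5))
                    .build();

            HttpRequest request = HttpRequest.newBuilder()
                    .uri(URI.create("http://127.0.0.1:" + port + "/echo"))
                    .header("Authorization", expected)
                    .GET()
                    .build();

            // Check 1: the header survived request construction (the stage the report
            // says filtered it out on 9.0.1/10).
            String onRequest = request.headers().firstValue("Authorization").orElse("<absent>");
            if (!expected.equals(onRequest)) {
                throw new IllegalStateException("Builder dropped/altered Authorization: " + onRequest);
            }

            // Check 2: the header reached the wire unchanged.
            HttpResponse<String> response =
                    client.send(request, HttpResponse.BodyHandlers.ofString());
            if (!expected.equals(response.body())) {
                throw new IllegalStateException("Server saw Authorization as: " + response.body());
            }
            System.out.println("Custom Authorization header delivered unchanged");
        } finally {
            server.stop(0);
        }
    }
}
```

Compile and run with `javac BearerHeaderCheck.java && java BearerHeaderCheck` on JDK 11 or later. Both checks are deliberate: the first localises a drop to the request builder, the second catches anything the client or a filter might do between build and send.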
Comments
Fixed in sandbox - http-client-branch http://hg.openjdk.java.net/jdk/sandbox/rev/db102c5ca88a
19-01-2018

This is NOT a regression. Yes, HttpURLConnection allows it, but HttpClient is a different API. That said, if an Authenticator is not set then it should be possible to perform authentication manually by setting/inspecting the relevant request/response headers.
08-01-2018