FULL PRODUCT VERSION :
java version "9.0.1"
Java(TM) SE Runtime Environment (build 9.0.1+11)
Java HotSpot(TM) 64-Bit Server VM (build 9.0.1+11, mixed mode)
ADDITIONAL OS VERSION INFORMATION :
Darwin ms2.judepereira.com 17.2.0 Darwin Kernel Version 17.2.0: Mon Sep 18 15:44:59 PDT 2017; root:xnu-4570.20.55~19/RELEASE_X86_64 x86_64
A DESCRIPTION OF THE PROBLEM :
According to the spec, the "authorization" header can have various values. However, the only one Java 9's HttpClient supports is "basic".
If I set a custom "authorization" header as follows, HttpClient ignores it completely:
HttpRequest.newBuilder().header("authorization", "bearer " + token);
The cause is that when it creates the immutable map for user headers, it checks a list called ALLOWED_HEADERS (jdk.incubator.http.internal.common.Utils#ALLOWED_HEADERS).
This list contains "authorization" as a forbidden user header. Therefore, it prevents any custom "authorization" header other than "basic".
REGRESSION. Last worked in version 8u152
ADDITIONAL REGRESSION INFORMATION:
It's possible using HttpsURLConnection as follows:
HttpsURLConnection#setRequestProperty("authorization", "bearer " + token)
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
It's a flaw in the implementation itself.
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED - When I set a custom authorization header, it must be respected.
ACTUAL - The authorization header is removed.
This bug can be reproduced always.
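
A loopback check for the behaviour reported above, added here as an example; it is not part of the original report or of the JDK sources. It starts a local server that echoes the Authorization header it actually received, then sends the same header through HttpClient and through HttpURLConnection so the two paths can be compared. It assumes JDK 11 or later, where the client lives in java.net.http (on the Java 9 build in the report it is in jdk.incubator.http); the class name AuthHeaderCheck and the token value are constructed for illustration.

```java
import com.sun.net.httpserver.HttpServer;
import java.net.HttpURLConnection;
import java.net.InetSocketAddress;
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;

public class AuthHeaderCheck {
    public static void main(String[] args) throws Exception {
        // Constructed test value, not a real credential.
        String sent = "bearer constructed-test-token";

        // Loopback server: replies with the Authorization header it received.
        HttpServer server = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
        server.createContext("/", exchange -> {
            String seen = exchange.getRequestHeaders().getFirst("Authorization");
            byte[] body = (seen == null ? "<absent>" : seen).getBytes(StandardCharsets.UTF_8);
            exchange.sendResponseHeaders(200, body.length);
            exchange.getResponseBody().write(body);
            exchange.close();
        });
        server.start();
        URI uri = URI.create("http://127.0.0.1:" + server.getAddress().getPort() + "/");
        try {
            // Path 1: HttpClient, header set the way the report sets it.
            HttpRequest request = HttpRequest.newBuilder(uri)
                    .header("authorization", sent).GET().build();
            String viaClient = HttpClient.newHttpClient()
                    .send(request, HttpResponse.BodyHandlers.ofString()).body();

            // Path 2: HttpURLConnection, the path the report says works.
            HttpURLConnection conn = (HttpURLConnection) uri.toURL().openConnection();
            conn.setRequestProperty("authorization", sent);
            String viaUrlConn;
            try (var in = conn.getInputStream()) {
                viaUrlConn = new String(in.readAllBytes(), StandardCharsets.UTF_8);
            }
            report("HttpClient", sent, viaClient);
            report("HttpURLConnection", sent, viaUrlConn);
        } finally {
            server.stop(0);
        }
    }

    // Compare what was sent with what the server observed on the wire.
    static void report(String path, String sent, String seen) {
        System.out.printf("%-18s server saw: %s -> %s%n", path, seen,
                sent.equals(seen) ? "OK" : "HEADER DROPPED OR ALTERED");
    }
}
```

A client that silently drops the header shows `<absent>` for that path, which is the failure described in this report.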