This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch 10.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/10.0.x by this push:
new 11dcab795a Filter "Authorization" rather than "WWW-Authenticate"
11dcab795a is described below
commit 11dcab795affc031d99839e8109fd2dc49187c63
Author: Mark Thomas <[email protected]>
AuthorDate: Mon Aug 1 19:45:08 2022 +0100
Filter "Authorization" rather than "WWW-Authenticate"
---
java/jakarta/servlet/http/HttpServlet.java | 2 +-
test/jakarta/servlet/http/TestHttpServlet.java | 4 ++--
webapps/docs/config/ajp.xml | 6 +++---
webapps/docs/config/http.xml | 6 +++---
4 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/java/jakarta/servlet/http/HttpServlet.java
b/java/jakarta/servlet/http/HttpServlet.java
index a2d8d51cca..5af390bba7 100644
--- a/java/jakarta/servlet/http/HttpServlet.java
+++ b/java/jakarta/servlet/http/HttpServlet.java
@@ -108,7 +108,7 @@ public abstract class HttpServlet extends GenericServlet {
static {
SENSITIVE_HTTP_HEADERS.add("cookie");
- SENSITIVE_HTTP_HEADERS.add("www-authenticate");
+ SENSITIVE_HTTP_HEADERS.add("authorization");
}
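Review bot: The replacement set still names only `cookie` and `authorization`, so a credential carried in `Proxy-Authorization` (RFC 7235) would still be echoed if the intent is to strip all credential-bearing request headers as RFC 7231 §4.3.8 asks; `SENSITIVE_HTTP_HEADERS.add("proxy-authorization");` next to the new line would cover it. The entry is lowercase, which presumes the lookup compares against a lowercased header name — that comparison is outside the hunk, so it is worth confirming. A short comment on the static block, `// Request headers that doTrace() must not reflect back (RFC 7231 section 4.3.8)`, would record why these particular names are listed. The enclosing class continues outside the hunk.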
diff --git a/test/jakarta/servlet/http/TestHttpServlet.java
b/test/jakarta/servlet/http/TestHttpServlet.java
index 44174e009a..e12bcd54be 100644
--- a/test/jakarta/servlet/http/TestHttpServlet.java
+++ b/test/jakarta/servlet/http/TestHttpServlet.java
@@ -317,7 +317,7 @@ public class TestHttpServlet extends TomcatBaseTest {
"X-aaa: a1, a2" + SimpleHttpClient.CRLF +
"X-aaa: a3" + SimpleHttpClient.CRLF +
"Cookie: c1-v1" + SimpleHttpClient.CRLF +
- "WWW-Authenticate: not-a-real-credential" +
SimpleHttpClient.CRLF +
+ "Authorization: not-a-real-credential" + SimpleHttpClient.CRLF
+
SimpleHttpClient.CRLF});
client.setUseContentLength(true);
@@ -338,7 +338,7 @@ public class TestHttpServlet extends TomcatBaseTest {
// Sensitive headers (cookies, WWW-Authenticate) must not be reflected
// (since RFC 7231)
Assert.assertFalse(body.contains("cookie"));
- Assert.assertFalse(body.contains("www-authenticate"));
+ Assert.assertFalse(body.contains("authorization"));
client.disconnect();
}
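Review bot: The context comment above the assertions still reads `// Sensitive headers (cookies, WWW-Authenticate) must not be reflected`, which now contradicts both the header the test sends and the name it asserts on; it should become `// Sensitive headers (Cookie, Authorization) must not be reflected`. The new `Assert.assertFalse(body.contains("authorization"))` is case-sensitive while the request built in the previous hunk sends `Authorization: not-a-real-credential`, so unless `body` is lowercased before this point (not visible here) the check could pass even if the header were echoed in its original case; also asserting `Assert.assertFalse(body.contains("not-a-real-credential"))` would make the test independent of whatever case the server uses for the name. The test method starts outside the hunk.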
diff --git a/webapps/docs/config/ajp.xml b/webapps/docs/config/ajp.xml
index 1a3cccdeaa..0fe0864d2f 100644
--- a/webapps/docs/config/ajp.xml
+++ b/webapps/docs/config/ajp.xml
@@ -93,9 +93,9 @@
<attribute name="allowTrace" required="false">
<p>A boolean value which can be used to enable or disable the TRACE
HTTP method. If not specified, this attribute is set to false. As per RFC
- 7231 section 4.3.8, cookie and www-authenticate headers will be excluded
- from the response to the TRACE request. If you wish to include these, you
- can implement the <code>doTrace()</code> method for the target Servlet
and
+ 7231 section 4.3.8, cookie and authorization headers will be excluded
from
+ the response to the TRACE request. If you wish to include these, you can
+ implement the <code>doTrace()</code> method for the target Servlet and
gain full control over the reponse.</p>
</attribute>
diff --git a/webapps/docs/config/http.xml b/webapps/docs/config/http.xml
index 6c716bfe99..6427c85bac 100644
--- a/webapps/docs/config/http.xml
+++ b/webapps/docs/config/http.xml
@@ -89,9 +89,9 @@
<attribute name="allowTrace" required="false">
<p>A boolean value which can be used to enable or disable the TRACE
HTTP method. If not specified, this attribute is set to false. As per RFC
- 7231 section 4.3.8, cookie and www-authenticate headers will be excluded
- from the response to the TRACE request. If you wish to include these, you
- can implement the <code>doTrace()</code> method for the target Servlet
and
+ 7231 section 4.3.8, cookie and authorization headers will be excluded
from
+ the response to the TRACE request. If you wish to include these, you can
+ implement the <code>doTrace()</code> method for the target Servlet and
gain full control over the reponse.</p>
</attribute>