Workaround spring-projects/spring-security#15989 (comment)
HttpHeaders.writeableHttpHeaders does not create writeable HttpHeaders if new HttpHeaders(readOnlyHttpHeaders) is passed in. This is required by Spring Security's StrictServerWebExchangeFirewall to perform lazy validation of the HttpHeaders name/value pairs.
Here is a complete, minimal test with no external dependencies that fails:
@Test
void writeHttpHeadersWhenNewHttpHeadersFails() {
HttpHeaders originalExchangeHeaders = HttpHeaders.readOnlyHttpHeaders(new HttpHeaders());
HttpHeaders firewallHeaders = new HttpHeaders(originalExchangeHeaders);
HttpHeaders writeable = HttpHeaders.writableHttpHeaders(firewallHeaders);
writeable.set("test", "this"); // throws UnsupportedOperationException
}This test demonstrates the issue with a little more context as to what is happening in StrictServerWebExchangeFirewall :
@Test
void writableHttpHeadersWhenStrictFirewallHttpHeadersFails() {
// originalExchangeHeaders is what is passed in to WebFilter by the framework
HttpHeaders originalExchangeHeaders = HttpHeaders.readOnlyHttpHeaders(new HttpHeaders());
// Spring Security replaces the headers with a firewalled set of headers that
// lazily validates headers as they are accessed
HttpHeaders firewallHeaders = new StrictFirewallHttpHeaders(originalExchangeHeaders);
// Spring Cloud attempts to modify the now firewalled HttpHeaders, but writeableHttpHeaders does not work
HttpHeaders writeable = HttpHeaders.writableHttpHeaders(firewallHeaders);
writeable.set("test", "this"); // throws UnsupportedOperationException
}
// minimal demonstration of Spring Security's HttpHeaders
private static class StrictFirewallHttpHeaders extends HttpHeaders {
private StrictFirewallHttpHeaders(HttpHeaders original) {
super(original);
}
@Override
public String getFirst(String headerName) {
String result = super.getFirst(headerName);
// validate headerName / result
return result;
}
// ... other validation
}Please make it so that HttpHeaders.writableHttpHeaders returns HttpHeaders that are writeable so Spring Cloud and Spring Security's StrictServerWebExchangeFirewall work together.
Workaround spring-projects/spring-security#15989 (comment)
HttpHeaders.writeableHttpHeadersdoes not create writeableHttpHeadersifnew HttpHeaders(readOnlyHttpHeaders)is passed in. This is required by Spring Security'sStrictServerWebExchangeFirewallto perform lazy validation of theHttpHeadersname/value pairs.Here is a complete, minimal test with no external dependencies that fails:
This test demonstrates the issue with a little more context as to what is happening in
StrictServerWebExchangeFirewall:Please make it so that
HttpHeaders.writableHttpHeadersreturnsHttpHeadersthat are writeable so Spring Cloud and Spring Security'sStrictServerWebExchangeFirewallwork together.