[
https://issues.jboss.org/browse/WFWIP-270?page=com.atlassian.jira.plugin....
]
Brian Stansberry commented on WFWIP-270:
----------------------------------------
[~dlofthouse]+1 to your last paragraph in your long comment.
Is the user attempting to specify a header that the endpoint already sets an important
use case? On an analysis comment you mention:
"A number of headers that we already set are known to be problematic"
Do you mean the values we set may not be what the user wants from a security POV, i.e. our
current behavior is a problem? Or is 'problematic' just referring to this issue of
not having clear control over override behavior?
I suggest going further than saying non-override behavior is 'not guaranteed' and
go all the way to 'unspecified', e.g.
"If a constant-header is configured whose name is the same as one the endpoint
provides without that configuration, whether the configured value will be used is
unspecified and may change from release to release. Overriding the endpoint's headers
is not encouraged."
Validation to reject ones we know shouldn't be set sounds good.
Configured headers can override headers added by the corresponding
endpoint
---------------------------------------------------------------------------
Key: WFWIP-270
URL:
https://issues.jboss.org/browse/WFWIP-270
Project: WildFly WIP
Issue Type: Bug
Components: Security
Reporter: Tomas Terem
Assignee: Darran Lofthouse
Priority: Blocker
Labels: management
[Analysis
document|https://github.com/wildfly/wildfly-proposals/pull/263] says that
'Configured headers will not override any headers added by the corresponding
endpoint.'
However, I was able to override Connection and Date headers on /management endpoint.
--
This message was sent by Atlassian Jira
(v7.13.8#713008)