[jboss-jira] [JBoss JIRA] (WFWIP-270) Configured headers can override headers added by the corresponding endpoint

Brian Stansberry (Jira) issues at jboss.org
Tue Nov 19 13:37:00 EST 2019


    [ https://issues.jboss.org/browse/WFWIP-270?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13815086#comment-13815086 ] 

Brian Stansberry commented on WFWIP-270:
----------------------------------------

[~dlofthouse] +1 to your last paragraph in your long comment.

Is the user attempting to specify a header that the endpoint already sets an important use case? In an analysis comment you mention:

"A number of headers that we already set are known to be problematic"

Do you mean the values we set may not be what the user wants from a security POV, i.e. our current behavior is a problem? Or is 'problematic' just referring to this issue of not having clear control over override behavior?

I suggest going further than saying non-override behavior is 'not guaranteed' and go all the way to 'unspecified', e.g.

"If a constant-header is configured whose name is the same as one the endpoint provides without that configuration, whether the configured value will be used is unspecified and may change from release to release. Overriding the endpoint's headers is not encouraged."

Validation to reject ones we know shouldn't be set sounds good.

> Configured headers can override headers added by the corresponding endpoint
> ---------------------------------------------------------------------------
>
>                 Key: WFWIP-270
>                 URL: https://issues.jboss.org/browse/WFWIP-270
>             Project: WildFly WIP
>          Issue Type: Bug
>          Components: Security
>            Reporter: Tomas Terem
>            Assignee: Darran Lofthouse
>            Priority: Blocker
>              Labels: management
>
> [Analysis document|https://github.com/wildfly/wildfly-proposals/pull/263] says that
> 'Configured headers will not override any headers added by the corresponding endpoint.'
> However, I was able to override Connection and Date headers on /management endpoint.



--
This message was sent by Atlassian Jira
(v7.13.8#713008)
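The validation idea raised in the comment (reject configured constant headers that are known to be problematic, and treat collisions with endpoint-set headers as unspecified) sketched as an added example; this is constructed code, not WildFly's implementation, and the PROTECTED set, the sample endpoint headers and the sample mapping are all assumptions.

```python
# Constructed example: check a constant-headers style mapping against the
# headers a management endpoint already emits. Not WildFly code.
from typing import Dict, List, Tuple

# Assumption: names that configuration is never allowed to override. The issue
# says some endpoint-set headers are "known to be problematic" without naming
# them, so this set is a constructed placeholder, not WildFly's list.
PROTECTED = frozenset({"connection", "content-length", "transfer-encoding", "date"})

# Constructed sample of what the endpoint itself adds; Connection and Date are
# the two the reporter overrode on /management.
ENDPOINT_HEADERS: Dict[str, str] = {
    "Date": "Tue, 19 Nov 2019 18:37:00 GMT",
    "Connection": "keep-alive",
    "Content-Type": "application/json",
}

# Constructed sample mapping: [(path, [(header-name, value), ...]), ...]
SAMPLE_CONFIG = [("/management", [
    ("Connection", "close"),
    ("Date", "Mon, 01 Jan 2001 00:00:00 GMT"),
    ("X-Frame-Options", "DENY"),
    ("content-type", "text/plain"),
    ("x-frame-options", "SAMEORIGIN"),
])]

Entry = Tuple[str, str, str]  # (path, header name, value or reason)

def validate(path_mappings, endpoint: Dict[str, str]):
    """Split a mapping into accepted, rejected and warned entries.

    HTTP header names compare case-insensitively, so 'Date' and 'date' are
    the same header. Protected names and duplicates within one path are
    rejected; an accepted name the endpoint also sets is flagged, because
    which value ends up on the wire is unspecified.
    """
    endpoint_names = {n.lower() for n in endpoint}
    accepted: List[Entry] = []
    rejected: List[Entry] = []
    warnings: List[Entry] = []
    for path, headers in path_mappings:
        seen = set()
        for name, value in headers:
            key = name.lower()
            if key in PROTECTED:
                rejected.append((path, name, "protected header"))
            elif key in seen:
                rejected.append((path, name, "duplicate in mapping"))
            else:
                seen.add(key)
                accepted.append((path, name, value))
                if key in endpoint_names:
                    warnings.append((path, name, "endpoint also sets this; winner unspecified"))
    return accepted, rejected, warnings

if __name__ == "__main__":
    for label, entries in zip(("accepted", "rejected", "warnings"),
                              validate(SAMPLE_CONFIG, ENDPOINT_HEADERS)):
        print(label, entries)
```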

