How to remove authorization header in a http 302 response

Tags: java, http, jersey

I am using the Java / Jersey Framework (Tomcat) for REST API development. One such web service's functionality is to redirect (HTTP 302) to an S3 signed URL for a file. We use the "Authorization" header to check the request's validity. When this web service is invoked, the service generates a signed URL with a signature and redirects to the signed URL.

Java code from the REST web service (uri is the signed URL):

return Response.status(HttpStatus.SC_MOVED_TEMPORARILY).location(uri).build();

When the redirection happens, the Authorization header is also passed along with the signature. Since Amazon accepts either Authorization or Signature in a signed URL but not both, it throws the error below from Amazon S3:

Only one auth mechanism allowed; only the X-Amz-Algorithm query parameter, Signature query string parameter or the Authorization header should be specified

Is there a way to remove this header being sent while the redirection happens?

I tried adding a filter which overrides the ServletResponse with a custom HttpServletResponseWrapper implementation and logged the header names in both the addHeader and setHeader methods. It never calls these methods for the Authorization header.

Modifying the code to set the header to null or "" did not work either:

return Response.status(HttpStatus.SC_MOVED_TEMPORARILY).location(uri).header("Authorization", null).build();
return Response.status(HttpStatus.SC_MOVED_TEMPORARILY).location(uri).header("Authorization", "").build();

Elango asked Feb 15 '16 03:02


1 Answer

Basically, the redirect response does not have any "Authorization" header; the "Authorization" header is only part of the request. So it is normal behavior for any HTTP client to resend to the redirect location all the headers it sent to the original URL. There is nothing that you can do here. But most HTTP clients will resend the "Authorization" header only if the redirect location is on the same domain/origin. In your case, you can try to create a separate domain for the S3 URL, redirect to it, and hope that the client's HTTP client will drop the "Authorization" header when it detects that the domain has changed (it is a security issue to resend an "Authorization" header when following a redirect to a new domain/origin).

Babl answered Oct 25 '22 07:10
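The client-side rule the answer relies on, as an added example that is not part of the question or the answer: a helper that decides which request headers may follow a 3xx Location, dropping Authorization (and other credential headers) when the target origin differs from the original, plus a check for the exact conflict in the question, Authorization arriving at an S3 URL that already carries its signature in the query string. Function names and URLs are constructed for illustration.

```python
from urllib.parse import urljoin, urlsplit, parse_qs

# Credential-bearing headers that must not cross an origin boundary on redirect.
SENSITIVE_HEADERS = ("authorization", "proxy-authorization", "cookie")

# Query parameters S3 treats as an auth mechanism (SigV4 and the older SigV2 style).
S3_AUTH_QUERY_PARAMS = ("X-Amz-Algorithm", "X-Amz-Signature", "Signature", "AWSAccessKeyId")


def origin(url):
    """(scheme, host, port) triple; default ports are filled in so ':443' == no port."""
    parts = urlsplit(url)
    port = parts.port or (443 if parts.scheme.lower() == "https" else 80)
    return (parts.scheme.lower(), (parts.hostname or "").lower(), port)


def headers_for_redirect(original_url, location, request_headers):
    """Resolve the Location header and return (target_url, headers to forward).

    Same-origin redirects keep every header; cross-origin redirects strip the
    credential headers, which is the behaviour the answer expects from clients.
    """
    target = urljoin(original_url, location)  # Location may be relative
    same_origin = origin(original_url) == origin(target)
    forwarded = {
        name: value
        for name, value in request_headers.items()
        if same_origin or name.lower() not in SENSITIVE_HEADERS
    }
    return target, forwarded


def conflicts_with_presigned_url(target_url, headers):
    """True when a request would send Authorization to an S3 URL that is already
    signed via the query string, the combination S3 rejects with
    'Only one auth mechanism allowed'."""
    query = parse_qs(urlsplit(target_url).query)
    signed_in_query = any(param in query for param in S3_AUTH_QUERY_PARAMS)
    has_auth_header = any(name.lower() == "authorization" for name in headers)
    return signed_in_query and has_auth_header


if __name__ == "__main__":
    # Constructed sample: API call with a bearer token redirected to a presigned S3 URL.
    api_url = "https://api.example.com/files/42"
    presigned = ("https://my-bucket.s3.amazonaws.com/42.bin"
                 "?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Signature=PLACEHOLDER")
    sent = {"Authorization": "Bearer PLACEHOLDER", "Accept": "*/*"}
    target, fwd = headers_for_redirect(api_url, presigned, sent)
    print(target, fwd, conflicts_with_presigned_url(target, fwd))
```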