Reputation: 262464
getRequestProperty("Authorization") always returns null
I am trying to read the authorization header for an HTTP request (because I need to add something to it), but I always get null for the header value. Other headers work fine.
public void testAuth() throws MalformedURLException, IOException{
URLConnection request = new URL("http://google.com").openConnection();
request.setRequestProperty("Authorization", "MyHeader");
request.setRequestProperty("Stackoverflow", "anotherHeader");
// works fine
assertEquals("anotherHeader", request.getRequestProperty("Stackoverflow"));
// Auth header returns null
assertEquals("MyHeader", request.getRequestProperty("Authorization"));
}
Am I doing something wrong? Is this a "security" feature? Is there a way to make this work with URLConnection, or do I need to use another HTTP client library?
Upvotes: 20
Views: 9412
Answers (4)
Reputation: 4647
As Devon's answer correctly states: it's not a bug, it's a "security" feature 😉
But you don't have to switch to a different library: it is always possible to access the underlying MessageHeader-collection via reflection and extract the "Authorization"-header value.
After some headscratch i've managed to come up with a working snippet here.
Upvotes: 0
Reputation: 16518
Apparently, it's a security "feature". The URLConnection is actually an instance of sun.net.www.protocol.http.HttpURLConnection. It defines getRequestProperty as:
public String getRequestProperty (String key) {
// don't return headers containing security sensitive information
if (key != null) {
for (int i=0; i < EXCLUDE_HEADERS.length; i++) {
if (key.equalsIgnoreCase(EXCLUDE_HEADERS[i])) {
return null;
}
}
}
return requests.findValue(key);
}
The EXCLUDE_HEADERS array is defined as:
// the following http request headers should NOT have their values
// returned for security reasons.
private static final String[] EXCLUDE_HEADERS = {
"Proxy-Authorization",
"Authorization"
};
Upvotes: 30
Reputation: 262464
I am not happy about the extra dependencies, but following the suggestion to switch to Commons Http solved the immediate problem for me.
I'd still like to know what the problem was with my original code.
Upvotes: 0
Reputation: 89169
Have you tried using URLConnection.addRequestProperty()?
This is how I use to add HTTP Request Headers.
Upvotes: -1
Related Questions
- HttpURLConnection - Authorization header always is null
- HTTP request is not working, setting Authorization using setRequestProperty method
- HTTPGet using Auth Token throwing error code 403
- Java bug - Can't add Authorization to HttpURLConnection set/addRequestProperty()
- OAuth2 requesting token returns 401
- HttpURLConnection conn.getRequestProperty return null
- HttpURLConnection - Authorization Header is missing?
- Unable to set Authorization header of HttpsURLConnection
- Passing authorization header for oauth token request
- Setting the oauth "Authorization"header in Java - Android