Does OkHttp send Authorization and other potentially sensitive headers on redirect?

Updated: 2024-10-27 02:24:21

Question

I'm using OkHttp transitively through Apache NiFi. I'm attempting to determine how Authorization and other sensitive headers are handled on redirect. The only interaction that NiFi's InvokeHTTP processor has with OkHttp in regards to redirects is here, where it reads a processor property and sets the option on the OkHttpClientBuilder object:

    // Set whether to follow redirects
    okHttpClientBuilder.followRedirects(context.getProperty(PROP_FOLLOW_REDIRECTS).asBoolean());

Quickly searching through the source of OkHttp, I cannot seem to identify where redirects are handled in order to verify that Authorization is stripped from subsequent requests, as I would expect. cURL just recently adopted that behavior for security reasons.

Recommended answer

It happens in RetryAndFollowUpInterceptor.

    // When redirecting across hosts, drop all authentication headers. This
    // is potentially annoying to the application layer since they have no
    // way to retain them.
    if (!sameConnection(userResponse, url)) {
      requestBuilder.removeHeader("Authorization");
    }
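
The snippet in the answer removes only Authorization. One way for a caller to cover other credential-bearing headers as well, shown as an added example (not code from OkHttp, NiFi, or the original answer): automatic redirects are turned off and each hop of a GET request is followed manually, dropping a caller-defined header list whenever the scheme, host, or port changes. The class name, the header list, and the redirect limit are assumptions.

```java
import java.io.IOException;
import java.util.List;
import okhttp3.HttpUrl;
import okhttp3.OkHttpClient;
import okhttp3.Request;
import okhttp3.Response;

public final class RedirectHeaderGuard {
  // Assumption: headers this application treats as credentials; adjust to your API.
  private static final List<String> SENSITIVE =
      List.of("Authorization", "Proxy-Authorization", "Cookie", "X-Api-Key");
  private static final int MAX_REDIRECTS = 5; // assumed limit

  // Automatic redirects are off, so every hop goes through get() below.
  private final OkHttpClient client = new OkHttpClient.Builder()
      .followRedirects(false)
      .followSslRedirects(false)
      .build();

  /** True when scheme, host, or port differ between the two URLs. */
  static boolean crossesOrigin(HttpUrl from, HttpUrl to) {
    return !from.scheme().equals(to.scheme())
        || !from.host().equals(to.host())
        || from.port() != to.port();
  }

  /** GET with manual redirect handling; the caller must close the returned Response. */
  public Response get(Request request) throws IOException {
    for (int hop = 0; hop <= MAX_REDIRECTS; hop++) {
      Response response = client.newCall(request).execute();
      String location = response.header("Location");
      if (!response.isRedirect() || location == null) {
        return response;
      }
      response.close(); // release the connection before the next hop
      HttpUrl next = request.url().resolve(location);
      if (next == null) {
        throw new IOException("Unparseable redirect target: " + location);
      }
      Request.Builder builder = request.newBuilder().url(next);
      if (crossesOrigin(request.url(), next)) {
        SENSITIVE.forEach(builder::removeHeader); // stays stripped on later hops
      }
      request = builder.build();
    }
    throw new IOException("Too many redirects");
  }
}
```

Because the stripped request is reused for every later hop, a redirect chain that bounces back to the original host does not get the credentials re-attached.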

Published: 2023-10-11 04:39:35
Article link: https://www.elefans.com/category/jswz/34/1480709.html