StoRM Webdav should drop Authorization header in TPC redirects

    • Type: Bug
    • Resolution: Fixed
    • Priority: Major
    • 1.11.18
    • Affects Version/s: None
    • Component/s: webdav
    • Security Level: Public (Visible by non-authn users.)
    • None

      Citing Paul Millar:
      "It is a fairly well established convention that an HTTP client should drop the Authorization HTTP request header from subsequent requests if the server replies with a redirection (30x) status code. It is expected that any authorisation needed for the subsequent request is handled by the redirecting server (e.g., by including an authz token in the redirection URL)."

      StoRM uses the Commons HTTP Client library, which by default includes the Authorization header in the redirected request.
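
The convention quoted above, shown as an added Python example (not StoRM WebDAV code): a client follows a 307 from a front-end server to a second server and sends its Authorization header only on the first request. The names `fetch`, `Handler` and `demo`, the two loopback servers, the paths and the token values are all constructed for illustration.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urljoin, urlsplit

SEEN = []  # (path, Authorization value) recorded by the constructed demo servers

def fetch(url, headers, max_hops=5):
    """GET url and follow redirects, sending Authorization to the first server only."""
    headers = dict(headers)
    for _ in range(max_hops + 1):
        u = urlsplit(url)
        conn = http.client.HTTPConnection(u.hostname, u.port, timeout=5)
        conn.request("GET", (u.path or "/") + ("?" + u.query if u.query else ""), headers=headers)
        resp = conn.getresponse()
        status, location = resp.status, resp.getheader("Location")
        conn.close()
        if status not in (301, 302, 303, 307, 308) or not location:
            return status
        url = urljoin(url, location)  # Location may be relative
        # Drop the credential on every 30x hop; the redirect URL carries any authz needed.
        headers = {k: v for k, v in headers.items() if k.lower() != "authorization"}
    raise RuntimeError("too many redirects")

class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        SEEN.append((self.path, self.headers.get("Authorization")))
        if self.path == "/file":  # front end: redirect with an authz token in the URL
            self.send_response(307)
            self.send_header("Location", self.server.target)
        else:  # redirect target: serves the request
            self.send_response(200)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass

def demo():
    front, target = (HTTPServer(("127.0.0.1", 0), Handler) for _ in range(2))
    front.target = "http://127.0.0.1:%d/data?authz=constructed-token" % target.server_port
    for srv in (front, target):
        threading.Thread(target=srv.serve_forever, daemon=True).start()
    SEEN.clear()
    status = fetch("http://127.0.0.1:%d/file" % front.server_port,
                   {"Authorization": "Bearer constructed-secret"})
    for srv in (front, target):
        srv.shutdown()
        srv.server_close()
    return status, list(SEEN)
```

Calling `demo()` returns the final status and the list of requests each server saw, so the second entry shows whether the bearer credential reached the redirect target.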

            Assignee:
            Unassigned
            Reporter:
            Andrea Ceccanti