19

I am trying to read the authorization header for an HTTP request (because I need to add something to it), but I always get null for the header value. Other headers work fine.

    public void testAuth() throws MalformedURLException, IOException {
        URLConnection request = new URL("http://google.com").openConnection();
        request.setRequestProperty("Authorization", "MyHeader");
        request.setRequestProperty("Stackoverflow", "anotherHeader");
        // works fine
        assertEquals("anotherHeader", request.getRequestProperty("Stackoverflow"));
        // Auth header returns null
        assertEquals("MyHeader", request.getRequestProperty("Authorization"));
    }

Am I doing something wrong? Is this a "security" feature? Is there a way to make this work with URLConnection, or do I need to use another HTTP client library?

Thilo

4 Answers

29

Apparently, it's a security "feature". The URLConnection is actually an instance of sun.net.www.protocol.http.HttpURLConnection. It defines getRequestProperty as:

    public String getRequestProperty (String key) {
        // don't return headers containing security sensitive information
        if (key != null) {
            for (int i=0; i < EXCLUDE_HEADERS.length; i++) {
                if (key.equalsIgnoreCase(EXCLUDE_HEADERS[i])) {
                    return null;
                }
            }
        }
        return requests.findValue(key);
    }

The EXCLUDE_HEADERS array is defined as:

    // the following http request headers should NOT have their values
    // returned for security reasons.
    private static final String[] EXCLUDE_HEADERS = {
            "Proxy-Authorization",
            "Authorization"
    };

Devon_C_Miller
  • That would explain it. And also why the same code works fine on Google App Engine (where they use their own implementation of HttpUrlConnection). – Thilo May 21 '10 at 07:18
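
An added example, not part of the original posts: since the connection will not hand back `Authorization` or `Proxy-Authorization`, the calling code can keep its own record of the headers it sets, extend the value there, and only then copy it onto the connection. `TrackedHeaders` is a hypothetical helper, and the host and header values are constructed.

```java
import java.io.IOException;
import java.net.URI;
import java.net.URLConnection;
import java.util.Map;
import java.util.TreeMap;

public class AuthHeaderDemo {

    /** Hypothetical helper: the caller's own record of the headers it sets. */
    static final class TrackedHeaders {
        // HTTP header names are case-insensitive, so the map is too.
        private final Map<String, String> values = new TreeMap<>(String.CASE_INSENSITIVE_ORDER);

        void set(String name, String value) { values.put(name, value); }

        String get(String name) { return values.get(name); }

        /** Copy every tracked header onto the connection (call before connect()). */
        void applyTo(URLConnection connection) {
            values.forEach(connection::setRequestProperty);
        }
    }

    public static void main(String[] args) throws IOException {
        TrackedHeaders headers = new TrackedHeaders();
        headers.set("Authorization", "MyHeader");
        headers.set("Proxy-Authorization", "MyProxyHeader");
        headers.set("Stackoverflow", "anotherHeader");

        // "Add something" to the credential using the local copy, not the connection.
        headers.set("Authorization", headers.get("authorization") + " extra");

        // Constructed host; openConnection() does not touch the network.
        URLConnection request = URI.create("http://example.invalid/").toURL().openConnection();
        headers.applyTo(request);

        // Read each header back through the connection and through the local record.
        for (String name : new String[] {"Stackoverflow", "Authorization", "Proxy-Authorization"}) {
            System.out.printf("%-20s connection=%s  tracked=%s%n",
                    name, request.getRequestProperty(name), headers.get(name));
        }
        // Print what the bulk getter lists, so any filtering there is visible too.
        System.out.println("getRequestProperties() keys: "
                + request.getRequestProperties().keySet());
    }
}
```

The headers are still set on the connection and sent with the request; only reading them back through the connection is blocked.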
0

I am not happy about the extra dependencies, but following the suggestion to switch to Commons Http solved the immediate problem for me.

I'd still like to know what the problem was with my original code.

Thilo
0

As Devon's answer correctly states: it's not a bug, it's a "security" feature.

But you don't have to switch to a different library: it is always possible to access the underlying MessageHeader-collection via reflection and extract the "Authorization"-header value.

After some head-scratching, I've managed to come up with a working snippet here.

Philzen
-1

Have you tried using URLConnection.addRequestProperty()? This is what I use to add HTTP request headers.

Buhake Sindi
  • same result: the other header works, Authorization stays null – Thilo May 19 '10 at 09:05
  • Have you tried something like `request.addRequestProperty("Authorization", "Basic " + hashed("username:password"));` where `hashed` is the Base64 hash of the string? See if your `assertEquals` returns the result. – Buhake Sindi May 19 '10 at 09:12
  • Even so, I used OAuth Authentication using URLConnection and it works for me. If that doesn't work, use HTTP Client from Apache (strongly recommended). – Buhake Sindi May 19 '10 at 09:26
  • This should've been a comment on the post. – Lawrence Dol Feb 25 '21 at 04:09