From 5ff515727dcee47b622f8ec1536898f33af7f8f0 Mon Sep 17 00:00:00 2001 From: Emily Tsanova Date: Fri, 7 Aug 2020 10:56:05 +0100 Subject: [PATCH 1/2] Exclude cookie headers by default from HTTP traces See gh-22829 --- .../META-INF/additional-spring-configuration-metadata.json | 1 - .../org/springframework/boot/actuate/trace/http/Include.java | 4 +++- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/spring-boot-project/spring-boot-actuator-autoconfigure/src/main/resources/META-INF/additional-spring-configuration-metadata.json b/spring-boot-project/spring-boot-actuator-autoconfigure/src/main/resources/META-INF/additional-spring-configuration-metadata.json index 1257ccd35ef..3aa62c37161 100644 --- a/spring-boot-project/spring-boot-actuator-autoconfigure/src/main/resources/META-INF/additional-spring-configuration-metadata.json +++ b/spring-boot-project/spring-boot-actuator-autoconfigure/src/main/resources/META-INF/additional-spring-configuration-metadata.json @@ -653,7 +653,6 @@ "defaultValue": [ "request-headers", "response-headers", - "cookies", "errors" ] }, diff --git a/spring-boot-project/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/trace/http/Include.java b/spring-boot-project/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/trace/http/Include.java index a33ef0bf2ae..de1caf4bd03 100644 --- a/spring-boot-project/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/trace/http/Include.java +++ b/spring-boot-project/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/trace/http/Include.java @@ -24,6 +24,8 @@ import java.util.Set; * Include options for HTTP tracing. * * @author Wallace Wadge + * @author Emily Tsanova + * @author Joseph Beeton * @since 2.0.0 */ public enum Include { @@ -55,6 +57,7 @@ public enum Include { PRINCIPAL, /** + * * Include the remote address. */ REMOTE_ADDRESS, 
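Review bot: After `cookies` is dropped, the `defaultValue` list in this metadata hunk still ends with `errors`, whereas `Include.defaultIncludes()` in the same patch (and the HttpTraceProperties Javadoc in the polish commit) leaves the default at REQUEST_HEADERS, RESPONSE_HEADERS and TIME_TAKEN, so the IDE hint advertises a default the code does not use. The removed value also did not match the enum constant it described (COOKIE_HEADERS), which suggests the remaining hint values should be checked against the enum's relaxed-binding names while this entry is being touched. I would change the list to `"request-headers", "response-headers", "time-taken"`, with `time-taken` presumably being the kebab-case form of TIME_TAKEN.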
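Review bot: The line added inside the REMOTE_ADDRESS Javadoc (`+ *` immediately before `Include the remote address.`) has nothing to do with excluding cookie headers and reads as a stray blank comment line; the neighbouring constants' Javadoc visible in this hunk opens directly with the description, so the added line should be dropped rather than kept. If the collapsed text is really one added line `* * Include the remote address.`, it is a doubled asterisk and should be dropped likewise.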
@@ -75,7 +78,6 @@ public enum Include {
 Set defaultIncludes = new LinkedHashSet<>();
 defaultIncludes.add(Include.REQUEST_HEADERS);
 defaultIncludes.add(Include.RESPONSE_HEADERS);
- defaultIncludes.add(Include.COOKIE_HEADERS);
 defaultIncludes.add(Include.TIME_TAKEN);
 DEFAULT_INCLUDES = Collections.unmodifiableSet(defaultIncludes);
 }
From e358144b2e846ecf5a827d526cb5037de9591ec8 Mon Sep 17 00:00:00 2001
From: Andy Wilkinson
Date: Tue, 11 Aug 2020 15:35:23 +0100
Subject: [PATCH 2/2] Polish "Exclude cookie headers by default from HTTP traces"
See gh-22829
---
 .../trace/http/HttpTraceProperties.java | 5 ++--
 .../trace/http/HttpExchangeTracerTests.java | 24 +++++++++++++++++++
 2 files changed, 26 insertions(+), 3 deletions(-)
diff --git a/spring-boot-project/spring-boot-actuator-autoconfigure/src/main/java/org/springframework/boot/actuate/autoconfigure/trace/http/HttpTraceProperties.java b/spring-boot-project/spring-boot-actuator-autoconfigure/src/main/java/org/springframework/boot/actuate/autoconfigure/trace/http/HttpTraceProperties.java
index 92179e22f23..4a3f1391274 100644
--- a/spring-boot-project/spring-boot-actuator-autoconfigure/src/main/java/org/springframework/boot/actuate/autoconfigure/trace/http/HttpTraceProperties.java
+++ b/spring-boot-project/spring-boot-actuator-autoconfigure/src/main/java/org/springframework/boot/actuate/autoconfigure/trace/http/HttpTraceProperties.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2012-2019 the original author or authors.
+ * Copyright 2012-2020 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
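Review bot: `DEFAULT_INCLUDES` now silently omits COOKIE_HEADERS, but nothing in the hunk records why, and the Javadoc of `defaultIncludes()` and of the COOKIE_HEADERS constant are outside this hunk, so a reader of the enum alone cannot tell that cookie headers are an opt-in rather than an oversight. I would add a comment above the remaining `add` calls: `// Cookie/Set-Cookie are deliberately not traced by default because they commonly carry session identifiers; opt in with Include.COOKIE_HEADERS.` and state the same, plus the fact that the default changed, in the `defaultIncludes()` Javadoc, since this alters observable behaviour for anyone relying on the old default. The static initializer this hunk edits starts outside the hunk.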
@@ -37,8 +37,7 @@ public class HttpTraceProperties {
 /**
 * Items to be included in the trace. Defaults to request headers (excluding
- * Authorization but including Cookie), response headers (including Set-Cookie), and
- * time taken.
+ * Authorization and Cookie), response headers (excluding Set-Cookie), and time taken.
 */
 private Set include = new HashSet<>(Include.defaultIncludes());
diff --git a/spring-boot-project/spring-boot-actuator/src/test/java/org/springframework/boot/actuate/trace/http/HttpExchangeTracerTests.java b/spring-boot-project/spring-boot-actuator/src/test/java/org/springframework/boot/actuate/trace/http/HttpExchangeTracerTests.java
index e2a9f3bf0e3..3b8a35fa6c8 100644
--- a/spring-boot-project/spring-boot-actuator/src/test/java/org/springframework/boot/actuate/trace/http/HttpExchangeTracerTests.java
+++ b/spring-boot-project/spring-boot-actuator/src/test/java/org/springframework/boot/actuate/trace/http/HttpExchangeTracerTests.java
@@ -29,6 +29,7 @@ import org.junit.jupiter.api.Test;
 import org.springframework.boot.actuate.trace.http.HttpTrace.Request;
 import org.springframework.http.HttpHeaders;
+import org.springframework.http.MediaType;
 import org.springframework.util.LinkedMultiValueMap;
 import org.springframework.util.MultiValueMap;
@@ -270,6 +271,29 @@ class HttpExchangeTracerTests {
 assertThat(trace.getTimeTaken()).isNotNull();
 }
+ @Test
+ void defaultIncludes() {
+ HttpHeaders requestHeaders = new HttpHeaders();
+ requestHeaders.setAccept(Arrays.asList(MediaType.APPLICATION_JSON));
+ requestHeaders.set(HttpHeaders.COOKIE, "value");
+ requestHeaders.set(HttpHeaders.AUTHORIZATION, "secret");
+ HttpExchangeTracer tracer = new HttpExchangeTracer(Include.defaultIncludes());
+ HttpTrace trace = tracer.receivedRequest(createRequest(requestHeaders));
+ HttpHeaders responseHeaders = new HttpHeaders();
+ responseHeaders.set(HttpHeaders.SET_COOKIE, "test=test");
+ responseHeaders.setContentLength(0);
+ tracer.sendingResponse(trace, createResponse(responseHeaders), this::createPrincipal, () -> "sessionId");
+ assertThat(trace.getTimeTaken()).isNotNull();
+ assertThat(trace.getPrincipal()).isNull();
+ assertThat(trace.getSession()).isNull();
+ assertThat(trace.getTimestamp()).isNotNull();
+ assertThat(trace.getRequest().getMethod()).isEqualTo("GET");
+ assertThat(trace.getRequest().getRemoteAddress()).isNull();
+ assertThat(trace.getResponse().getStatus()).isEqualTo(204);
+ assertThat(trace.getRequest().getHeaders()).containsOnlyKeys(HttpHeaders.ACCEPT);
+ assertThat(trace.getResponse().getHeaders()).containsOnlyKeys(HttpHeaders.CONTENT_LENGTH);
+ }
+
 private TraceableRequest createRequest() {
 return createRequest(Collections.singletonMap(HttpHeaders.ACCEPT, Arrays.asList("application/json")));
 }
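Review bot: The new test verifies the Cookie, Authorization and Set-Cookie exclusion only indirectly, through `containsOnlyKeys(HttpHeaders.ACCEPT)` and `containsOnlyKeys(HttpHeaders.CONTENT_LENGTH)` on the last two assertions; a later change to how Accept or Content-Length are traced would make those fail for a reason unrelated to the headers this commit is about, and the intent is not readable from the test. I would add, next to the existing checks, `assertThat(trace.getRequest().getHeaders()).doesNotContainKeys(HttpHeaders.COOKIE, HttpHeaders.AUTHORIZATION);` and `assertThat(trace.getResponse().getHeaders()).doesNotContainKey(HttpHeaders.SET_COOKIE);`. A name such as `defaultIncludesExcludeCookieAndAuthorizationHeaders` would also say what the test guards, where `defaultIncludes` does not.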