Exclude authorization header from trace by default

Closes gh-7974

Exclude authorization header from trace by default
Closes gh-7974
e73c6bb2 · Madhura Bhave · a5a382b8 · e73c6bb2 · e73c6bb2 · e73c6bb2
Commit e73c6bb2 authored Jan 18, 2017 by Madhura Bhave
3 changed files
--- a/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/trace/TraceProperties.java
+++ b/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/trace/TraceProperties.java
@@ -29,6 +29,7 @@ import org.springframework.boot.context.properties.ConfigurationProperties;
 * @author Wallace Wadge
 * @author Phillip Webb
 * @author Venil Noronha
+ * @author Madhura Bhave
 * @since 1.3.0
 */
 @ConfigurationProperties(prefix = "management.trace")
@@ -79,6 +80,11 @@ public class TraceProperties {
 		 */
 		COOKIES,

+		/**
+		 * Include authorization header (if any).
+		 */
+		AUTHORIZATION_HEADER,
+
 		/**
 		 * Include errors (if any).
 		 */

--- a/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/trace/WebRequestTraceFilter.java
+++ b/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/trace/WebRequestTraceFilter.java
@@ -20,9 +20,11 @@ import java.io.IOException;
 import java.security.Principal;
 import java.util.Collections;
 import java.util.Enumeration;
+import java.util.HashSet;
 import java.util.LinkedHashMap;
 import java.util.List;
 import java.util.Map;
+import java.util.Set;

 import javax.servlet.Filter;
 import javax.servlet.FilterChain;
@@ -49,6 +51,7 @@ import org.springframework.web.filter.OncePerRequestFilter;
 * @author Wallace Wadge
 * @author Andy Wilkinson
 * @author Venil Noronha
+ * @author Madhura Bhave
 */
 public class WebRequestTraceFilter extends OncePerRequestFilter implements Ordered {

@@ -151,8 +154,18 @@ public class WebRequestTraceFilter extends OncePerRequestFilter implements Order
 	private Map<String, Object> getRequestHeaders(HttpServletRequest request) {
 		Map<String, Object> headers = new LinkedHashMap<String, Object>();
 		Enumeration<String> names = request.getHeaderNames();
+		Set<String> excludedHeaders = new HashSet<String>();
+		if (!isIncluded(Include.COOKIES)) {
+			excludedHeaders.add("cookie");
+		}
+		if (!isIncluded(Include.AUTHORIZATION_HEADER)) {
+			excludedHeaders.add("authorization");
+		}
 		while (names.hasMoreElements()) {
 			String name = names.nextElement();
+			if (excludedHeaders.contains(name.toLowerCase())) {
+				continue;
+			}
 			List<String> values = Collections.list(request.getHeaders(name));
 			Object value = values;
 			if (values.size() == 1) {
@@ -163,9 +176,6 @@ public class WebRequestTraceFilter extends OncePerRequestFilter implements Order
 			}
 			headers.put(name, value);
 		}
-		if (!isIncluded(Include.COOKIES)) {
-			headers.remove("Cookie");
-		}
 		postProcessRequestHeaders(headers);
 		return headers;
 	}

--- a/spring-boot-actuator/src/test/java/org/springframework/boot/actuate/trace/WebRequestTraceFilterTests.java
+++ b/spring-boot-actuator/src/test/java/org/springframework/boot/actuate/trace/WebRequestTraceFilterTests.java
@@ -51,6 +51,7 @@ import static org.mockito.Mockito.verify;
 * @author Andy Wilkinson
 * @author Venil Noronha
 * @author Stephane Nicoll
+ * @author Madhura Bhave
 */
 public class WebRequestTraceFilterTests {

@@ -168,6 +169,43 @@ public class WebRequestTraceFilterTests {
 		assertThat(map.get("request").toString()).isEqualTo("{Accept=application/json}");
 	}

+	@Test
+	@SuppressWarnings({ "unchecked" })
+	public void filterDoesNotAddAuthorizationHeaderWithoutAuthorizationHeaderInclude()
+			throws ServletException, IOException {
+		MockHttpServletRequest request = new MockHttpServletRequest("GET", "/foo");
+		request.addHeader("Authorization", "my-auth-header");
+		MockHttpServletResponse response = new MockHttpServletResponse();
+		this.filter.doFilterInternal(request, response, new FilterChain() {
+			@Override
+			public void doFilter(ServletRequest request, ServletResponse response)
+					throws IOException, ServletException {
+			}
+		});
+		Map<String, Object> info = this.repository.findAll().iterator().next().getInfo();
+		Map<String, Object> headers = (Map<String, Object>) info.get("headers");
+		assertThat(((Map) headers.get("request"))).hasSize(0);
+	}
+
+	@Test
+	@SuppressWarnings({ "unchecked" })
+	public void filterAddsAuthorizationHeaderWhenAuthorizationHeaderIncluded()
+			throws ServletException, IOException {
+		this.properties.setInclude(EnumSet.of(Include.REQUEST_HEADERS, Include.AUTHORIZATION_HEADER));
+		MockHttpServletRequest request = new MockHttpServletRequest("GET", "/foo");
+		request.addHeader("Authorization", "my-auth-header");
+		MockHttpServletResponse response = new MockHttpServletResponse();
+		this.filter.doFilterInternal(request, response, new FilterChain() {
+			@Override
+			public void doFilter(ServletRequest request, ServletResponse response)
+					throws IOException, ServletException {
+			}
+		});
+		Map<String, Object> info = this.repository.findAll().iterator().next().getInfo();
+		Map<String, Object> headers = (Map<String, Object>) info.get("headers");
+		assertThat(((Map) headers.get("request"))).containsKey("Authorization");
+	}
+
 	@Test
 	@SuppressWarnings({ "unchecked" })
 	public void filterDoesNotAddResponseCookiesWithCookiesExclude()