spring-cloud/spring-cloud-gateway

Disable Apache client5 cookie manager by default

Open

#3311 opened on Mar 20, 2024

View on GitHub
 (8 comments) (0 reactions) (0 assignees)Java (4,284 stars) (3,204 forks)batch import
enhancementhelp wanted

Description

Describe the bug We have a tomcat between the gateway MVC (spring cloud 2023.0.0), some problem occured with the JDK httpclient (in java 17 they are problem with node), so we use the implementation of apache httpclient, our tomcat use cookie to pass the JSESSION ID (who is use for the session).

The problem is that the httpclient have the cookie manager activated and the httpclient are reused for all request.

I see two ways to correct this issue :

  • Disable the cookie manager of the httpclient
  • Recreate a new httpclient for all request

How to reproduce if we test with postman and the http interceptor with gateway mvc first call, http-interceptio log :

/test
Generated cookie : 2143473103

on postman we removed all cookie, and the second call :

/test
Request cookie : [a=2143473103]
Generated cookie : 1554856040

The previous cookie was found in the interceptor, because when the first call occured, the cookie in the response was add to the cookie manager of the httpclient, and is reused for the next request

Sample HTTP interceptor for test :

import com.sun.net.httpserver.HttpServer;

import java.io.IOException;
import java.net.InetSocketAddress;
import java.nio.charset.StandardCharsets;
import java.util.Random;
import java.util.concurrent.Executors;
import java.util.concurrent.ThreadPoolExecutor;

public class Main {

    public static void main(String[] args) throws IOException {

        ThreadPoolExecutor threadPoolExecutor = (ThreadPoolExecutor) Executors.newFixedThreadPool(10);

        HttpServer server = HttpServer.create(new InetSocketAddress("localhost", 9008), 0);
        server.createContext("/", exchange -> {
            System.out.println(exchange.getRequestURI());

            exchange.getRequestHeaders().entrySet().stream().filter(e -> e.getKey().toLowerCase().equals("cookie")).forEach(e -> System.out.println("Request cookie : " + e.getValue()));

            Random random = new Random();
            int cookie = random.nextInt();

            System.out.println("Generated cookie : " + cookie);

            exchange.getResponseHeaders().add("Set-Cookie", "a="+cookie);
            exchange.getResponseHeaders().add("a", "b");

            exchange.sendResponseHeaders(200, "OK".length());
            exchange.getResponseBody().write("OK".getBytes(StandardCharsets.UTF_8));

            exchange.getResponseBody().close();
        });
        server.setExecutor(threadPoolExecutor);
        server.start();
        System.out.println(" Server started on port 9008");
    }
}

gateway MVC : (spring initializr ) Main class :

@SpringBootApplication
public class DemoApplication {

	public static void main(String[] args) {
		SpringApplication.run(DemoApplication.class, args);
	}

	@Configuration
	public static class GatewayConfiguration {

		@Bean
		public RouterFunction<ServerResponse> routerFunction() {
			return route()
					.POST("/test", http("http://localhost:9008"))
					.build();
		}
	}
}

In maven we add :

<dependency>
	<groupId>org.apache.httpcomponents.client5</groupId>
	<artifactId>httpclient5</artifactId>
	<version>5.3.1</version>
</dependency>

And in the application.properties we add : spring.cloud.gateway.mvc.httpclient.type=AUTODETECT

Contributor guide

Tech stack
javaspring
Domain
backend
Issue type
bug
DifficultyEstimated implementation difficulty for a new contributor, from 1 for very small changes to 5 for expert-level work.
3
Estimated timeA rough time range for an experienced contributor to investigate, implement, test, and prepare a pull request.
1-3 hours
Activity statusHow available the issue appears right now: fresh, active, stale, blocked, or waiting on maintainer input.
fresh
ClarityHow clearly the issue explains the expected change, acceptance criteria, and next step.
clear
Prerequisites
JavaSpring BootApache HttpClient5
Newbie friendlinessA 1-100 score estimating how approachable this issue is for first-time contributors.
70
Research direction
Investigate the configuration of Apache HttpClient5 in Spring Cloud Gateway MVC. Locate the bean or factory that creates the HttpClient instance (likely in 'org.springframework.cloud.gateway.config' package). Modify the HttpClient builder to disable cookie management by calling 'disableCookieManagement()' or setting a custom CookieStore. Review the existing issue comments for additional context and maintainer feedback.