From 843ff2129c584060aed20fa0329592c903af12da Mon Sep 17 00:00:00 2001 From: Arturo Bernal Date: Mon, 6 Jan 2025 22:31:27 +0100 Subject: [PATCH] Fix HTTPCLIENT-2354 by updating ResponseCachingPolicy to allow caching of responses with "must-revalidate, max-age=0" in shared caches with Authorization headers. The change aligns with RFC 9111 Section 5.2.2.2, ensuring responses with "must-revalidate," "s-maxage," or "public" directives are cacheable. This addresses cases where responses with Authorization headers were unnecessarily excluded from caching. --- .../impl/cache/ResponseCachingPolicy.java | 2 +- .../impl/cache/TestResponseCachingPolicy.java | 56 +++++++++++++++++++ 2 files changed, 57 insertions(+), 1 deletion(-) diff --git a/httpclient5-cache/src/main/java/org/apache/hc/client5/http/impl/cache/ResponseCachingPolicy.java b/httpclient5-cache/src/main/java/org/apache/hc/client5/http/impl/cache/ResponseCachingPolicy.java index e18aef36e8..9672fe2dcc 100644 --- a/httpclient5-cache/src/main/java/org/apache/hc/client5/http/impl/cache/ResponseCachingPolicy.java +++ b/httpclient5-cache/src/main/java/org/apache/hc/client5/http/impl/cache/ResponseCachingPolicy.java @@ -145,7 +145,7 @@ public boolean isResponseCacheable(final ResponseCacheControl cacheControl, fina if (sharedCache) { if (request.containsHeader(HttpHeaders.AUTHORIZATION) && cacheControl.getSharedMaxAge() == -1 && - !cacheControl.isPublic()) { + !(cacheControl.isPublic() || cacheControl.isMustRevalidate())) { LOG.debug("Request contains private credentials"); return false; } diff --git a/httpclient5-cache/src/test/java/org/apache/hc/client5/http/impl/cache/TestResponseCachingPolicy.java b/httpclient5-cache/src/test/java/org/apache/hc/client5/http/impl/cache/TestResponseCachingPolicy.java index d87debe50c..bdddf7cfeb 100644 --- a/httpclient5-cache/src/test/java/org/apache/hc/client5/http/impl/cache/TestResponseCachingPolicy.java +++ b/httpclient5-cache/src/test/java/org/apache/hc/client5/http/impl/cache/TestResponseCachingPolicy.java @@ -944,4 +944,60 @@ void testImmutableAndFreshResponseIsCacheable() { Assertions.assertTrue(policy.isResponseCacheable(responseCacheControl, request, response)); } + + @Test + void testPublicWithAuthorizationIsCacheable() { + request = new BasicHttpRequest("GET", "/resource"); + request.setHeader(HttpHeaders.AUTHORIZATION, "Basic dXNlcjpwYXNzd2Q="); + response.setHeader("Cache-Control", "public"); + responseCacheControl = ResponseCacheControl.builder() + .setCachePublic(true) + .build(); + + final boolean isCacheable = policy.isResponseCacheable(responseCacheControl, request, response); + Assertions.assertTrue(isCacheable, + "Response with public directive and Authorization header should be cacheable in shared cache."); + } + + @Test + void testSMaxageWithAuthorizationIsCacheable() { + request = new BasicHttpRequest("GET", "/resource"); + request.setHeader(HttpHeaders.AUTHORIZATION, "Basic dXNlcjpwYXNzd2Q="); + response.setHeader("Cache-Control", "s-maxage=60"); + responseCacheControl = ResponseCacheControl.builder() + .setSharedMaxAge(60) + .build(); + + final boolean isCacheable = policy.isResponseCacheable(responseCacheControl, request, response); + Assertions.assertTrue(isCacheable, + "Response with s-maxage and Authorization header should be cacheable in shared cache."); + } + + @Test + void testNoDirectivesWithAuthorizationNotCacheable() { + request = new BasicHttpRequest("GET", "/resource"); + request.setHeader(HttpHeaders.AUTHORIZATION, "Basic dXNlcjpwYXNzd2Q="); + response.setHeader("Cache-Control", ""); + responseCacheControl = ResponseCacheControl.builder() + .build(); + + final boolean isCacheable = policy.isResponseCacheable(responseCacheControl, request, response); + Assertions.assertFalse(isCacheable, + "Response without must-revalidate, public, or s-maxage should not be cacheable with Authorization header."); + } + + @Test + void testMustRevalidateWithAuthorizationIsCacheable() { + request = new BasicHttpRequest("GET", "/resource"); + request.setHeader(HttpHeaders.AUTHORIZATION, "Basic dXNlcjpwYXNzd2Q="); + response.setHeader("Cache-Control", "must-revalidate"); + responseCacheControl = ResponseCacheControl.builder() + .setMustRevalidate(true) + .build(); + + final boolean isCacheable = policy.isResponseCacheable(responseCacheControl, request, response); + Assertions.assertTrue(isCacheable, + "Response with must-revalidate and Authorization header should be cacheable in shared cache."); + } + } \ No newline at end of file