Hi,

It seems Camel has a default behaviour of echoing client headers, at
least for the CXF component that I tested with, e.g.:

from("cxf://http://localhost:8000/service.endpoint?dataFormat=POJO&serviceClass=beans.CXFdemobean")
.log("message");

Calling it with: curl -H "xyz: whatever" http://localhost:8000/service.endpoint -i

it includes in the response headers:

xyz: whatever

I know I have the option of adding a processor with:

exchange.getIn().removeHeaders("*");

However, it seems to me very non-intuitive that any HTTP headers sent
by the client might be echoed back by default. There are potential
security concerns if, for example, the Authorization header is sent
back to the client. I'm just wondering if this issue came up before or
if we would consider changing the default behaviour?

Thanks,

Colm.
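The processor-based workaround from the mail, worked into a complete route as an added example (it is not code from the original post or from the Camel project). It drops every inbound header before the reply is built except an explicit allow-list, so a client-supplied header such as Authorization is never reflected; the allow-list contents and the availability of the removeHeaders(pattern, excludePatterns...) overload in the Camel version in use are assumptions.

```java
import org.apache.camel.Exchange;
import org.apache.camel.Processor;
import org.apache.camel.builder.RouteBuilder;

// Added example: keep client-sent HTTP headers out of the CXF response.
// The endpoint URI is the one from the mail; everything else is assumed.
public class NoEchoRoute extends RouteBuilder {

    // Response headers the service is allowed to return. Anything not
    // listed here (including every header the client sent) is removed.
    // Assumed allow-list; adjust to what the service actually needs.
    static final String[] ALLOWED_RESPONSE_HEADERS = {
        "Content-Type",
        "Content-Length"
    };

    @Override
    public void configure() {
        from("cxf://http://localhost:8000/service.endpoint?dataFormat=POJO&serviceClass=beans.CXFdemobean")
            .log("message")
            // ... service logic goes here ...
            // Last step of the route: the message at this point becomes the
            // reply, so strip headers here rather than earlier in the route.
            .process(new Processor() {
                @Override
                public void process(Exchange exchange) throws Exception {
                    // "*" matches every header; the exclude patterns keep
                    // only the allow-listed names (assumed overload).
                    exchange.getIn().removeHeaders("*", ALLOWED_RESPONSE_HEADERS);
                }
            });
    }
}
```

A quick check after deploying is the same curl call from the mail with `-i`: the response should no longer carry the `xyz` header.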
