[ 
https://issues.apache.org/jira/browse/NIFI-11250?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17724281#comment-17724281
 ] 

David Handermann commented on NIFI-11250:
-----------------------------------------

The lack of support for sending a request body has been part of the InvokeHTTP 
implementation since early versions; the HttpMethod enum captures that fact as 
part of more recent refactoring.

The RFC 9110 reference indicates that a client {{SHOULD NOT}} generate content 
for a {{DELETE}} request, unless the semantics are described elsewhere. From 
that perspective, the RFC discourages sending content, but does not disallow it 
as described. Allowing InvokeHTTP to send a {{DELETE}} request would involve 
some code changes as well as adjusting dependent properties to clarify 
behavior. Given the long-standing status of the current implementation, 
changing this seems questionable.

[~benj_928381923] Do you have a reference to a well-known service that supports 
{{DELETE}} requests with a body?

> InvokeHTTP drops the Body when using the DELETE method
> ------------------------------------------------------
>
>                 Key: NIFI-11250
>                 URL: https://issues.apache.org/jira/browse/NIFI-11250
>             Project: Apache NiFi
>          Issue Type: Improvement
>          Components: Extensions
>            Reporter: Benji Benning
>            Assignee: David Handermann
>            Priority: Major
>
> Today, InvokeHTTP drops the Body when the method used isn't PUT, POST, or 
> PATCH (as stated in the documentation). RFC states that DELETE with body 
> isn't generally used, but doesn't disallow it.
> In my case, I'm using InvokeHTTP to interact with Keycloak's Admin REST API. 
> They use DELETE with body in quite a few cases. For example, in my specific 
> use case:
> [https://www.keycloak.org/docs-api/21.0.1/rest-api/#_role_mapper_resource]
> (referring to: Delete realm-level role mappings)
> Additional information:
> {noformat}
> Although request message framing is independent of the method used, content 
> received in a DELETE request has no generally defined semantics, cannot alter 
> the meaning or target of the request, and might lead some implementations to 
> reject the request and close the connection because of its potential as a 
> request smuggling attack (Section 11.2 of [HTTP/1.1]). A client SHOULD NOT 
> generate content in a DELETE request unless it is made directly to an origin 
> server that has previously indicated, in or out of band, that such a request 
> has a purpose and will be adequately supported. An origin server SHOULD NOT 
> rely on private agreements to receive content, since participants in HTTP 
> communication are often unaware of intermediaries along the request 
> chain.{noformat}
> [https://www.rfc-editor.org/rfc/rfc9110.html#name-delete] 
>  
> During discussion with Otto Fowler, he stated that this is disabled in the 
> [HTTPMethod 
> enum|https://github.com/apache/nifi/blob/7a47c8cfbd458ab037275762c385d50372c130a3/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/http/HttpMethod.java].



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
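
The RFC 9110 text quoted in the issue says request framing is independent of the method and that some implementations reject DELETE content over request-smuggling concerns. As an added example (not part of this message, and not NiFi or Keycloak code), the Python function below frames a fully buffered HTTP/1.1 request from its headers alone and refuses ambiguous framing. `frame_request`, the path, the host and both sample requests are constructed, and rejecting Content-Length together with Transfer-Encoding is a strict policy assumed here.

```python
# Added example, not NiFi or Keycloak code. frame_request() and both sample
# requests are constructed for illustration.
BODY = b'[{"name":"example-role"}]'
HEAD = b"DELETE /example/role-mappings HTTP/1.1\r\nHost: origin.example\r\n"
DELETE_WITH_BODY = HEAD + b"Content-Length: %d\r\n\r\n" % len(BODY) + BODY
AMBIGUOUS = (HEAD + b"Content-Length: %d\r\n" % len(BODY)
             + b"Transfer-Encoding: chunked\r\n\r\n" + BODY)


def frame_request(raw: bytes):
    """Return (method, decision, body) for one fully buffered request."""
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        return None, "reject:incomplete-head", b""
    lines = head.split(b"\r\n")
    # The method is parsed for reporting only; it never influences framing.
    method = lines[0].split(b" ", 1)[0].decode("ascii", "replace")
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        # No colon, empty name, or whitespace around the field name.
        if not colon or not name or name != name.strip():
            return method, "reject:malformed-header", b""
        headers.setdefault(name.lower(), []).append(value.strip())
    lengths = set(headers.get(b"content-length", []))
    if b"transfer-encoding" in headers:
        if lengths:
            # Two framing signals that can disagree: refuse to pick one.
            return method, "reject:cl-and-te", b""
        return method, "chunked", rest  # chunk decoding is out of scope here
    if len(lengths) > 1:
        return method, "reject:conflicting-content-length", b""
    if not lengths:
        return method, "no-content", b""
    (value,) = lengths
    if not value.isdigit():
        return method, "reject:bad-content-length", b""
    n = int(value)
    if len(rest) < n:
        return method, "reject:short-body", b""
    return method, ("content-length" if n else "no-content"), rest[:n]


if __name__ == "__main__":
    for sample in (DELETE_WITH_BODY, AMBIGUOUS):
        print(frame_request(sample)[:2])
```

A DELETE that carries a single consistent Content-Length is framed exactly as a POST would be, so the smuggling risk sits in ambiguous framing rather than in the method itself.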
