hevinhsu commented on PR #9294: URL: https://github.com/apache/ozone/pull/9294#issuecomment-3540405392
> Could you give some examples here? Currently I think we only check that all the headers in `X-Amz-SignedHeaders` should exist in the request headers. Regarding the actual HTTP header value, I think it should be calculated based on the AWS4 signature? Hi @ivandika3, I added a test ([link](https://github.com/hevinhsu/ozone/blob/expect-invalid-request-test/hadoop-ozone/integration-test-s3/src/test/java/org/apache/hadoop/ozone/s3/awssdk/v2/AbstractS3SDKV2Tests.java#L542-L579)) to check if requests with conflicting `X-Amz-Security-Token` in both header and query are properly rejected. According to the S3 spec, this should fail, but the request currently succeeds. Please let me know if you have any suggestions! -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
