async-http-client
authorization headers exposed in log
When the log level is set to debug, the request object is logged. This prints all headers, including the Authorization header. In case a user has implemented their own credentials mechanism, for example because the Realm object was not sufficient for the authorization scheme (or for any other reason), sensitive information can leak. Bearer scheme authorization is one such example.
A simple fix is to not log authorization headers: when iterating the headers, if the header key is Authorization, print something like `* authorization data skipped *`.
This is a simple, straightforward solution that is very robust: no matter why the user set the headers themselves, no Authorization header leak is possible (on the client side), assuming the underlying implementation (such as Netty) doesn't also log all headers.
It looks like, in the handleHttpResponse method of the HttpHandler class, one can add something like the below:
```java
// inside HttpHandler.handleHttpResponse; needs io.netty.handler.codec.http.HttpHeaders and java.util.Map
HttpHeaders httpRequestHeaders = httpRequest.headers();
StringBuilder sb = new StringBuilder();
for (Map.Entry<String, String> header : httpRequestHeaders) {
    // header names are case-insensitive ("authorization", "Authorization", ...), so match ignoring case
    if (header.getKey().equalsIgnoreCase("authorization")) {
        logger.debug("Skipping authorization headers");
    } else {
        // one "Name: value" line per header instead of concatenating Map.Entry.toString() output
        sb.append(header.getKey()).append(": ").append(header.getValue()).append('\n');
    }
}
logger.debug("\n\nRequest {}\n\nResponse {}\n", sb, response);
```
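An added example of the redaction described above, written as a standalone program rather than taken from the issue author or from async-http-client's own code. It shows the naive dump that leaks the bearer token next to a redacting renderer. The renderer takes any `Iterable<Map.Entry<String, String>>`, which is the interface Netty's `HttpHeaders` implements, so it can be dropped in without depending on Netty here. The class name `HeaderRedaction`, the method names, the sample header values and the inclusion of `Proxy-Authorization` in the sensitive list are assumptions, not anything the issue specifies.

```java
import java.util.AbstractMap;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;

public class HeaderRedaction {

    // Header names whose values are credentials. The issue only names Authorization;
    // Proxy-Authorization is added here as an assumption because it carries credentials the same way.
    private static final String[] SENSITIVE_HEADERS = {"authorization", "proxy-authorization"};

    private static final String PLACEHOLDER = "* authorization data skipped *";

    // Header names are case-insensitive, so compare ignoring case.
    static boolean isSensitive(String headerName) {
        for (String sensitive : SENSITIVE_HEADERS) {
            if (sensitive.equalsIgnoreCase(headerName)) {
                return true;
            }
        }
        return false;
    }

    // What a debug log that simply dumps every header prints: the token appears verbatim.
    static String renderUnredacted(Iterable<Map.Entry<String, String>> headers) {
        StringBuilder sb = new StringBuilder();
        for (Map.Entry<String, String> h : headers) {
            sb.append(h.getKey()).append(": ").append(h.getValue()).append('\n');
        }
        return sb.toString();
    }

    // Same rendering, but credential headers keep their name (so the log still shows the
    // header was sent) while the value is replaced by the placeholder.
    static String renderRedacted(Iterable<Map.Entry<String, String>> headers) {
        StringBuilder sb = new StringBuilder();
        for (Map.Entry<String, String> h : headers) {
            sb.append(h.getKey()).append(": ");
            sb.append(isSensitive(h.getKey()) ? PLACEHOLDER : h.getValue());
            sb.append('\n');
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample request headers; the mixed-case name is deliberate to exercise
        // the case-insensitive match. The token and credentials are made up.
        List<Map.Entry<String, String>> headers = new ArrayList<>();
        headers.add(new AbstractMap.SimpleEntry<>("Host", "api.example.com"));
        headers.add(new AbstractMap.SimpleEntry<>("AUTHORIZATION", "Bearer eyJhbGciOiJIUzI1NiJ9.dGVzdA.c2ln"));
        headers.add(new AbstractMap.SimpleEntry<>("Proxy-Authorization", "Basic dXNlcjpwYXNz"));
        headers.add(new AbstractMap.SimpleEntry<>("Content-Type", "application/json"));

        String leaking = renderUnredacted(headers);
        String safe = renderRedacted(headers);

        System.out.println("--- unredacted (leaks the token) ---");
        System.out.print(leaking);
        System.out.println("--- redacted ---");
        System.out.print(safe);

        // Sanity check a reviewer would want: no credential value survives in the redacted output.
        if (safe.contains("Bearer ") || safe.contains("Basic ")) {
            throw new IllegalStateException("credential leaked into log output");
        }
    }
}
```

Matching on the header name with `equalsIgnoreCase` matters: a check with `equals("authorization")` would redact nothing for a request that set `Authorization` with a capital A, which is the common spelling.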