[OPENAM-8689] javascript httpClient appends headers as querystring parameters Created: 08/Apr/16  Updated: 20/Nov/16  Resolved: 18/Apr/16

Status: Resolved
Project: OpenAM
Component/s: policy, scripting
Affects Version/s: 12.0.0, 12.0.1, 12.0.2, 12.0.3, 13.0.0
Fix Version/s: 12.0.4, 13.5.0

Type: Bug Priority: Major
Reporter: Eric Wirkerman Assignee: Mark de Reeper
Resolution: Fixed Votes: 0
Labels: EDISON
Remaining Estimate: 0h
Time Spent: 2h
Original Estimate: 0h

Target Version/s:
Rank: 1|hzl5f3:
Sprint: AM Sustaining Sprint 20
Support Ticket IDs:


Following the example "Scripted Policy Condition", I created the below script.

var response = httpClient.get("http://localhost.localdomain.com:8082/openidm/managed/user/1d1cd0df-5962-49b4-a316-cb083762b667?_fields=*%2Ctenant%2Ctenant%2FSKUs%2Ctenant%2FSKUs%2F*",
        cookies: [],
        headers: [
				field: "Content-Type",
				value: "application/json"
				field: "X-OpenIDM-Username",
				value: "eric"
				field: "X-OpenIDM-Password",
				value: "Password1"

var body = JSON.parse(response.getEntity());
if (body.tenant.SKUs[0] !== null) {
	authorized = true; 

function logResponse(response) {
    logger.error("User REST Call. Status: " + response.getStatusCode() + ", Body: " + response.getEntity());

To get a better idea of the request that was going out, I set up a simple ncat listener on port 8082. I found that the headers I was passing in my script were being appended as querystring parameters.

Outbound HTTP Request
GET /openidm/managed/user/1d1cd0df-5962-49b4-a316-cb083762b667?_fields=*%2Ctenant%2Ctenant%2FSKUs%2Ctenant%2FSKUs%2F*?X-OpenIDM-Username=eric&X-OpenIDM-Password=Password1&Content-Type=application%2Fjson HTTP/1.1
Date: Fri, 08 Apr 2016 00:01:34 GMT
Accept: */*
User-Agent: Restlet-Framework/2.3.4
Cache-Control: no-cache
Pragma: no-cache
Host: localhost.localdomain.com:8082
Connection: keep-alive

I found that the class executing this was using org.forgerock.openam.scripting.api.http.JavaScriptHttpClient, and the super class at org.forgerock.http.client.RestletHttpClient. The source (https://stash.forgerock.org/projects/OPENAM/repos/openam/browse/openam-http-client/src/main/java/org/forgerock/http/client/RestletHttpClient.java) has the following code on lines 62-67:

            if (headers != null) {
                for (Map header : headers) {
                    httpClientRequest.addQueryParameter((String) header.get("field"),
                            (String) header.get("value"));

This code would place all headers as querystring parameters.

Generated at Sat Feb 27 03:52:00 UTC 2021 using Jira 7.13.12#713012-sha1:6e07c38070d5191bbf7353952ed38f111754533a.