actinium15 commented on issue #30: SLING-8869 SimpleHttpDistributionTransport does not refresh the secret
URL: https://github.com/apache/sling-org-apache-sling-distribution-core/pull/30#issuecomment-562238806

As always, thanks a lot for your support @tmaret!

> The behaviour is similar to the #28.

wrt the update of `Authorization` header this PR and #28 are identical - however, this PR additionally addresses the concern pointed out by you at [0] (secret-provider-impls updating the credentials without recreation of their Java objects).

> we are using the fluent API it seems there's no way to set the authentication headers only when a 401 or 403 is returned.

I concur. More precisely, while there's a way to update username/password via [`Executor.auth()`](http://hc.apache.org/httpcomponents-client-ga/fluent-hc/apidocs/org/apache/http/client/fluent/Executor.html#auth(java.lang.String,%20java.lang.String)), addition/update of a header needs to happen at the [`Request`](http://hc.apache.org/httpcomponents-client-ga/fluent-hc/apidocs/org/apache/http/client/fluent/Request.html#addHeader(java.lang.String,%20java.lang.String)) level, which we won't have _until_ the next invocation of `.deliverPackage`, by which time we won't know if the previous call resulted in 401 and we need a fresh secret as the `Authorization` header value.

Eviction of an `Executor` after it results in 401 comes with the cost of losing `HttpClient` contained within it (as mentioned at [1]).

Though I understood that you chose to pick #28 because we don't want to move away from Fluent HTTP APIs just yet, I don't quite understand what's specifically incorrect [with asking for most up-to-date secrets from the configured secret provider right before every request](https://github.com/apache/sling-org-apache-sling-distribution-core/pull/30/files#diff-655676dd8d087baa718f7d228e7ca866R131) [2]. Is invocation of `secretProvider.getSecret()` before every request the concern? (I expect well-behaved secret-provider impl to be able to cache/check-for-expiry/regenerate the secrets)

It'd be very helpful if you could explain your reservations with the approach this PR takes in a bit more detail.

Thanks!

[0] https://issues.apache.org/jira/browse/SLING-8869?focusedCommentId=16988627
[1] https://issues.apache.org/jira/browse/SLING-8869?focusedCommentId=16988653
[2] https://github.com/apache/sling-org-apache-sling-distribution-core/pull/30/files#diff-655676dd8d087baa718f7d228e7ca866R250-R251
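An added example, not part of the original comment or of the Sling code base: a secret provider of the kind the comment expects, one that caches a token, checks it for expiry and regenerates it, so that asking for the secret before every request only reaches the issuer when needed. All class and method names are hypothetical, and the `Bearer` scheme, token lifetime and refresh margin are assumptions.

```java
import java.time.Clock;
import java.time.Duration;
import java.time.Instant;
import java.util.function.Supplier;

// Hypothetical names throughout; not the Sling secret-provider API.
public final class CachingSecretProvider {
    /** A token plus the instant at which the issuer stops accepting it. */
    public record Token(String value, Instant expiresAt) {}

    private final Supplier<Token> issuer; // expensive call, e.g. to a token endpoint
    private final Duration refreshMargin; // renew this long before expiry
    private final Clock clock;
    private Token cached;                 // guarded by "this"

    public CachingSecretProvider(Supplier<Token> issuer, Duration refreshMargin, Clock clock) {
        this.issuer = issuer;
        this.refreshMargin = refreshMargin;
        this.clock = clock;
    }

    /** Cheap on the hot path: calls the issuer only when the token is missing or near expiry. */
    public synchronized String getSecret() {
        Instant now = clock.instant();
        if (cached == null || !now.isBefore(cached.expiresAt().minus(refreshMargin))) {
            cached = issuer.get();
        }
        return cached.value();
    }

    /** Drops the cached token, for example after the receiver answered 401. */
    public synchronized void invalidate() { cached = null; }

    /** Authorization header value, computed per request (Bearer scheme is an assumption). */
    public String authorizationHeader() { return "Bearer " + getSecret(); }

    public static void main(String[] args) {
        int[] issuerCalls = {0};
        // Constructed issuer: tokens that live for five minutes.
        CachingSecretProvider provider = new CachingSecretProvider(
                () -> new Token("token-" + (++issuerCalls[0]), Instant.now().plusSeconds(300)),
                Duration.ofSeconds(30), Clock.systemUTC());
        for (int i = 0; i < 3; i++) {
            System.out.println(provider.authorizationHeader()); // served from the cache
        }
        provider.invalidate(); // simulate a 401 from the receiver
        System.out.println(provider.authorizationHeader() + " issuerCalls=" + issuerCalls[0]);
    }
}
```

The refresh margin keeps a token from expiring in flight between `getSecret()` and the receiver's check; `invalidate()` covers tokens revoked before their stated expiry.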