Merge pull request #22829 from emilytsanova

* gh-22829:
  Polish "Exclude cookie headers by default from HTTP traces"
  Exclude cookie headers by default from HTTP traces

Closes gh-22829

Author: wilkinsona

spring-boot-project/spring-boot-actuator-autoconfigure/src/main/java/org/springframework/boot/actuate/autoconfigure/trace/http/HttpTraceProperties.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2012-2019 the original author or authors.
+ * Copyright 2012-2020 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -37,8 +37,7 @@ public class HttpTraceProperties {
 
 	/**
 	 * Items to be included in the trace. Defaults to request headers (excluding
-	 * Authorization but including Cookie), response headers (including Set-Cookie), and
-	 * time taken.
+	 * Authorization and Cookie), response headers (excluding Set-Cookie), and time taken.
 	 */
 	private Set<Include> include = new HashSet<>(Include.defaultIncludes());
 

spring-boot-project/spring-boot-actuator-autoconfigure/src/main/resources/META-INF/additional-spring-configuration-metadata.json

@@ -653,7 +653,6 @@
       "defaultValue": [
         "request-headers",
         "response-headers",
-        "cookies",
         "errors"
       ]
     },

spring-boot-project/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/trace/http/Include.java

@@ -24,6 +24,8 @@
  * Include options for HTTP tracing.
  *
  * @author Wallace Wadge
+ * @author Emily Tsanova
+ * @author Joseph Beeton
  * @since 2.0.0
  */
 public enum Include {
@@ -55,6 +57,7 @@ public enum Include {
 	PRINCIPAL,
 
 	/**
+	 *
 	 * Include the remote address.
 	 */
 	REMOTE_ADDRESS,
@@ -75,7 +78,6 @@ public enum Include {
 		Set<Include> defaultIncludes = new LinkedHashSet<>();
 		defaultIncludes.add(Include.REQUEST_HEADERS);
 		defaultIncludes.add(Include.RESPONSE_HEADERS);
-		defaultIncludes.add(Include.COOKIE_HEADERS);
 		defaultIncludes.add(Include.TIME_TAKEN);
 		DEFAULT_INCLUDES = Collections.unmodifiableSet(defaultIncludes);
 	}

spring-boot-project/spring-boot-actuator/src/test/java/org/springframework/boot/actuate/trace/http/HttpExchangeTracerTests.java

@@ -29,6 +29,7 @@
 
 import org.springframework.boot.actuate.trace.http.HttpTrace.Request;
 import org.springframework.http.HttpHeaders;
+import org.springframework.http.MediaType;
 import org.springframework.util.LinkedMultiValueMap;
 import org.springframework.util.MultiValueMap;
 
@@ -270,6 +271,29 @@ void timeTakenCanBeIncluded() {
 		assertThat(trace.getTimeTaken()).isNotNull();
 	}
 
+	@Test
+	void defaultIncludes() {
+		HttpHeaders requestHeaders = new HttpHeaders();
+		requestHeaders.setAccept(Arrays.asList(MediaType.APPLICATION_JSON));
+		requestHeaders.set(HttpHeaders.COOKIE, "value");
+		requestHeaders.set(HttpHeaders.AUTHORIZATION, "secret");
+		HttpExchangeTracer tracer = new HttpExchangeTracer(Include.defaultIncludes());
+		HttpTrace trace = tracer.receivedRequest(createRequest(requestHeaders));
+		HttpHeaders responseHeaders = new HttpHeaders();
+		responseHeaders.set(HttpHeaders.SET_COOKIE, "test=test");
+		responseHeaders.setContentLength(0);
+		tracer.sendingResponse(trace, createResponse(responseHeaders), this::createPrincipal, () -> "sessionId");
+		assertThat(trace.getTimeTaken()).isNotNull();
+		assertThat(trace.getPrincipal()).isNull();
+		assertThat(trace.getSession()).isNull();
+		assertThat(trace.getTimestamp()).isNotNull();
+		assertThat(trace.getRequest().getMethod()).isEqualTo("GET");
+		assertThat(trace.getRequest().getRemoteAddress()).isNull();
+		assertThat(trace.getResponse().getStatus()).isEqualTo(204);
+		assertThat(trace.getRequest().getHeaders()).containsOnlyKeys(HttpHeaders.ACCEPT);
+		assertThat(trace.getResponse().getHeaders()).containsOnlyKeys(HttpHeaders.CONTENT_LENGTH);
+	}
+
 	private TraceableRequest createRequest() {
 		return createRequest(Collections.singletonMap(HttpHeaders.ACCEPT, Arrays.asList("application/json")));
 	}