Polish "Exclude cookie headers by default from HTTP traces"

See gh-22829

Author: wilkinsona

spring-boot-project/spring-boot-actuator-autoconfigure/src/main/java/org/springframework/boot/actuate/autoconfigure/trace/http/HttpTraceProperties.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2012-2019 the original author or authors.
+ * Copyright 2012-2020 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -37,8 +37,7 @@ public class HttpTraceProperties {
 
 	/**
 	 * Items to be included in the trace. Defaults to request headers (excluding
-	 * Authorization but including Cookie), response headers (including Set-Cookie), and
-	 * time taken.
+	 * Authorization and Cookie), response headers (excluding Set-Cookie), and time taken.
 	 */
 	private Set<Include> include = new HashSet<>(Include.defaultIncludes());
 

spring-boot-project/spring-boot-actuator/src/test/java/org/springframework/boot/actuate/trace/http/HttpExchangeTracerTests.java

@@ -29,6 +29,7 @@
 
 import org.springframework.boot.actuate.trace.http.HttpTrace.Request;
 import org.springframework.http.HttpHeaders;
+import org.springframework.http.MediaType;
 import org.springframework.util.LinkedMultiValueMap;
 import org.springframework.util.MultiValueMap;
 
@@ -270,6 +271,29 @@ void timeTakenCanBeIncluded() {
 		assertThat(trace.getTimeTaken()).isNotNull();
 	}
 
+	@Test
+	void defaultIncludes() {
+		HttpHeaders requestHeaders = new HttpHeaders();
+		requestHeaders.setAccept(Arrays.asList(MediaType.APPLICATION_JSON));
+		requestHeaders.set(HttpHeaders.COOKIE, "value");
+		requestHeaders.set(HttpHeaders.AUTHORIZATION, "secret");
+		HttpExchangeTracer tracer = new HttpExchangeTracer(Include.defaultIncludes());
+		HttpTrace trace = tracer.receivedRequest(createRequest(requestHeaders));
+		HttpHeaders responseHeaders = new HttpHeaders();
+		responseHeaders.set(HttpHeaders.SET_COOKIE, "test=test");
+		responseHeaders.setContentLength(0);
+		tracer.sendingResponse(trace, createResponse(responseHeaders), this::createPrincipal, () -> "sessionId");
+		assertThat(trace.getTimeTaken()).isNotNull();
+		assertThat(trace.getPrincipal()).isNull();
+		assertThat(trace.getSession()).isNull();
+		assertThat(trace.getTimestamp()).isNotNull();
+		assertThat(trace.getRequest().getMethod()).isEqualTo("GET");
+		assertThat(trace.getRequest().getRemoteAddress()).isNull();
+		assertThat(trace.getResponse().getStatus()).isEqualTo(204);
+		assertThat(trace.getRequest().getHeaders()).containsOnlyKeys(HttpHeaders.ACCEPT);
+		assertThat(trace.getResponse().getHeaders()).containsOnlyKeys(HttpHeaders.CONTENT_LENGTH);
+	}
+
 	private TraceableRequest createRequest() {
 		return createRequest(Collections.singletonMap(HttpHeaders.ACCEPT, Arrays.asList("application/json")));
 	}