Fixing HttpClient warning "Invalid expires attribute" using fluent API

Question

I'm using the fluent API of HttpClient to make a GET request:

String jsonResult = Request.Get(requestUrl)
            .connectTimeout(2000)
            .socketTimeout(2000)
            .execute().returnContent().asString();

But for each request I get the following warning:

apr 07, 2016 12:26:46 PM org.apache.http.client.protocol.ResponseProcessCookies processCookies
WARNING: Invalid cookie header: "Set-Cookie: WMF-Last-Access=07-Apr-2016;Path=/;HttpOnly;Expires=Mon, 09 May 2016 00:00:00 GMT". Invalid 'expires' attribute: Mon, 09 May 2016 00:00:00 GMT

How can I fix this and keep using the fluent interface? Ideally I'd want a proper way to fix it, but since I don't really care about the cookies in my use case any solution that just allows me to stop displaying the warnings (besides redirecting stderr, cause I need that) is welcome.

Answer 1

The default HttpClient has difficulty understanding the latest RFC-compliant headers.

Instead of hiding the warning, just switch to a standard cookie spec like this (HttpClient 4.4+):

HttpClient httpClient = HttpClients.custom()
    .setDefaultRequestConfig(RequestConfig.custom()
        .setCookieSpec(CookieSpecs.STANDARD)
        .build())
    .build();

Answer 2

If you want to use HttpClientBuilder you can use the following sytax:

        HttpClient httpClient = HttpClientBuilder.create()
            .setDefaultRequestConfig(RequestConfig.custom()
                    .setCookieSpec(CookieSpecs.STANDARD).build()).build();

Answer 3

For the developers don't want to think on the object model, wrapping the HttpClient for a RestTemplate might be used as below ( as @comiventor mentioned above especially for Spring Boot Developers).

a Customizer for RestTemplate,

public class RestTemplateStandardCookieCustomizer 
                         implements RestTemplateCustomizer {

    @Override
    public void customize(final RestTemplate restTemplate) {

        final HttpClient httpClient = HttpClients.custom()
            .setDefaultRequestConfig(RequestConfig.custom()
                .setCookieSpec(CookieSpecs.STANDARD).build())
            .build();

        restTemplate.setRequestFactory(
          new HttpComponentsClientHttpRequestFactory(httpClient)
        );
    }
}

and using it with the RestTemplate Builder

var restTemplate = restTemplateBuilder.additionalCustomizers(
            new RestTemplateStandardCookieCustomizer()
        ).build();

Answer 4

Solved with:

System.setProperty("org.apache.commons.logging.simplelog.log.org.apache.http.client.protocol.ResponseProcessCookies", "fatal");

Answer 5

This answer is not directly related to the OP, but to help those looking for a solution to the problem. This is the first result on Google when searching Invalid expires attribute.

I am using Resteasy as a transitive dependency of Keycloak Admin REST Client.

The problem is resteasy-client does not provide an easy way to configure the Apache HttpClient HttpClient#RequestConfig#CookieSpec. See the default ClientHttpEngineBuilder used by resteasy-client ClientHttpEngineBuilder43.

To fix it, since the ClientHttpEngineBuilder43#createEngine method is protected, I have extended the class and specified the suggested CookieSpecs.STANDARD:

import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLContext;

import org.apache.http.HttpHost;
import org.apache.http.client.config.CookieSpecs;
import org.apache.http.client.config.RequestConfig.Builder;
import org.apache.http.conn.HttpClientConnectionManager;
import org.jboss.resteasy.client.jaxrs.ClientHttpEngine;
import org.jboss.resteasy.client.jaxrs.ClientHttpEngineBuilder43;

public class StandardCookieSpecClientHttpEngineBuilder extends ClientHttpEngineBuilder43 {

  @Override
  protected ClientHttpEngine createEngine(
      HttpClientConnectionManager cm,
      Builder rcBuilder,
      HttpHost defaultProxy,
      int responseBufferSize,
      HostnameVerifier verifier,
      SSLContext context) {
    // CookieSpecs.DEFAULT does not handle the latest RFC correctly
    // <https://stackoverflow.com/a/40697322/13688761>
    rcBuilder.setCookieSpec(CookieSpecs.STANDARD);
    return super.createEngine(cm, rcBuilder, defaultProxy, responseBufferSize, verifier, context);
  }
}

Then, the corresponding ResteasyClient and Keycloak are built as:

import org.jboss.resteasy.client.jaxrs.ResteasyClient;
import org.jboss.resteasy.client.jaxrs.ResteasyClientBuilder;
import org.keycloak.admin.client.Keycloak;
import org.keycloak.admin.client.KeycloakBuilder;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class KeycloakConfig {

  @Bean
  public Keycloak keycloak() {
    return KeycloakBuilder.builder()
        // ... Some other configuration to the builder
        .resteasyClient(buildResteasyClient())
        .build();
  }

  private ResteasyClient buildResteasyClient() {
    ResteasyClientBuilder resteasyClientBuilder = new ResteasyClientBuilder();
    // ... Some other configuration to the client builder
    return resteasyClientBuilder
        .httpEngine(
            new StandardCookieSpecClientHttpEngineBuilder()
                .resteasyClientBuilder(resteasyClientBuilder)
                .build())
        .build();
  }
}

Answer 6

Apache HttpClient 5.1.3 is fully compliant with RFC 6265 by default. Hence the following code doesn't produce any warnings anymore:

import org.apache.hc.client5.http.classic.methods.HttpGet;
import org.apache.hc.client5.http.impl.classic.CloseableHttpClient;
import org.apache.hc.client5.http.impl.classic.CloseableHttpResponse;
import org.apache.hc.client5.http.impl.classic.HttpClients;

//...

try (CloseableHttpClient httpclient = HttpClients.createDefault()) {
    HttpGet httpGet = new HttpGet(url);
    try (CloseableHttpResponse response = httpclient.execute(httpGet)) {
        System.out.println(response.getCode() + " " + response.getReasonPhrase());
    }
}