Overcoming JVM Restrictions to Set the Origin Header in HTTP Requests

When integrating with a gateway that enforces HTTPS and requires the Origin header, the JDK's built-in java.net.HttpURLConnection client (and libraries layered on it) refuses to set certain headers. Origin and Host are among the headers it restricts by default: a client that can forge them can misrepresent where a request comes from (Origin is the browser's cross-origin signal) or which virtual host it is addressed to (Host), so the JDK keeps application code from setting them.

A common initial approach is to configure the JVM to allow these restricted headers. This can be attempted via system property settings:

1. Programmatic Setting in Main Class:

public class ApplicationMain {
    public static void main(String[] args) {
        // Must run before HttpURLConnection is first used: the property is read
        // once, in that class's static initializer, and changes after that are ignored.
        System.setProperty("sun.net.http.allowRestrictedHeaders", "true");
        // ... rest of application startup
    }
}

2. JVM Startup Argument:

java -Dsun.net.http.allowRestrictedHeaders=true -jar yourapp.jar

3. Maven Surefire Plugin Configuration (for tests):

<plugin>
    <groupId>org.apache.maven.plugins</groupId>
    <artifactId>maven-surefire-plugin</artifactId>
    <version>2.17</version>
    <configuration>
        <systemPropertyVariables>
            <sun.net.http.allowRestrictedHeaders>true</sun.net.http.allowRestrictedHeaders>
        </systemPropertyVariables>
    </configuration>
</plugin>

In many cases these property-based solutions still fail. The property is honoured only by HttpURLConnection, and only if it is set before that class is initialized, so with newer JDK versions or with HTTP client implementations that do not go through HttpURLConnection it is simply ignored.

An alternative is to use an HTTP client that gives lower-level control over the connection. With Apache HttpClient, for instance, you can install a custom SSL socket factory that trusts self-signed certificates and skips hostname verification. Note that this removes both checks that let TLS authenticate the server: any certificate presented on its own is accepted, for any host name, so an attacker on the network path can impersonate the gateway. Use it only in controlled environments such as a local test bench. Apache HttpClient does not restrict the Origin header at all, so the relaxed TLS settings are not what makes the header work; they only matter when the gateway's certificate cannot be validated normally.

import org.apache.http.conn.ssl.NoopHostnameVerifier;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.conn.ssl.TrustSelfSignedStrategy;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.ssl.SSLContexts;
import javax.net.ssl.SSLContext;

public class PermissiveHttpClientFactory {
    public static CloseableHttpClient createClient() throws Exception {
        // TrustSelfSignedStrategy accepts any certificate presented without a chain,
        // whoever generated it; the default trust store is still consulted for the rest
        SSLContext sslContext = SSLContexts.custom()
                .loadTrustMaterial(null, new TrustSelfSignedStrategy())
                .build();
        // NoopHostnameVerifier never checks that the certificate matches the host name
        SSLConnectionSocketFactory socketFactory =
                new SSLConnectionSocketFactory(sslContext, NoopHostnameVerifier.INSTANCE);
        return HttpClients.custom()
                .setSSLSocketFactory(socketFactory)
                .build();
    }
}

To send a request with a custom Origin header using this client:

import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.util.EntityUtils;

public class OriginHeaderRequest {
    public static void main(String[] args) throws Exception {
        // try-with-resources closes the connection pool and the response stream
        try (CloseableHttpClient client = PermissiveHttpClientFactory.createClient()) {
            HttpGet request = new HttpGet("https://api-gateway.example.com/endpoint");
            // Apache HttpClient sends this header as-is; no JVM property is needed
            request.setHeader("Origin", "https://allowed-origin.example.com");
            request.setHeader("Accept", "application/json");
            try (CloseableHttpResponse response = client.execute(request)) {
                String responseBody = EntityUtils.toString(response.getEntity());
                System.out.println(responseBody);
            }
        }
    }
}

When the standard JVM property does not work, the most reliable method is to use an HTTP client library that does not rely on the java.net.HttpURLConnection implementation, such as Apache HttpClient, OkHttp, or Spring's reactive WebClient. These libraries manage their own connection logic and do not apply HttpURLConnection's restricted-header list.
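The same Origin header can be sent without weakening TLS. The following is an added example, not code from the original article, showing a hardened counterpart to PermissiveHttpClientFactory: it validates the gateway against a dedicated trust store (the path and password are hypothetical), keeps the default hostname verifier, and registers an interceptor that prints the outgoing headers so you can confirm Origin really went on the wire.

```java
import java.io.File;
import javax.net.ssl.SSLContext;
import org.apache.http.Header;
import org.apache.http.HttpRequestInterceptor;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.ssl.SSLContexts;
import org.apache.http.util.EntityUtils;

public class HardenedHttpClientFactory {
    // Hypothetical PKCS12 trust store containing only the gateway's issuing CA.
    private static final File TRUST_STORE = new File("/etc/myapp/gateway-truststore.p12");
    private static final char[] TRUST_STORE_PASSWORD = "changeit".toCharArray();

    public static CloseableHttpClient createClient() throws Exception {
        // Trust only the CAs in our own store: no TrustSelfSignedStrategy, so a
        // certificate an attacker generated is rejected.
        SSLContext sslContext = SSLContexts.custom()
                .loadTrustMaterial(TRUST_STORE, TRUST_STORE_PASSWORD)
                .build();
        // Keep the default hostname verifier instead of NoopHostnameVerifier.
        SSLConnectionSocketFactory socketFactory = new SSLConnectionSocketFactory(
                sslContext, SSLConnectionSocketFactory.getDefaultHostnameVerifier());
        // Runs after the client has added its own headers, so it prints exactly
        // what goes on the wire: the check that Origin was not silently dropped.
        HttpRequestInterceptor logHeaders = (request, context) -> {
            for (Header h : request.getAllHeaders()) {
                System.out.println("> " + h.getName() + ": " + h.getValue());
            }
        };
        return HttpClients.custom()
                .setSSLSocketFactory(socketFactory)
                .addInterceptorLast(logHeaders)
                .build();
    }

    public static String get(String url, String origin) throws Exception {
        try (CloseableHttpClient client = createClient()) {
            HttpGet request = new HttpGet(url);
            request.setHeader("Origin", origin); // HttpClient has no restricted-header list
            request.setHeader("Accept", "application/json");
            try (CloseableHttpResponse response = client.execute(request)) {
                return EntityUtils.toString(response.getEntity());
            }
        }
    }
}
```

If the gateway uses a certificate from a public CA, `SSLContexts.createDefault()` can replace the custom trust store while keeping everything else the same.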
