Fix HTTPCLIENT-2354 by updating ResponseCachingPolicy to allow caching of responses with "must-revalidate, max-age=0" in shared caches with Authorization headers. The change aligns with RFC 9111 Section 5.2.2.2, ensuring responses with "must-revalidate," "s-maxage," or "public" directives are cacheable. This addresses cases where responses with Authorization headers were unnecessarily excluded from caching. (#609)

arturobernalg · arturobernalg · commit d048550b2508 · 2025-01-09T19:22:07.000+01:00
(cherry picked from commit 8b1ee82)
diff --git a/httpclient5-cache/src/main/java/org/apache/hc/client5/http/impl/cache/ResponseCachingPolicy.java b/httpclient5-cache/src/main/java/org/apache/hc/client5/http/impl/cache/ResponseCachingPolicy.java
@@ -145,7 +145,7 @@ public boolean isResponseCacheable(final ResponseCacheControl cacheControl, fina
         if (sharedCache) {
             if (request.containsHeader(HttpHeaders.AUTHORIZATION) &&
                     cacheControl.getSharedMaxAge() == -1 &&
-                    !cacheControl.isPublic()) {
+                    !(cacheControl.isPublic() || cacheControl.isMustRevalidate())) {
                 LOG.debug("Request contains private credentials");
                 return false;
             }
diff --git a/httpclient5-cache/src/test/java/org/apache/hc/client5/http/impl/cache/TestResponseCachingPolicy.java b/httpclient5-cache/src/test/java/org/apache/hc/client5/http/impl/cache/TestResponseCachingPolicy.java
@@ -944,4 +944,60 @@ void testImmutableAndFreshResponseIsCacheable() {
 
         Assertions.assertTrue(policy.isResponseCacheable(responseCacheControl, request, response));
     }
+
+    @Test
+    void testPublicWithAuthorizationIsCacheable() {
+        request = new BasicHttpRequest("GET", "/resource");
+        request.setHeader(HttpHeaders.AUTHORIZATION, "Basic dXNlcjpwYXNzd2Q=");
+        response.setHeader("Cache-Control", "public");
+        responseCacheControl = ResponseCacheControl.builder()
+                .setCachePublic(true)
+                .build();
+
+        final boolean isCacheable = policy.isResponseCacheable(responseCacheControl, request, response);
+        Assertions.assertTrue(isCacheable,
+                "Response with public directive and Authorization header should be cacheable in shared cache.");
+    }
+
+    @Test
+    void testSMaxageWithAuthorizationIsCacheable() {
+        request = new BasicHttpRequest("GET", "/resource");
+        request.setHeader(HttpHeaders.AUTHORIZATION, "Basic dXNlcjpwYXNzd2Q=");
+        response.setHeader("Cache-Control", "s-maxage=60");
+        responseCacheControl = ResponseCacheControl.builder()
+                .setSharedMaxAge(60)
+                .build();
+
+        final boolean isCacheable = policy.isResponseCacheable(responseCacheControl, request, response);
+        Assertions.assertTrue(isCacheable,
+                "Response with s-maxage and Authorization header should be cacheable in shared cache.");
+    }
+
+    @Test
+    void testNoDirectivesWithAuthorizationNotCacheable() {
+        request = new BasicHttpRequest("GET", "/resource");
+        request.setHeader(HttpHeaders.AUTHORIZATION, "Basic dXNlcjpwYXNzd2Q=");
+        response.setHeader("Cache-Control", "");
+        responseCacheControl = ResponseCacheControl.builder()
+                .build();
+
+        final boolean isCacheable = policy.isResponseCacheable(responseCacheControl, request, response);
+        Assertions.assertFalse(isCacheable,
+                "Response without must-revalidate, public, or s-maxage should not be cacheable with Authorization header.");
+    }
+
+    @Test
+    void testMustRevalidateWithAuthorizationIsCacheable() {
+        request = new BasicHttpRequest("GET", "/resource");
+        request.setHeader(HttpHeaders.AUTHORIZATION, "Basic dXNlcjpwYXNzd2Q=");
+        response.setHeader("Cache-Control", "must-revalidate");
+        responseCacheControl = ResponseCacheControl.builder()
+                .setMustRevalidate(true)
+                .build();
+
+        final boolean isCacheable = policy.isResponseCacheable(responseCacheControl, request, response);
+        Assertions.assertTrue(isCacheable,
+                "Response with must-revalidate and Authorization header should be cacheable in shared cache.");
+    }
+
 }

Original file line number	Diff line number	Diff line change
`@@ -145,7 +145,7 @@ public boolean isResponseCacheable(final ResponseCacheControl cacheControl, fina`
`145`	`145`	`if (sharedCache) {`
`146`	`146`	`if (request.containsHeader(HttpHeaders.AUTHORIZATION) &&`
`147`	`147`	`cacheControl.getSharedMaxAge() == -1 &&`
`148`		`- !cacheControl.isPublic()) {`
	`148`	`+ !(cacheControl.isPublic() \|\| cacheControl.isMustRevalidate())) {`
`149`	`149`	`LOG.debug("Request contains private credentials");`
`150`	`150`	`return false;`
`151`	`151`	`}`