Skip to content

Make Jetty HTTP client compliance configurable via system property#724

Merged
acetousk merged 1 commit into
moqui:masterfrom
dixitdeepak:BAD_QUOTES_IN_TOKEN_rest_client
Jun 24, 2026
Merged

Make Jetty HTTP client compliance configurable via system property#724
acetousk merged 1 commit into
moqui:masterfrom
dixitdeepak:BAD_QUOTES_IN_TOKEN_rest_client

Conversation

@dixitdeepak

@dixitdeepak dixitdeepak commented Jun 24, 2026

Copy link
Copy Markdown
Contributor

Jetty 12's HttpClient defaults to HttpCompliance.RFC9110, which strictly
rejects response headers containing quoted characters in token positions
(BAD_QUOTES_IN_TOKEN). Some external APIs such as Shopify return Set-Cookie
response headers that violate this rule, causing RestClient to throw a
BaseException and fail the request even though credentials and payload are valid.

Added support for a JVM system property moqui.http.client.compliance that
is read once when SimpleRequestFactory initializes the shared HttpClient.
When set, the specified compliance mode is applied to the HttpClient before
it starts, making the behavior configurable without code changes.

To allow BAD_QUOTES_IN_TOKEN violations (e.g. for Shopify):
-Dmoqui.http.client.compliance=RFC7230

Valid values: RFC9110 (Jetty default), RFC7230, RFC2616, RFC2616_LEGACY,
LEGACY, STRICT

  Jetty 12's HttpClient defaults to HttpCompliance.RFC9110, which strictly
  rejects response headers containing quoted characters in token positions
  (BAD_QUOTES_IN_TOKEN). Some external APIs such as Shopify return Set-Cookie
  response headers that violate this rule, causing RestClient to throw a
  BaseException and fail the request even though credentials and payload are valid.

  Added support for a JVM system property moqui.http.client.compliance that
  is read once when SimpleRequestFactory initializes the shared HttpClient.
  When set, the specified compliance mode is applied to the HttpClient before
  it starts, making the behavior configurable without code changes.

  To allow BAD_QUOTES_IN_TOKEN violations (e.g. for Shopify):
    -Dmoqui.http.client.compliance=RFC7230

  Valid values: RFC9110 (Jetty default), RFC7230, RFC2616, RFC2616_LEGACY,
  LEGACY, STRICT

  Also improved callInternal() error logging to surface the root cause of
  HTTP transport failures directly in the log.
@acetousk acetousk merged commit 9bff0ea into moqui:master Jun 24, 2026
1 check passed
@dixitdeepak dixitdeepak deleted the BAD_QUOTES_IN_TOKEN_rest_client branch June 24, 2026 04:34
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Development

Successfully merging this pull request may close these issues.

2 participants