Fix #28038: Reject multiple Authorization headers with 400 Bad Request

[kavix]

This PR fixes wso2/product-is#28038 by rejecting incoming HTTP requests containing more than one Authorization header with a 400 Bad Request response code. This ensures compliance with RFC 9110 §11.6.1 and prevents potential security validation bypasses.

[coderabbitai]

Warning

Review limit reached

@kavix, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 23 minutes and 57 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more credits in the billing tab to continue.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based credits.

🚦 How do rate limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan refill rate.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, the refill rate gradually slows as usage increases. The highest same-day bursts are limited more strictly.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yml

Review profile: CHILL

Plan: Pro

Run ID: 4d94a20f-02f4-4c29-b73b-119b89943952

📥 Commits

Reviewing files that changed from the base of the PR and between c15af38 and 131cc5f.

📒 Files selected for processing (2)

• components/identity-core/org.wso2.carbon.identity.core/src/main/java/org/wso2/carbon/identity/core/context/valve/IdentityContextCreatorValve.java
• components/identity-core/org.wso2.carbon.identity.core/src/test/java/org/wso2/carbon/identity/core/context/valve/IdentityContextCreatorValveTest.java

📝 Walkthrough

Walkthrough

IdentityContextCreatorValve.invoke is extended to enumerate Authorization request headers and, if more than one is present, immediately send a 400 Bad Request response and return, skipping identity context initialization and the rest of the valve chain. A test class validates this rejection behavior with mocked dependencies, and Tomcat test libraries are added to support the test execution.

Changes

Duplicate Authorization Header Rejection

Layer / File(s)	Summary
Valve Authorization header validation components/identity-core/org.wso2.carbon.identity.core/src/main/java/org/wso2/carbon/identity/core/context/valve/IdentityContextCreatorValve.java	Adds Enumeration and HttpServletResponse imports; introduces header-counting logic at the top of invoke() that enumerates all Authorization header values, sends 400 Bad Request and exits early when count exceeds one.
Test coverage and dependencies components/identity-core/org.wso2.carbon.identity.core/src/test/java/org/wso2/carbon/identity/core/context/valve/IdentityContextCreatorValveTest.java, components/identity-core/org.wso2.carbon.identity.core/pom.xml	New IdentityContextCreatorValveTest class sets up mocked valve dependencies with setUp and tearDown lifecycle methods; defines testInvokeWithMultipleAuthorizationHeaders that verifies invoke rejects multiple-header requests via sendError(SC_BAD_REQUEST) and never invokes the downstream valve. Test-scoped Tomcat dependencies (tomcat-coyote and tomcat-util) are added to the pom.

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (2 warnings)

Check name	Status	Explanation	Resolution
Description check	⚠️ Warning	The PR description is minimal and lacks required sections from the template such as Goals, Approach, Release notes, Documentation, Automation tests, and Security checks.	Complete the PR description by filling in the template sections, particularly specifying test coverage, security validation steps, and documentation impact.
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The PR title clearly and concisely summarizes the main change: rejecting multiple Authorization headers with a 400 Bad Request response, directly addressing issue #28038.
Linked Issues check	✅ Passed	The code changes successfully implement the requirement from issue #28038: validating and rejecting requests with multiple Authorization headers by returning HTTP 400, with corresponding unit test coverage.
Out of Scope Changes check	✅ Passed	All changes are directly scoped to the linked issue #28038: the valve modification, unit tests, and Maven dependency additions support the multiple Authorization header validation requirement.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

Warning

Review ran into problems

🔥 Problems

Git: Failed to clone repository. Please run the @coderabbitai full review command to re-trigger a full review. If the issue persists, set path_filters to include or exclude specific files.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In
`@components/identity-core/org.wso2.carbon.identity.core/src/main/java/org/wso2/carbon/identity/core/context/valve/IdentityContextCreatorValve.java`:
- Around line 52-60: The code in IdentityContextCreatorValve detects multiple
Authorization headers and sends a 400 error response via sendError, but this
security-relevant path has no logging. Add a WARN or DEBUG level log message
before the sendError call (which occurs when authHeaderCount > 1) to signal that
multiple Authorization headers were detected. The log message should be generic,
such as "multiple Authorization headers detected", and must not include the
actual header values, exceptions, or stack traces to avoid logging sensitive
information.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yml

Review profile: CHILL

Plan: Pro

Run ID: 7e39fee8-ef4a-4db5-8303-998b65ee3b5b

📥 Commits

Reviewing files that changed from the base of the PR and between 236afb0 and 543c6b6.

📒 Files selected for processing (1)

• components/identity-core/org.wso2.carbon.identity.core/src/main/java/org/wso2/carbon/identity/core/context/valve/IdentityContextCreatorValve.java

[kavix]

Hi @pavinduLakshan,
I've submitted a fix for this issue and would appreciate it if you could review my code when you have a moment.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In
`@components/identity-core/org.wso2.carbon.identity.core/src/main/java/org/wso2/carbon/identity/core/context/valve/IdentityContextCreatorValve.java`:
- Around line 61-64: The early return statement in the multiple Authorization
headers check (when authHeaderCount > 1) bypasses the identity context cleanup
code that should execute on every request path. Move the duplicate header
validation logic inside the try block or restructure the code so that the
identity context cleanup at line 79 (in the finally block) is guaranteed to
execute even when rejecting requests with multiple Authorization headers. This
ensures thread-local identity context is properly cleared regardless of whether
the request is rejected due to duplicate headers or completes normally.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yml

Review profile: CHILL

Plan: Pro

Run ID: 03b9adb5-ac36-48ec-b3eb-2eae59b3a8e9

📥 Commits

Reviewing files that changed from the base of the PR and between d387af4 and c15af38.

📒 Files selected for processing (1)

• components/identity-core/org.wso2.carbon.identity.core/src/main/java/org/wso2/carbon/identity/core/context/valve/IdentityContextCreatorValve.java

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud