Http client API
Anthony Vanelverdinghe
anthony.vanelverdinghe at gmail.com
Wed Aug 8 11:23:31 PDT 2012
Hi
With the current API (java.net.HttpURLConnection) it 's not possible to
follow redirects from one protocol to another (http to https & vice versa).
This is a known problem (
http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=4620571 ), but out of
security concerns this feature was not added.
Will you please reconsider this feature for the new API and possibly:
add extra methods:
HttpRequest#setFollowRedirectsAccrossProtocols(boolean follows) &
HttpRequest#followRedirectsAcrossProtocols() which would be false by default
or add a system property (like the ones at
http://docs.oracle.com/javase/7/docs/technotes/guides/net/properties.html )
?
I am not a security expert, but for example Firefox happily follows such
redirects, even in a single request like: http (request) -> https ->
http (response)
The current behavior is also what caused a recent issue with the JavaFX
installer ( http://javafx-jira.kenai.com/browse/RT-21275 ). The solution
to this JavaFX issue says the fix "enhanced code to follow https
redirects." So JavaFX seems to already implement this feature.
Thanks for your feedback
Anthony Vanelverdinghe
Op 8/08/2012 1:09, Michael McMahon schreef:
> Hi,
>
> A new revision of the Http client API planned for jdk 8 can be viewed
> at the following link
>
> http://cr.openjdk.java.net/~michaelm/httpclient/v0.3/
>
> We would like to review the api on this mailing list.
> So, all comments are welcome.
>
> Thanks
> Michael McMahon.
>
>
More information about the net-dev
mailing list