cross protocol redirects (was: Re: Http client API)

Chris Hegarty chris.hegarty at oracle.com
Wed Aug 8 13:35:12 PDT 2012


Great suggestion, Anthony.

This is something that comes up from time to time. With the clear
distinction between the java.net.HttpURLConnection and
javax.net.ssl.HttpsURLConnection APIs, it was a little difficult to
do in the existing API, but there is a clear opportunity with the new
API to avoid this issue in the future.

Kurchi just informed me (off-list) that the current prototype
implementation in the java.net project [1] supports cross protocol
redirects. Though, this may be by accident! We need to do some further
investigating to determine if the security concerns related to 4620571
are still valid. If so, and we cannot continue with automatic cross
protocol redirects, then an explicit API (like you suggested) should
be added.

Thanks,
-Chris.

[1] http://java.net/projects/http-client/

On 08/08/12 19:23, Anthony Vanelverdinghe wrote:
> Hi
>
> With the current API (java.net.HttpURLConnection) it's not possible to
> follow redirects from one protocol to another (http to https & vice versa).
> This is a known problem (
> http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=4620571 ), but out of
> security concerns this feature was not added.
>
> Will you please reconsider this feature for the new API and possibly:
> add extra methods:
> HttpRequest#setFollowRedirectsAcrossProtocols(boolean follows) &
> HttpRequest#followRedirectsAcrossProtocols() which would be false by
> default
> or add a system property (like the ones at
> http://docs.oracle.com/javase/7/docs/technotes/guides/net/properties.html )
> ?
>
> I am not a security expert, but for example Firefox happily follows such
> redirects, even in a single request like: http (request) -> https ->
> http (response)
> The current behavior is also what caused a recent issue with the JavaFX
> installer ( http://javafx-jira.kenai.com/browse/RT-21275 ). The solution
> to this JavaFX issue says the fix "enhanced code to follow https
> redirects." So JavaFX seems to already implement this feature.
>
> Thanks for your feedback
>
>    Anthony Vanelverdinghe
>
>
> Op 8/08/2012 1:09, Michael McMahon schreef:
>> Hi,
>>
>> A new revision of the Http client API planned for jdk 8 can be viewed
>> at the following link
>>
>> http://cr.openjdk.java.net/~michaelm/httpclient/v0.3/
>>
>> We would like to review the api on this mailing list.
>> So, all comments are welcome.
>>
>> Thanks
>> Michael McMahon.
>>
>>
>
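As an added example (not code from this thread, from the java.net prototype, or from any JDK release), the Java class below shows one way to get the behaviour Anthony asks for on top of java.net.HttpURLConnection while keeping the concern behind 4620571 in view: automatic following is switched off, every hop is checked explicitly, an https to http downgrade is refused unless the caller opts in, and credential headers are never replayed to another host or over clear-text http. The class, method and host names (CrossProtocolRedirects, decide, example.test) and the sample request are all illustrative assumptions.

```java
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URI;
import java.util.Arrays;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.Locale;
import java.util.Map;
import java.util.Set;

// Illustrative example; not part of the thread, the prototype, or the JDK.
public final class CrossProtocolRedirects {

    /** Outcome of the policy check for one redirect hop. */
    enum Decision { FOLLOW, FOLLOW_WITHOUT_CREDENTIALS, REFUSE }

    /** Headers that must never be replayed to another host or over clear-text http. */
    private static final Set<String> CREDENTIAL_HEADERS = new HashSet<>(
            Arrays.asList("authorization", "proxy-authorization", "cookie"));

    /**
     * http -> https is always acceptable. https -> http is a downgrade: refused
     * unless the caller opted in, and credentials are dropped even then. Any hop
     * that leaves the original host also drops credentials.
     */
    static Decision decide(URI from, URI to, boolean allowDowngrade) {
        String fromScheme = from.getScheme().toLowerCase(Locale.ROOT);
        String toScheme = to.getScheme() == null ? "" : to.getScheme().toLowerCase(Locale.ROOT);
        if (!toScheme.equals("http") && !toScheme.equals("https")) {
            return Decision.REFUSE;                       // e.g. file:, ftp:, jar:
        }
        boolean downgrade = fromScheme.equals("https") && toScheme.equals("http");
        if (downgrade && !allowDowngrade) {
            return Decision.REFUSE;
        }
        boolean sameHost = from.getHost() != null && from.getHost().equalsIgnoreCase(to.getHost());
        return (sameHost && !downgrade) ? Decision.FOLLOW : Decision.FOLLOW_WITHOUT_CREDENTIALS;
    }

    /** A Location header may be relative; resolve it against the URI that was requested. */
    static URI resolveLocation(URI from, String location) {
        return from.resolve(location.trim());
    }

    /** Headers for the next hop, with credentials removed where the policy requires. */
    static Map<String, String> headersForHop(Decision decision, Map<String, String> headers) {
        if (decision == Decision.FOLLOW) {
            return headers;
        }
        Map<String, String> kept = new LinkedHashMap<>();
        for (Map.Entry<String, String> e : headers.entrySet()) {
            if (!CREDENTIAL_HEADERS.contains(e.getKey().toLowerCase(Locale.ROOT))) {
                kept.put(e.getKey(), e.getValue());
            }
        }
        return kept;
    }

    /** GET with a manual redirect loop: HttpURLConnection will not cross protocols by
     *  itself, so its own following is disabled and every hop goes through decide().
     *  Needs a network, so main() does not call it. */
    static HttpURLConnection fetch(URI start, Map<String, String> headers,
                                   boolean allowDowngrade, int maxHops) throws IOException {
        URI current = start;
        for (int hop = 0; hop <= maxHops; hop++) {
            HttpURLConnection conn = (HttpURLConnection) current.toURL().openConnection();
            conn.setInstanceFollowRedirects(false);
            for (Map.Entry<String, String> e : headers.entrySet()) {
                conn.setRequestProperty(e.getKey(), e.getValue());
            }
            int status = conn.getResponseCode();
            String location = conn.getHeaderField("Location");
            if (status < 300 || status > 399 || location == null) {
                return conn;                              // final response (or 3xx with no target)
            }
            URI next = resolveLocation(current, location);
            Decision decision = decide(current, next, allowDowngrade);
            conn.disconnect();
            if (decision == Decision.REFUSE) {
                throw new IOException("refusing redirect " + current + " -> " + next);
            }
            headers = headersForHop(decision, headers);
            current = next;
        }
        throw new IOException("too many redirects from " + start);
    }

    public static void main(String[] args) {
        // Constructed inputs: the policy is exercised without any network access.
        URI secure = URI.create("https://example.test/login");
        Map<String, String> request = new LinkedHashMap<>();
        request.put("Authorization", "Bearer t0k3n");
        request.put("Accept", "application/json");
        String[] locations = {
            "/account",                          // relative, same origin: FOLLOW, headers kept
            "https://cdn.example.test/x",        // other host: followed, credentials dropped
            "http://example.test/login",         // https -> http downgrade: REFUSE
            "file:///etc/passwd",                // non-HTTP scheme: REFUSE
        };
        for (String loc : locations) {
            URI next = resolveLocation(secure, loc);
            Decision d = decide(secure, next, false);
            String sent = d == Decision.REFUSE ? "nothing" : headersForHop(d, request).keySet().toString();
            System.out.println(next + " -> " + d + ", sends " + sent);
        }
        // Opting in to the downgrade follows the hop but still withholds Authorization.
        Decision optIn = decide(secure, resolveLocation(secure, locations[2]), true);
        System.out.println("opt-in downgrade -> " + optIn + ", sends " + headersForHop(optIn, request).keySet());
    }
}
```

decide() holds the whole policy and is the part worth unit-testing; fetch() only wires it to HttpURLConnection. For comparison, the java.net.http.HttpClient that later shipped in JDK 11 exposes the same distinction as HttpClient.Redirect.NORMAL (follow, except from https to http) versus ALWAYS, rather than a boolean on the request.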
