cross protocol redirects ( was:Re: Http client API )
Michael McMahon
michael.x.mcmahon at oracle.com
Tue Aug 14 07:54:25 PDT 2012
On 08/08/12 21:35, Chris Hegarty wrote:
> Great suggestion Anthony,
>
> This is something that comes up from time to time. With the clear
> distinction between java.net.HttpURLConnection and
> javax.net.ssl.HttpsURLConnection APIs then it was a little difficult
> to do in the existing API, but there is a clear opportunity with the
> new API to avoid this issue in the future.
>
> Kurchi just informed me (off-list) that the current prototype
> implementation in the java.net project [1] supports cross protocol
> redirects. Though, this may be by accident! We need to do some further
> investigating to determine if the security concerns related to 4620571
> are still valid. If so, and we cannot continue with automatic cross
> protocol redirects, then an explicit API ( like you suggested ) should
> be added.
>
Chris,
That behavior isn't accidental. It's one reason why SSL configuration is
a "property" of HttpClient rather than defined in a sub-class like
HttpsClient.
I agree the security concern needs to be understood (though I'm not sure
I see a problem right now).
The exact behavior of these classes isn't fully defined yet, in the
context of a security manager.
- Michael.