java.net.http.HttpClient Redirect Policy

[Elliot Barlas]

Net-dev, I'm attempting to use java.net.http.HttpClient to make a login form submission and follow a sequence of redirects. To my surprise, the HttpClient redirect internals (jdk.internal.net.http.HttpRequestImpl) seem to carry the original request body into subsequent requests. In my case, that means sending user credentials (gasp!) to the target of a redirect. Additionally, GET requests with bodies are rejected outright by the target system.

Why is HttpClient behaving this way? Browsers certainly doin't do this. Am I missing a config option?

-----

HttpClient client = HttpClient.newBuilder()
        .version(HttpClient.Version.HTTP_1_1)
        .connectTimeout(Duration.ofSeconds(5))
        .cookieHandler(new CookieManager())
        .followRedirects(HttpClient.Redirect.ALWAYS)
        .build();

String url = "...";

Map<String, String> body = Map.of(
        "emailAddress", "...",
        "password", "...");

String encoded = body.entrySet().stream()
        .map(e -> e.getKey() + "=" + UrlEncoded.encodeString(e.getValue(), StandardCharsets.UTF_8))
        .collect(Collectors.joining("&"));

HttpRequest request = HttpRequest.newBuilder()
        .timeout(Duration.ofSeconds(5))
        .uri(URI.create(url))
        .header("User-Agent", "...")
        .header("Content-Type", "application/x-www-form-urlencoded")
        .POST(HttpRequest.BodyPublishers.ofString(encoded))
        .build();

HttpResponse<String> response = client.send(request, HttpResponse.BodyHandlers.ofString());
System.out.println(response.statusCode());
System.out.println(response.headers());
System.out.println(response.body());
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mail.openjdk.java.net/pipermail/net-dev/attachments/20191004/e9aadc51/attachment.html>