HTTPURLConnection Doesn't Follow Redirect from HTTP to HTTPS

I can't understand why Java's HttpURLConnection does not follow an HTTP redirect from an HTTP to an HTTPS URL. I use the following code to get the page at https://httpstat.us/:

    import java.net.URL;
    import java.net.HttpURLConnection;
    import java.io.InputStream;

    public class Tester {

        public static void main(String argv[]) throws Exception {
            InputStream is = null;

            try {
                String httpUrl = "http://httpstat.us/301";
                URL resourceUrl = new URL(httpUrl);
                HttpURLConnection conn = (HttpURLConnection) resourceUrl.openConnection();
                conn.setConnectTimeout(15000);
                conn.setReadTimeout(15000);
                conn.connect();
                is = conn.getInputStream();
                System.out.println("Original URL: " + httpUrl);
                System.out.println("Connected to: " + conn.getURL());
                System.out.println("HTTP response code received: " + conn.getResponseCode());
                System.out.println("HTTP response message received: " + conn.getResponseMessage());
            } finally {
                if (is != null) is.close();
            }
        }
    }

The output of this program is:

    Original URL: http://httpstat.us/301
    Connected to: http://httpstat.us/301
    HTTP response code received: 301
    HTTP response message received: Moved Permanently

A request to http://httpstat.us/301 returns the following (shortened) response (which seems absolutely right!):

    HTTP/1.1 301 Moved Permanently
    Cache-Control: private
    Content-Length: 21
    Content-Type: text/plain; charset=utf-8
    Location: https://httpstat.us

Unfortunately, Java's HttpURLConnection does not follow the redirect!

Note that if you change the original URL to HTTPS (https://httpstat.us/301), Java will follow the redirect as expected!?

Shcheklein asked Dec 10 '09 21:12



1 Answer

Redirects are followed only if they use the same protocol. (See the followRedirect() method in the source.) There is no way to disable this check.

Even though we know it mirrors HTTP, from the HTTP protocol point of view, HTTPS is just some other, completely different, unknown protocol. It would be unsafe to follow the redirect without user approval.

For example, suppose the application is set up to perform client authentication automatically. The user expects to be surfing anonymously because he's using HTTP. But if his client follows HTTPS without asking, his identity is revealed to the server.

erickson answered Sep 22 '22 21:09
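An added example, not part of the original question or answer and not JDK code: one way to follow redirects by hand so that the cross-protocol decision the answer describes is made explicitly by the application. The class name `SafeRedirects`, the `MAX_HOPS` limit, the `example.test` URLs and the policy itself (allow the HTTP to HTTPS upgrade, refuse the HTTPS to HTTP downgrade and any non-HTTP scheme) are assumptions of this sketch.

```java
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;

public class SafeRedirects { // hypothetical class name
    static final int MAX_HOPS = 5; // assumed limit, chosen for this example

    // Assumed policy: same-scheme hops and http -> https are allowed;
    // https -> http (a downgrade) and any non-HTTP(S) target are refused.
    static boolean allowed(URL from, URL to) {
        String a = from.getProtocol(), b = to.getProtocol();
        if (!b.equalsIgnoreCase("http") && !b.equalsIgnoreCase("https")) return false;
        return a.equalsIgnoreCase(b) || (a.equalsIgnoreCase("http") && b.equalsIgnoreCase("https"));
    }

    // Follows redirects manually (GET only), applying allowed() at every hop.
    // Each hop is a fresh connection, so nothing set on an earlier one carries over.
    static HttpURLConnection open(URL url) throws IOException {
        for (int hop = 0; hop <= MAX_HOPS; hop++) {
            HttpURLConnection conn = (HttpURLConnection) url.openConnection();
            conn.setInstanceFollowRedirects(false); // the application decides, not the JDK
            conn.setConnectTimeout(15000);
            conn.setReadTimeout(15000);
            int code = conn.getResponseCode();
            boolean redirect = code == 301 || code == 302 || code == 303 || code == 307 || code == 308;
            if (!redirect) return conn;
            String location = conn.getHeaderField("Location");
            conn.disconnect();
            if (location == null) throw new IOException("Redirect without Location header");
            URL next = new URL(url, location); // resolves a relative Location against the current URL
            if (!allowed(url, next)) throw new IOException("Refused redirect " + url + " -> " + next);
            url = next;
        }
        throw new IOException("Too many redirects");
    }

    public static void main(String[] args) throws Exception {
        // Constructed URLs: the policy checks below run without network access.
        URL http = new URL("http://example.test/a");
        URL https = new URL("https://example.test/a");
        System.out.println("http  -> https allowed: " + allowed(http, https));
        System.out.println("https -> http  allowed: " + allowed(https, http));
        System.out.println("http  -> ftp   allowed: " + allowed(http, new URL("ftp://example.test/a")));
        if (args.length > 0) { // optional live fetch, e.g. the URL from the question
            HttpURLConnection c = open(new URL(args[0]));
            System.out.println("Connected to: " + c.getURL() + " (" + c.getResponseCode() + ")");
        }
    }
}
```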