HTTPURLConnection不跟随从HTTP重定向到HTTPS [英] HTTPURLConnection Doesn't Follow Redirect from HTTP to HTTPS

问题描述

我不明白为什么Java的HttpURLConnection不遵循从HTTP到HTTPS URL的HTTP重定向.我使用以下代码在 https://httpstat.us/处获取页面:

I can't understand why Java's HttpURLConnection does not follow an HTTP redirect from an HTTP to an HTTPS URL. I use the following code to get the page at https://httpstat.us/:

import java.net.URL;
import java.net.HttpURLConnection;
import java.io.InputStream;

public class Tester {

    public static void main(String argv[]) throws Exception{
        InputStream is = null;

        try {
            String httpUrl = "http://httpstat.us/301";
            URL resourceUrl = new URL(httpUrl);
            HttpURLConnection conn = (HttpURLConnection)resourceUrl.openConnection();
            conn.setConnectTimeout(15000);
            conn.setReadTimeout(15000);
            conn.connect();
            is = conn.getInputStream();
            System.out.println("Original URL: "+httpUrl);
            System.out.println("Connected to: "+conn.getURL());
            System.out.println("HTTP response code received: "+conn.getResponseCode());
            System.out.println("HTTP response message received: "+conn.getResponseMessage());
       } finally {
            if (is != null) is.close();
        }
    }
}

该程序的输出为:

Original URL: http://httpstat.us/301
Connected to: http://httpstat.us/301
HTTP response code received: 301
HTTP response message received: Moved Permanently

对 http://httpstat.us/301 的请求返回以下(缩短的)响应(似乎绝对正确！):

A request to http://httpstat.us/301 returns the following (shortened) response (which seems absolutely right!):

HTTP/1.1 301 Moved Permanently
Cache-Control: private
Content-Length: 21
Content-Type: text/plain; charset=utf-8
Location: https://httpstat.us

不幸的是，Java的HttpURLConnection没有遵循重定向！

Unfortunately, Java's HttpURLConnection does not follow the redirect!

请注意，如果您将原始URL更改为HTTPS( https://httpstat.us/301 ) ，Java 将按照预期进行重定向！?

Note that if you change the original URL to HTTPS (https://httpstat.us/301), Java will follow the redirect as expected!?

推荐答案

仅当重定向使用相同的协议时，才遵循重定向. (请参见源代码中的followRedirect()方法.)无法禁用此检查.

Redirects are followed only if they use the same protocol. (See the followRedirect() method in the source.) There is no way to disable this check.

即使我们知道它是HTTP的镜像，但从HTTP协议的角度来看，HTTPS还是其他完全不同的未知协议.未经用户批准而进行重定向将是不安全的.

Even though we know it mirrors HTTP, from the HTTP protocol point of view, HTTPS is just some other, completely different, unknown protocol. It would be unsafe to follow the redirect without user approval.

例如，假设将应用程序设置为自动执行客户端身份验证.用户期望使用匿名登录，因为他正在使用HTTP.但是，如果他的客户不经询问就遵循HTTPS，他的身份就会显示给服务器.

For example, suppose the application is set up to perform client authentication automatically. The user expects to be surfing anonymously because he's using HTTP. But if his client follows HTTPS without asking, his identity is revealed to the server.

这篇关于HTTPURLConnection不跟随从HTTP重定向到HTTPS的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！