Java HttpURLConnection does not follow a redirect from HTTP to HTTPS

I don't understand why Java's HttpURLConnection does not follow an HTTP redirect from an HTTP URL to an HTTPS URL. I use the following code to fetch the page at https://httpstat.us/:

    import java.net.URL;
    import java.net.HttpURLConnection;
    import java.io.InputStream;

    public class Tester {

        public static void main(String argv[]) throws Exception {
            InputStream is = null;
            try {
                String httpUrl = "http://httpstat.us/301";
                URL resourceUrl = new URL(httpUrl);
                HttpURLConnection conn = (HttpURLConnection) resourceUrl.openConnection();
                conn.setConnectTimeout(15000);
                conn.setReadTimeout(15000);
                conn.connect();
                is = conn.getInputStream();
                // getURL() shows where the connection ended up after any followed redirects
                System.out.println("Original URL: " + httpUrl);
                System.out.println("Connected to: " + conn.getURL());
                System.out.println("HTTP response code received: " + conn.getResponseCode());
                System.out.println("HTTP response message received: " + conn.getResponseMessage());
            } finally {
                if (is != null) is.close();
            }
        }
    }

The output of this program is:

    Original URL: http://httpstat.us/301
    Connected to: http://httpstat.us/301
    HTTP response code received: 301
    HTTP response message received: Moved Permanently

A request to http://httpstat.us/301 returns the following (shortened) response (which seems absolutely right!):

    HTTP/1.1 301 Moved Permanently
    Cache-Control: private
    Content-Length: 21
    Content-Type: text/plain; charset=utf-8
    Location: https://httpstat.us

Unfortunately, Java's HttpURLConnection does not follow the redirect!

Answer:

Redirects are followed only if they use the same protocol. (See the followRedirect() method in the source code.) There is no way to disable this check.

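Even though we know it mirrors HTTP, from the HTTP protocol's point of view HTTPS is just some other, completely different, unknown protocol. It would be unsafe to follow the redirect without the user's approval.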

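For example, suppose the application is set up to perform client authentication automatically. The user expects to be browsing anonymously because he is using HTTP. But if his client follows the redirect to HTTPS without asking, his identity will be revealed to the server.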
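An added example, not part of the original question or answer: one way for an application to make the approval decision itself is to turn automatic redirects off and apply an explicit policy on every hop. The class name RedirectPolicy, the MAX_HOPS cap, and the choice to permit only same-protocol hops and the http to https upgrade are assumptions made for this sketch.

```java
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;

public class RedirectPolicy {
    static final int MAX_HOPS = 5; // assumed cap, stops redirect loops

    // Policy (an assumption of this example): same-protocol http/https hops and
    // the http -> https upgrade are allowed; downgrades and other schemes are not.
    static boolean isAllowed(URL from, URL to) {
        String a = from.getProtocol(), b = to.getProtocol();
        boolean sameWebScheme = a.equalsIgnoreCase(b)
                && (b.equalsIgnoreCase("http") || b.equalsIgnoreCase("https"));
        boolean upgrade = a.equalsIgnoreCase("http") && b.equalsIgnoreCase("https");
        return sameWebScheme || upgrade;
    }

    static boolean isRedirect(int code) {
        return code == 301 || code == 302 || code == 303 || code == 307 || code == 308;
    }

    // GET only. Expects an http/https URL; returns the first non-redirect response.
    static HttpURLConnection open(URL url) throws IOException {
        for (int hop = 0; hop <= MAX_HOPS; hop++) {
            HttpURLConnection conn = (HttpURLConnection) url.openConnection();
            conn.setInstanceFollowRedirects(false); // every hop is decided here
            conn.setConnectTimeout(15000);
            conn.setReadTimeout(15000);
            if (!isRedirect(conn.getResponseCode())) return conn;
            String location = conn.getHeaderField("Location");
            conn.disconnect();
            if (location == null) throw new IOException("Redirect without Location header");
            URL next = new URL(url, location); // also resolves relative Location values
            if (!isAllowed(url, next)) throw new IOException("Refused redirect " + url + " -> " + next);
            url = next;
        }
        throw new IOException("More than " + MAX_HOPS + " redirects");
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample URLs: exercise the policy without network access.
        URL http = new URL("http://example.test/a");
        System.out.println("upgrade allowed:      " + isAllowed(http, new URL("https://example.test/")));
        System.out.println("downgrade allowed:    " + isAllowed(new URL("https://example.test/"), http));
        System.out.println("other scheme allowed: " + isAllowed(http, new URL("ftp://example.test/f")));
        if (args.length == 1) { // optional live check against a URL given on the command line
            HttpURLConnection conn = open(new URL(args[0]));
            System.out.println("Connected to: " + conn.getURL() + " (" + conn.getResponseCode() + ")");
            conn.disconnect();
        }
    }
}
```

Refusing the https to http downgrade keeps a response that was requested over TLS from being silently fetched in cleartext.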
