HTTPURLConnection 不遵循从 HTTP 到 HTTPS 的重定向
我不明白为什么 Java 的 HttpURLConnection 不遵循从 HTTP 到 HTTPS URL 的 HTTP 重定向。我使用以下代码获取 https://httpstat.us/ 处的页面:
import java.net.URL;
import java.net.HttpURLConnection;
import java.io.InputStream;
public class Tester {
public static void main(String argv[]) throws Exception{
InputStream is = null;
try {
String httpUrl = "http://httpstat.us/301";
URL resourceUrl = new URL(httpUrl);
HttpURLConnection conn = (HttpURLConnection)resourceUrl.openConnection();
conn.setConnectTimeout(15000);
conn.setReadTimeout(15000);
conn.connect();
is = conn.getInputStream();
System.out.println("Original URL: "+httpUrl);
System.out.println("Connected to: "+conn.getURL());
System.out.println("HTTP response code received: "+conn.getResponseCode());
System.out.println("HTTP response message received: "+conn.getResponseMessage());
} finally {
if (is != null) is.close();
}
}
}
该程序的输出是:
Original URL: http://httpstat.us/301 Connected to: http://httpstat.us/301 HTTP response code received: 301 HTTP response message received: Moved Permanently
对 http://httpstat.us/301 的请求返回以下(缩短的)响应(这看起来绝对正确! ):
HTTP/1.1 301 Moved Permanently
Cache-Control: private
Content-Length: 21
Content-Type: text/plain; charset=utf-8
Location: https://httpstat.us
不幸的是,Java 的 HttpURLConnection 不遵循重定向!
请注意,如果将原始 URL 更改为 HTTPS (https://httpstat.us/301),Java 将按预期遵循重定向!?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(5)
仅当它们使用相同的协议时才会遵循重定向。 (参见源代码中的
followRedirect()方法。)无法禁用此检查。尽管我们知道它镜像 HTTP,但从 HTTP 协议的角度来看,HTTPS 只是其他一些完全不同的未知协议。在未经用户批准的情况下遵循重定向是不安全的。
例如,假设应用程序设置为自动执行客户端身份验证。用户希望匿名冲浪,因为他使用的是 HTTP。但是,如果他的客户端在没有询问的情况下遵循 HTTPS,他的身份就会暴露给服务器。
Redirects are followed only if they use the same protocol. (See the
followRedirect()method in the source.) There is no way to disable this check.Even though we know it mirrors HTTP, from the HTTP protocol point of view, HTTPS is just some other, completely different, unknown protocol. It would be unsafe to follow the redirect without user approval.
For example, suppose the application is set up to perform client authentication automatically. The user expects to be surfing anonymously because he's using HTTP. But if his client follows HTTPS without asking, his identity is revealed to the server.
HttpURLConnection 通过 设计不会自动从 HTTP 重定向到 HTTPS(反之亦然)。遵循重定向可能会产生严重的安全后果。 SSL(因此是 HTTPS)创建用户独有的会话。该会话可以重复用于多个请求。因此,服务器可以跟踪单个人发出的所有请求。这是一种弱身份形式,可以被利用。此外,SSL 握手可以请求客户端的证书。如果发送到服务器,则客户端的身份将被提供给服务器。
正如 erickson 指出的那样,假设应用程序设置为自动执行客户端身份验证。用户希望匿名冲浪,因为他使用的是 HTTP。但是,如果他的客户端在没有询问的情况下遵循 HTTPS,他的身份就会暴露给服务器。
程序员必须采取额外的步骤来确保在从 HTTP 重定向到 HTTPS 之前不会发送凭据、客户端证书或 SSL 会话 ID。默认是发送这些。如果重定向伤害了用户,请不要遵循重定向。这就是不支持自动重定向的原因。
了解了这一点后,下面是遵循重定向的代码。
HttpURLConnection by design won't automatically redirect from HTTP to HTTPS (or vice versa). Following the redirect may have serious security consequences. SSL (hence HTTPS) creates a session that is unique to the user. This session can be reused for multiple requests. Thus, the server can track all of the requests made from a single person. This is a weak form of identity and is exploitable. Also, the SSL handshake can ask for the client's certificate. If sent to the server, then the client's identity is given to the server.
As erickson points out, suppose the application is set up to perform client authentication automatically. The user expects to be surfing anonymously because he's using HTTP. But if his client follows HTTPS without asking, his identity is revealed to the server.
The programmer has to take extra steps to ensure that credentials, client certificates or SSL session id will not be sent before redirecting from HTTP to HTTPS. The default is to send these. If the redirection hurts the user, do not follow the redirection. This is why automatic redirect is not supported.
With that understood, here's the code which will follow the redirects.
正如上面提到的, setFollowRedirect 和 setInstanceFollowRedirects 仅当重定向协议相同时才会自动工作。即从 http 到 http 和 https 到 https。
setFolloRedirect 位于类级别,并为 url 连接的所有实例设置此项,而 setInstanceFollowRedirects 仅针对给定实例。这样我们就可以针对不同的实例有不同的行为。
我在这里找到了一个非常好的例子 http://www.mkyong.com /java/java-httpurlconnection-follow-redirect-example/
As mentioned by some of you above, the setFollowRedirect and setInstanceFollowRedirects only work automatically when the redirected protocol is same . ie from http to http and https to https.
setFolloRedirect is at class level and sets this for all instances of the url connection, whereas setInstanceFollowRedirects is only for a given instance. This way we can have different behavior for different instances.
I found a very good example here http://www.mkyong.com/java/java-httpurlconnection-follow-redirect-example/
另一种选择是使用 Apache HttpComponents Client:
示例代码:
Another option can be to use Apache HttpComponents Client:
Sample code:
HTTPUrlConnection 不负责处理对象的响应。它的性能符合预期,它抓取了所请求的 URL 的内容。由您(该功能的用户)来解释响应。如果没有规范,它无法读取开发者的意图。
HTTPUrlConnection is not responsible for handling the response of the object. It is performance as expected, it grabs the content of the URL requested. It is up to you the user of the functionality to interpret the response. It is not able to read the intentions of the developer without specification.