我不明白为什么JavaHttpURLConnection
不遵循从 HTTP 到 HTTPS URL 的 HTTP 重定向。我使用以下代码来获取页面https://httpstat.us/ https://httpstat.us/:
import java.net.URL;
import java.net.HttpURLConnection;
import java.io.InputStream;
public class Tester {
public static void main(String argv[]) throws Exception{
InputStream is = null;
try {
String httpUrl = "http://httpstat.us/301";
URL resourceUrl = new URL(httpUrl);
HttpURLConnection conn = (HttpURLConnection)resourceUrl.openConnection();
conn.setConnectTimeout(15000);
conn.setReadTimeout(15000);
conn.connect();
is = conn.getInputStream();
System.out.println("Original URL: "+httpUrl);
System.out.println("Connected to: "+conn.getURL());
System.out.println("HTTP response code received: "+conn.getResponseCode());
System.out.println("HTTP response message received: "+conn.getResponseMessage());
} finally {
if (is != null) is.close();
}
}
}
该程序的输出是:
Original URL: http://httpstat.us/301
Connected to: http://httpstat.us/301
HTTP response code received: 301
HTTP response message received: Moved Permanently
请求http://httpstat.us/301 http://httpstat.us/301返回以下(缩短的)响应(这似乎完全正确!):
HTTP/1.1 301 Moved Permanently
Cache-Control: private
Content-Length: 21
Content-Type: text/plain; charset=utf-8
Location: https://httpstat.us
不幸的是,Java 的HttpURLConnection
不遵循重定向!
请注意,如果将原始 URL 更改为 HTTPS (https://httpstat.us/301 https://httpstat.us/301), Java will按预期遵循重定向!?
仅当它们使用相同的协议时才会遵循重定向。 (看the followRedirect() method https://hg.openjdk.java.net/jdk10/client/file/b1f360639517/src/java.base/share/classes/sun/net/www/protocol/http/HttpURLConnection.java在源代码中。)没有办法禁用此检查。
尽管我们知道它镜像 HTTP,但从 HTTP 协议的角度来看,HTTPS 只是其他一些完全不同的未知协议。在未经用户批准的情况下遵循重定向是不安全的。
例如,假设应用程序设置为自动执行客户端身份验证。用户希望匿名冲浪,因为他使用的是 HTTP。但是,如果他的客户端在没有询问的情况下遵循 HTTPS,他的身份就会暴露给服务器。
本文内容由网友自发贡献,版权归原作者所有,本站不承担相应法律责任。如您发现有涉嫌抄袭侵权的内容,请联系:hwhale#tublm.com(使用前将#替换为@)