article-17.txt

java语言规范

Redirection between HTTP URL and HTTPS URL is not followed.

Symptoms

When running applet in browser using Sun JVM, if the applet
makes HTTP
requests to a server which redirects to a HTTPS URL, the
redirection
would fail. It fails also in the case of making HTTPS requested
to a
server which redirects to a HTTP URL.

The same applet runs properly in Microsoft VM.


Cause

The issue is caused by the HTTP/HTTPS redirection policy
implemented in
Sun JVM; because of serious security consequences, redirection
between
HTTP and HTTPS is not automatically followed.

HTTP/HTTPS redirection is followed in MSVM, given a security
warning
dialog prompts the users everytime before the redirection is
followed.


Resolution

To workaround the problem, it is the application responsibility
to check
the response code and recognize it as a redirect. The Location
header
field value can be checked for the redirect information, and
then the
application must decide whether or not to follow the redirect
using the
new protocol. For example,

public void makeConnection(URL url)
{
    URLConnection conn = url.openConnection();
    InputStream is = conn.getInputStream();
    ....        
    is.close();
}


The code should be changed to
                
private InputStream openConnectionCheckRedirects(URLConnection
c)
        
                  throws IOException
    
{
        
    boolean redir;
        
    int redirects = 0;
        
    InputStream in = null;

        

    do 
    {
            
        if (c instanceof HttpURLConnection) {
                
            ((HttpURLConnection)
c).setInstanceFollowRedirects(false);
        }
 
            

        // We want to open the input stream before
            
        // getting headers, because getHeaderField()
            
        // et al swallow IOExceptions.
            
        in = c.getInputStream();
            
        redir = false;
 
            
        
        if (c instanceof HttpURLConnection) {
                
            HttpURLConnection http = (HttpURLConnection) c;
                
            int stat = http.getResponseCode();
                
        
            if (stat >= 300 && stat <= 307 && stat != 306 &&
                        
                stat != HttpURLConnection.HTTP_NOT_MODIFIED) {
                    
                URL base = http.getURL();
                    
                
                String loc = http.getHeaderField("Location");
                    
                URL target = null;
                    
                if (loc != null) {
                        
                    target = new URL(base, loc);
                    
                }
                    
                http.disconnect();
         

                // Redirection should be allowed only for HTTP 
                // and HTTPS, and should be limited to 5 
                // redirections at most.
                //           
                if (target == null
                        
                   || !(target.getProtocol().equals("http")
                        ||
target.getProtocol().equals("https"))
                   || redirects >= 5)
                    {
                {

                     throw new SecurityException("illegal URL
redirect");
                                }

                redir = true;
                    
                c = target.openConnection();
                    
                redirects++;
                
            }
            
        }
        
    } while (redir);
        
        
    return in;
    
}
        
public void makeConnection(URL url)
{
    URLConnection conn = url.openConnection();
    InputStream is = openConnectionCheckRedirects(conn);
    ....        
    is.close();
}


Related Information