Why Doesn't Java's HttpURLConnection Follow HTTP to HTTPS Redirects by Default?

Secure Redirection Issues with HTTPURLConnection

In Java, HttpURLConnection encounters difficulties when following HTTP redirects that transition from HTTP to HTTPS URLs. This behavior, observed in certain scenarios, has puzzled developers seeking to understand the underlying cause.

To illustrate the problem, consider the following code snippet:

import java.net.URL;
import java.net.HttpURLConnection;
import java.io.InputStream;

public class Tester {

    public static void main(String argv[]) throws Exception{
        InputStream is = null;

        try {
            String httpUrl = "http://httpstat.us/301";
            URL resourceUrl = new URL(httpUrl);
            HttpURLConnection conn = (HttpURLConnection)resourceUrl.openConnection();
            conn.setConnectTimeout(15000);
            conn.setReadTimeout(15000);
            conn.connect();
            is = conn.getInputStream();
            System.out.println("Original URL: "+httpUrl);
            System.out.println("Connected to: "+conn.getURL());
            System.out.println("HTTP response code received: "+conn.getResponseCode());
            System.out.println("HTTP response message received: "+conn.getResponseMessage());
       } finally {
            if (is != null) is.close();
        }
    }
}

When running this program with the initial URL set to "http://httpstat.us/301," the output reveals that Java's HttpURLConnection does not follow the redirect to "https://httpstat.us."

Understanding the Behavior

The explanation for this behavior lies in the way Java handles redirects. By default, redirects are followed only if they use the same protocol. This restriction is implemented in the followRedirect() method.

It is important to note that HTTPS, while mimicking HTTP, is considered a distinct protocol from HTTP from the protocol perspective. As a result, Java requires user approval to follow a redirect from HTTP to HTTPS. This precaution is necessary to protect against potential security concerns.

For instance, if a client is configured for automatic client authentication while using HTTP for anonymous browsing, following a HTTPS redirect without explicit user consent would reveal the client's identity to the server.

The above is the detailed content of Why Doesn't Java's HttpURLConnection Follow HTTP to HTTPS Redirects by Default?. For more information, please follow other related articles on the PHP Chinese website!