On 08/08/12 21:35, Chris Hegarty wrote:
> Great suggestion, Anthony,
>
> This is something that comes up from time to time. With the clear
> distinction between java.net.HttpURLConnection and
> javax.net.ssl.HttpsURLConnection APIs then it was a little difficult
> to do in the existing API, but there is a clear opportunity with the
> new API to avoid this issue in the future.
>
> Kurchi just informed me (off-list) that the current prototype
> implementation in the java.net project [1] supports cross protocol
> redirects. Though, this may be by accident! We need to do some further
> investigating to determine if the security concerns related to 4620571
> are still valid. If so, and we cannot continue with automatic cross
> protocol redirects, then an explicit API (like you suggested) should
> be added.

Chris,

That behavior isn't accidental. It's one reason why SSL configuration is
a "property" of HttpClient rather than defined in a sub-class like
HttpsClient.

I agree the security concern needs to be understood (though I'm not sure
I see a problem right now).

The exact behavior of these classes isn't fully defined yet, in the
context of a security manager.

- Michael.