hc-dev mailing list archives

From "Dariusz Kordonski (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HTTPCLIENT-1716) DefaultRedirectStrategy seems to disregard HTTP spec for PUT/POST/DELETE request redirects
Date Thu, 28 Jan 2016 11:49:39 GMT

    [ https://issues.apache.org/jira/browse/HTTPCLIENT-1716?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15121266#comment-15121266

Dariusz Kordonski commented on HTTPCLIENT-1716:

Hi Oleg,

thanks for pointing that out. I wasn't aware of the new revision of HTTP 1.1; I was basing
my comments on the outdated docs and what I read on the web. I guess in such a case it's definitely
not a bug, although my reading of

Automatic redirection needs to done with care for methods not known to be safe, as defined
in Section 4.2.1, since the user might not wish to redirect an unsafe request.

is that idempotent methods are not necessarily always OK to automatically redirect (as opposed
to safe methods, to which PUT does not belong as per 4.2.1). 

However I don't have much expertise in interpreting specifications and I raised this issue
with the "traditional" interpretation of 3xx restrictions in mind, so feel free to close it
(with the hope that the docs of {{DefaultRedirectStrategy}} will be updated at some point).

Best regards,
Dariusz Kordonski

> DefaultRedirectStrategy seems to disregard HTTP spec for PUT/POST/DELETE request redirects
> ------------------------------------------------------------------------------------------
>                 Key: HTTPCLIENT-1716
>                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1716
>             Project: HttpComponents HttpClient
>          Issue Type: Bug
>          Components: HttpClient
>    Affects Versions: 5.0 Alpha1
>            Reporter: Dariusz Kordonski
> Observed on {{trunk}} branch that has 5.0-alpha2-SNAPSHOT mvn version.
> The docs for {{DefaultRedirectStrategy}} correctly state:
> {quote}
> This strategy honors the restrictions on automatic redirection of entity enclosing methods
> such as POST and PUT imposed by the HTTP specification. {@code 302 Moved Temporarily}, {@code
> 301 Moved Permanently} and {@code 307 Temporary Redirect} status codes will result in an
> automatic redirect of HEAD and GET methods only. POST and PUT methods will not be automatically
> redirected as requiring user confirmation.
> {quote}
> (NB: in fact to be more precise I think DELETE requests should also be *not* automatically
> However the actual implementation does not seem to follow this, whereby {{isRedirected}}
> pretty much lets all requests through:
> {code}
> switch (statusCode) {
>             case HttpStatus.SC_MOVED_PERMANENTLY:
>             case HttpStatus.SC_MOVED_TEMPORARILY:
>             case HttpStatus.SC_SEE_OTHER:
>             case HttpStatus.SC_TEMPORARY_REDIRECT:
>                 return true;
>             default:
>                 return false;
>         }
> {code}
> A simple failing test case that confirms the problem for a PUT request resulting with
> 302 (PUT should only be redirected automatically for 303):
> {code}
>     @Test
>     public void testIsRedirectedForTemporaryRedirectPut() throws Exception {
>         final DefaultRedirectStrategy redirectStrategy = new DefaultRedirectStrategy();
>         final HttpResponse response = new BasicHttpResponse(HttpVersion.HTTP_1_1,
>                 HttpStatus.SC_TEMPORARY_REDIRECT, "Temporary Redirect");
>         response.addHeader("Location", "http://localhost/stuff");
>         final HttpContext context = new BasicHttpContext();
>         assertFalse(redirectStrategy.isRedirected(new HttpPut("http://localhost/"), response,
>                 context));
>     }
> {code}
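
An added example, not HttpClient code and not part of the original message, of the conservative reading discussed above: 301/302/307 are followed automatically only for methods that RFC 7231 section 4.2.1 defines as safe, while 303 is followed as a retrieval. The class, enum and method names are hypothetical, and the sample inputs are constructed.

```java
import java.util.Set;

// Hypothetical stand-alone policy for illustration; none of these names are HttpClient API.
public final class ConservativeRedirectPolicy {

    public enum Decision { FOLLOW_SAME_METHOD, FOLLOW_AS_GET, NEEDS_CONFIRMATION, NOT_A_REDIRECT }

    // Safe methods per RFC 7231 section 4.2.1. PUT and DELETE are idempotent, not safe.
    private static final Set<String> SAFE_METHODS = Set.of("GET", "HEAD", "OPTIONS", "TRACE");

    public static Decision decide(final String method, final int status, final String location) {
        if (location == null || location.isEmpty()) {
            return Decision.NOT_A_REDIRECT; // no Location header, nothing to follow
        }
        switch (status) {
            case 303: // See Other: the follow-up is a retrieval, so no body is resent
                return "HEAD".equals(method) ? Decision.FOLLOW_SAME_METHOD : Decision.FOLLOW_AS_GET;
            case 301:
            case 302:
            case 307:
                // An unsafe request is never replayed to a new location without confirmation
                return SAFE_METHODS.contains(method)
                        ? Decision.FOLLOW_SAME_METHOD
                        : Decision.NEEDS_CONFIRMATION;
            default:
                return Decision.NOT_A_REDIRECT;
        }
    }

    public static void main(final String[] args) {
        // Constructed sample inputs: {method, status code}
        final String[][] samples = {
            {"GET", "302"}, {"HEAD", "303"}, {"PUT", "302"}, {"PUT", "307"},
            {"POST", "303"}, {"DELETE", "301"}, {"GET", "200"},
        };
        for (final String[] s : samples) {
            final Decision d = decide(s[0], Integer.parseInt(s[1]), "http://localhost/stuff");
            System.out.printf("%-6s %s -> %s%n", s[0], s[1], d);
        }
    }
}
```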
