1 Reply Latest reply on Jul 26, 2019 1:12 PM by Kyle Harris-Oracle

    Difference in HTTPURLRequest between JRE 1.7.0_80 and 1.8.0

    Kyle Harris-Oracle

      I have production code using HttpURLConnection running on JRE 1.7.0, various builds, hundreds of customers.

       

      A customer logs an issue with JRE 1.7.0_201 stating the server is denying the request with "HTTP/1.1 401 Authorization Required".

       

      After some digging, I am able to replicate the issue on JRE 1.7.0_201 and 1.7.0_231 (latest (?)), but not on the base release of JRE 1.8.0. It seems there was some change in later builds of 1.7, which was then reversed or fixed in 1.8.

       

      Seems like a bug due to the above circumstances. Looking for some direction here.

       

      -Kyle

        • 1. Re: Difference in HTTPURLRequest between JRE 1.7.0_80 and 1.8.0
          Kyle Harris-Oracle

          In case anyone else trips on this. It turned out to be a new way of handling connections for security purposes. Redirects are no longer forwarded credentials; the HTTP response during a redirect must be continually handled and then the HttpURLConnection object manipulated to access the new URL.

           

          Essentially:

           

          Try URL

          -- Get 302 (redirect response code)

          -- Get the new location (HttpURLConnection.getHeaderField("Location"))

          -- Attach the credentials with setRequestProperty("Authorization", "Basic " + encodedPass)

          -- Try the new URL

          -- Repeat until connected

           

          From the Java team:

          "Better HTTP Redirection Support: In this release, the behavior of methods which application code uses to set request properties in java.net.HttpURLConnection has changed. When a redirect occurs automatically from the original destination server to a resource on a different server, then all such properties are cleared for the redirect and any subsequent redirects.

          If these properties are required to be set on the redirected requests, then the redirect responses should be handled by the application by calling HttpURLConnection.setInstanceFollowRedirects(false) for the original request.

          Ref: JDK-8196902 (not public)"
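
The manual redirect loop described in the reply above, written out as an added example (not code from the original post or from Oracle). It re-attaches the Authorization header only when the target host is in a caller-supplied allowlist, so credentials still do not follow a redirect to an arbitrary server. The class name, the `trustedHosts` parameter, the redirect cap and the constructed local test server are assumptions, and the code uses Java 8 or later syntax.

```java
import com.sun.net.httpserver.HttpServer;
import java.net.*;
import java.nio.charset.StandardCharsets;
import java.util.*;

public class AuthRedirectDemo { // hypothetical class name
    static final int MAX_REDIRECTS = 5; // assumed cap, stops redirect loops

    // Follows redirects by hand; sends credentials only to hosts in trustedHosts.
    static HttpURLConnection open(URL url, String userPass, Set<String> trustedHosts) throws Exception {
        String encoded = Base64.getEncoder().encodeToString(userPass.getBytes(StandardCharsets.UTF_8));
        for (int hop = 0; hop <= MAX_REDIRECTS; hop++) {
            HttpURLConnection c = (HttpURLConnection) url.openConnection();
            c.setInstanceFollowRedirects(false); // the application handles 3xx itself
            if (trustedHosts.contains(url.getHost()))
                c.setRequestProperty("Authorization", "Basic " + encoded);
            int code = c.getResponseCode();
            String location = c.getHeaderField("Location");
            if (code / 100 != 3 || location == null) return c; // final response
            c.disconnect();
            URL next = new URL(url, location); // resolves relative Location values
            if ("https".equals(url.getProtocol()) && !"https".equals(next.getProtocol()))
                throw new ProtocolException("refusing HTTPS to HTTP downgrade: " + next);
            url = next;
        }
        throw new ProtocolException("too many redirects");
    }

    public static void main(String[] args) throws Exception {
        // Constructed local server: /start redirects to /final, which wants Authorization.
        HttpServer s = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
        s.createContext("/start", x -> {
            x.getResponseHeaders().add("Location", "/final");
            x.sendResponseHeaders(302, -1);
            x.close();
        });
        s.createContext("/final", x -> {
            boolean ok = x.getRequestHeaders().containsKey("Authorization");
            x.sendResponseHeaders(ok ? 200 : 401, -1);
            x.close();
        });
        s.start();
        URL start = new URL("http://127.0.0.1:" + s.getAddress().getPort() + "/start");
        Set<String> trusted = Collections.singleton("127.0.0.1");
        System.out.println(open(start, "user:pass", trusted).getResponseCode());
        System.out.println(open(start, "user:pass", Collections.<String>emptySet()).getResponseCode());
        s.stop(0);
    }
}
```

The first call runs with the redirect target's host trusted and the second with an empty allowlist, so the two status lines show the difference the header makes on the redirected request.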