(cxf) 01/01: CXF-8746: Support forcing GET method on 301/302 redirects

Thu, 12 Mar 2026 00:13:46 -0700 

This is an automated email from the ASF dual-hosted git repository.

gnodet pushed a commit to branch fix/force-get-on-redirect
in repository https://gitbox.apache.org/repos/asf/cxf.git

commit 2d77b2726c6385e16b61af2f2fa302d3989713e8
Author: Guillaume Nodet <[email protected]>
AuthorDate: Thu Mar 12 08:13:31 2026 +0100

    CXF-8746: Support forcing GET method on 301/302 redirects
    
    Add http.redirect.force.GET property to HTTPConduit that, when enabled,
    changes the request method from POST to GET on 301/302 redirects per
    RFC 7231 Sections 6.4.2/6.4.3 historical behavior.
    
    Co-Authored-By: Claude Opus 4.6 <[email protected]>
---
 .../main/java/org/apache/cxf/transport/http/HTTPConduit.java  | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git 
a/rt/transports/http/src/main/java/org/apache/cxf/transport/http/HTTPConduit.java
 
b/rt/transports/http/src/main/java/org/apache/cxf/transport/http/HTTPConduit.java
index dcbcc8fbe5..b49db36ef7 100644
--- 
a/rt/transports/http/src/main/java/org/apache/cxf/transport/http/HTTPConduit.java
+++ 
b/rt/transports/http/src/main/java/org/apache/cxf/transport/http/HTTPConduit.java
@@ -205,6 +205,7 @@ public abstract class HTTPConduit
     private static final String AUTO_REDIRECT_ALLOW_REL_URI = 
"http.redirect.relative.uri";
     private static final String AUTO_REDIRECT_ALLOWED_URI = 
"http.redirect.allowed.uri";
     private static final String AUTO_REDIRECT_MAX_SAME_URI_COUNT = 
"http.redirect.max.same.uri.count";
+    private static final String AUTO_REDIRECT_FORCE_GET = 
"http.redirect.force.GET";
 
     private static final String HTTP_POST_METHOD = "POST";
     private static final String HTTP_GET_METHOD = "GET";
@@ -1546,6 +1547,16 @@ public abstract class HTTPConduit
             if (newURL != null) {
                 new Headers(outMessage).removeAuthorizationHeaders();
 
+                // RFC 7231 Sections 6.4.2/6.4.3: For historical reasons, a 
user agent MAY
+                // change the request method from POST to GET for 301/302 
redirects.
+                // This is enabled via the "http.redirect.force.GET" property.
+                int responseCode = getResponseCode();
+                if ((responseCode == HttpURLConnection.HTTP_MOVED_PERM
+                        || responseCode == HttpURLConnection.HTTP_MOVED_TEMP)
+                        && MessageUtils.getContextualBoolean(outMessage, 
AUTO_REDIRECT_FORCE_GET)) {
+                    outMessage.put(Message.HTTP_REQUEST_METHOD, 
HTTP_GET_METHOD);
+                }
+
                 // If user configured this Conduit with preemptive 
authorization
                 // it is meant to make it to the end. (Too bad that information
                 // went to every URL along the way, but that's what the user

Reply via email to