Changeset 18913 in josm for trunk/src/org

Timestamp:

2023-12-14T16:31:54+01:00 (7 months ago)

Author:

taylor.smock

Message:

See #22596: Some hosts redirect to another host for authentication (patch by hhtznr, modified)

This lets plugins do authentication with hosts that redirect to another host
for authentication.

File:

• trunk/src/org/openstreetmap/josm/tools/HttpClient.java (modified) (4 diffs)

trunk/src/org/openstreetmap/josm/tools/HttpClient.java

@@ -9 +9 @@
 import java.net.CookieHandler;
 import java.net.CookieManager;
+import java.net.CookiePolicy;
 import java.net.HttpURLConnection;
 import java.net.MalformedURLException;
@@ -84 +85 @@
     static {
         try {
-            CookieHandler.setDefault(new CookieManager());
+            CookieHandler.setDefault(new CookieManager(null, CookiePolicy.ACCEPT_ALL));
         } catch (SecurityException e) {
             Logging.log(Logging.LEVEL_ERROR, "Unable to set default cookie handler", e);
@@ -133 +134 @@
      */
     public final Response connect(ProgressMonitor progressMonitor) throws IOException {
+        return connect(progressMonitor, null, null);
+    }
+
+    /**
+     * Opens the HTTP connection.
+     * @param progressMonitor progress monitor
+     * @param authRedirectLocation The location where we will be redirected for authentication
+     * @param authRequestProperty The authorization header to set when being redirected to the auth location
+     * @return HTTP response
+     * @throws IOException if any I/O error occurs
+     * @since 18913
+     */
+    public final Response connect(ProgressMonitor progressMonitor, String authRedirectLocation, String authRequestProperty) throws IOException {
         if (progressMonitor == null) {
             progressMonitor = NullProgressMonitor.INSTANCE;
@@ -184 +198 @@
                     maxRedirects--;
                     logRequest(tr("Download redirected to ''{0}''", redirectLocation));
-                    // Fix JOSM #21935: Avoid leaking `Authorization` header on redirects.
-                    if (!Objects.equals(oldUrl.getHost(), this.url.getHost()) && this.getRequestHeader("Authorization") != null) {
+                    if (authRedirectLocation != null && authRequestProperty != null && redirectLocation.startsWith(authRedirectLocation)) {
+                        setHeader("Authorization", authRequestProperty);
+                    } else if (!Objects.equals(oldUrl.getHost(), this.url.getHost()) && this.getRequestHeader("Authorization") != null) {
+                        // Fix JOSM #21935: Avoid leaking `Authorization` header on redirects.
                         logRequest(tr("Download redirected to different host (''{0}'' -> ''{1}''), removing authorization headers",
                                 oldUrl.getHost(), url.getHost()));