Unify HTTP client redirect behavior and provide configuration option

Update `ClientHttpRequestFactoryBuilder` implementations to ensure
that all libraries have consistent redirect follow behavior. Following
of redirects is enabled by default.

The `ClientHttpRequestFactorySettings` may be used to change if
redirects should be followed. The `spring.http.client.redirects`
property may also be used to update the default behavior.

Closes gh-42879

Author: philwebb

spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/http/client/HttpClientAutoConfiguration.java

@@ -58,8 +58,8 @@ ClientHttpRequestFactoryBuilder<?> clientHttpRequestFactoryBuilder(HttpClientPro
 	ClientHttpRequestFactorySettings clientHttpRequestFactorySettings(HttpClientProperties httpClientProperties,
 			ObjectProvider<SslBundles> sslBundles) {
 		SslBundle sslBundle = getSslBundle(httpClientProperties.getSsl(), sslBundles);
-		return new ClientHttpRequestFactorySettings(httpClientProperties.getConnectTimeout(),
-				httpClientProperties.getReadTimeout(), sslBundle);
+		return new ClientHttpRequestFactorySettings(httpClientProperties.getRedirects(),
+				httpClientProperties.getConnectTimeout(), httpClientProperties.getReadTimeout(), sslBundle);
 	}
 
 	private SslBundle getSslBundle(HttpClientProperties.Ssl properties, ObjectProvider<SslBundles> sslBundles) {

spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/http/client/HttpClientProperties.java

@@ -21,6 +21,7 @@
 
 import org.springframework.boot.context.properties.ConfigurationProperties;
 import org.springframework.boot.http.client.ClientHttpRequestFactoryBuilder;
+import org.springframework.boot.http.client.ClientHttpRequestFactorySettings.Redirects;
 
 /**
  * {@link ConfigurationProperties @ConfigurationProperties} for a Spring's blocking HTTP
@@ -37,6 +38,11 @@ public class HttpClientProperties {
 	 */
 	private Factory factory;
 
+	/**
+	 * Handling for HTTP redirects.
+	 */
+	private Redirects redirects = Redirects.FOLLOW_WHEN_POSSIBLE;
+
 	/**
 	 * Default connect timeout for a client HTTP request.
 	 */
@@ -60,6 +66,14 @@ public void setFactory(Factory factory) {
 		this.factory = factory;
 	}
 
+	public Redirects getRedirects() {
+		return this.redirects;
+	}
+
+	public void setRedirects(Redirects redirects) {
+		this.redirects = redirects;
+	}
+
 	public Duration getConnectTimeout() {
 		return this.connectTimeout;
 	}

spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/http/client/HttpClientAutoConfigurationTests.java

@@ -26,6 +26,7 @@
 import org.springframework.boot.autoconfigure.ssl.SslAutoConfiguration;
 import org.springframework.boot.http.client.ClientHttpRequestFactoryBuilder;
 import org.springframework.boot.http.client.ClientHttpRequestFactorySettings;
+import org.springframework.boot.http.client.ClientHttpRequestFactorySettings.Redirects;
 import org.springframework.boot.http.client.SimpleClientHttpRequestFactoryBuilder;
 import org.springframework.boot.test.context.runner.ApplicationContextRunner;
 import org.springframework.boot.test.context.runner.ReactiveWebApplicationContextRunner;
@@ -60,10 +61,11 @@ void configuresDefinedClientHttpRequestFactoryBuilder() {
 	@Test
 	void configuresClientHttpRequestFactorySettings() {
 		this.contextRunner.withPropertyValues(sslPropertyValues().toArray(String[]::new))
-			.withPropertyValues("spring.http.client.connect-timeout=10s", "spring.http.client.read-timeout=20s",
-					"spring.http.client.ssl.bundle=test")
+			.withPropertyValues("spring.http.client.redirects=dont-follow", "spring.http.client.connect-timeout=10s",
+					"spring.http.client.read-timeout=20s", "spring.http.client.ssl.bundle=test")
 			.run((context) -> {
 				ClientHttpRequestFactorySettings settings = context.getBean(ClientHttpRequestFactorySettings.class);
+				assertThat(settings.redirects()).isEqualTo(Redirects.DONT_FOLLOW);
 				assertThat(settings.connectTimeout()).isEqualTo(Duration.ofSeconds(10));
 				assertThat(settings.readTimeout()).isEqualTo(Duration.ofSeconds(20));
 				assertThat(settings.sslBundle().getKey().getAlias()).isEqualTo("alias1");

spring-boot-project/spring-boot-test/src/main/java/org/springframework/boot/test/web/client/TestRestTemplate.java

@@ -1018,7 +1018,7 @@ protected static class CustomHttpComponentsClientHttpRequestFactory extends Http
 		@SuppressWarnings("removal")
 		public CustomHttpComponentsClientHttpRequestFactory(HttpClientOption[] httpClientOptions,
 				org.springframework.boot.web.client.ClientHttpRequestFactorySettings settings) {
-			this(httpClientOptions, new ClientHttpRequestFactorySettings(settings.connectTimeout(),
+			this(httpClientOptions, new ClientHttpRequestFactorySettings(null, settings.connectTimeout(),
 					settings.readTimeout(), settings.sslBundle()));
 		}
 

spring-boot-project/spring-boot/src/main/java/org/springframework/boot/http/client/ClientHttpRequestFactorySettings.java

@@ -24,6 +24,8 @@
 /**
  * Settings that can be applied when creating a {@link ClientHttpRequestFactory}.
  *
+ * @param redirects the follow redirect strategy to use or null to redirect whenever the
+ * underlying library allows it
  * @param connectTimeout the connect timeout
  * @param readTimeout the read timeout
  * @param sslBundle the SSL bundle providing SSL configuration
@@ -33,10 +35,15 @@
  * @since 3.4.0
  * @see ClientHttpRequestFactoryBuilder
  */
-public record ClientHttpRequestFactorySettings(Duration connectTimeout, Duration readTimeout, SslBundle sslBundle) {
+public record ClientHttpRequestFactorySettings(Redirects redirects, Duration connectTimeout, Duration readTimeout,
+		SslBundle sslBundle) {
 
 	private static final ClientHttpRequestFactorySettings defaults = new ClientHttpRequestFactorySettings(null, null,
-			null);
+			null, null);
+
+	public ClientHttpRequestFactorySettings {
+		redirects = (redirects != null) ? redirects : Redirects.FOLLOW_WHEN_POSSIBLE;
+	}
 
 	/**
 	 * Return a new {@link ClientHttpRequestFactorySettings} instance with an updated
@@ -45,7 +52,7 @@ public record ClientHttpRequestFactorySettings(Duration connectTimeout, Duration
 	 * @return a new {@link ClientHttpRequestFactorySettings} instance
 	 */
 	public ClientHttpRequestFactorySettings withConnectTimeout(Duration connectTimeout) {
-		return new ClientHttpRequestFactorySettings(connectTimeout, this.readTimeout, this.sslBundle);
+		return new ClientHttpRequestFactorySettings(this.redirects, connectTimeout, this.readTimeout, this.sslBundle);
 	}
 
 	/**
@@ -56,7 +63,7 @@ public ClientHttpRequestFactorySettings withConnectTimeout(Duration connectTimeo
 	 */
 
 	public ClientHttpRequestFactorySettings withReadTimeout(Duration readTimeout) {
-		return new ClientHttpRequestFactorySettings(this.connectTimeout, readTimeout, this.sslBundle);
+		return new ClientHttpRequestFactorySettings(this.redirects, this.connectTimeout, readTimeout, this.sslBundle);
 	}
 
 	/**
@@ -66,7 +73,17 @@ public ClientHttpRequestFactorySettings withReadTimeout(Duration readTimeout) {
 	 * @return a new {@link ClientHttpRequestFactorySettings} instance
 	 */
 	public ClientHttpRequestFactorySettings withSslBundle(SslBundle sslBundle) {
-		return new ClientHttpRequestFactorySettings(this.connectTimeout, this.readTimeout, sslBundle);
+		return new ClientHttpRequestFactorySettings(this.redirects, this.connectTimeout, this.readTimeout, sslBundle);
+	}
+
+	/**
+	 * Return a new {@link ClientHttpRequestFactorySettings} instance with an updated
+	 * redirect setting.
+	 * @param redirects the new redirects setting
+	 * @return a new {@link ClientHttpRequestFactorySettings} instance
+	 */
+	public ClientHttpRequestFactorySettings withRedirects(Redirects redirects) {
+		return new ClientHttpRequestFactorySettings(redirects, this.connectTimeout, this.readTimeout, this.sslBundle);
 	}
 
 	/**
@@ -88,4 +105,26 @@ public static ClientHttpRequestFactorySettings defaults() {
 		return defaults;
 	}
 
+	/**
+	 * Redirect strategies.
+	 */
+	public enum Redirects {
+
+		/**
+		 * Follow redirects (if the underlying library has support).
+		 */
+		FOLLOW_WHEN_POSSIBLE,
+
+		/**
+		 * Follow redirects (fail if the underlying library has not support).
+		 */
+		FOLLOW,
+
+		/**
+		 * Don't follow redirects (fail if the underlying library has not support).
+		 */
+		DONT_FOLLOW
+
+	}
+
 }

spring-boot-project/spring-boot/src/main/java/org/springframework/boot/http/client/HttpComponentsClientHttpRequestFactoryBuilder.java

@@ -16,6 +16,7 @@
 
 package org.springframework.boot.http.client;
 
+import java.net.URI;
 import java.time.Duration;
 import java.util.Collection;
 import java.util.Collections;
@@ -24,14 +25,21 @@
 import java.util.function.Consumer;
 
 import org.apache.hc.client5.http.classic.HttpClient;
+import org.apache.hc.client5.http.impl.DefaultRedirectStrategy;
 import org.apache.hc.client5.http.impl.classic.HttpClientBuilder;
 import org.apache.hc.client5.http.impl.io.PoolingHttpClientConnectionManager;
 import org.apache.hc.client5.http.impl.io.PoolingHttpClientConnectionManagerBuilder;
+import org.apache.hc.client5.http.protocol.RedirectStrategy;
 import org.apache.hc.client5.http.ssl.DefaultClientTlsStrategy;
 import org.apache.hc.client5.http.ssl.DefaultHostnameVerifier;
+import org.apache.hc.core5.http.HttpException;
+import org.apache.hc.core5.http.HttpRequest;
+import org.apache.hc.core5.http.HttpResponse;
 import org.apache.hc.core5.http.io.SocketConfig;
+import org.apache.hc.core5.http.protocol.HttpContext;
 
 import org.springframework.boot.context.properties.PropertyMapper;
+import org.springframework.boot.http.client.ClientHttpRequestFactorySettings.Redirects;
 import org.springframework.boot.ssl.SslBundle;
 import org.springframework.boot.ssl.SslOptions;
 import org.springframework.http.client.HttpComponentsClientHttpRequestFactory;
@@ -72,31 +80,35 @@ public HttpComponentsClientHttpRequestFactoryBuilder withCustomizers(
 	@Override
 	protected HttpComponentsClientHttpRequestFactory createClientHttpRequestFactory(
 			ClientHttpRequestFactorySettings settings) {
-		HttpClient httpClient = createHttpClient(settings.readTimeout(), settings.sslBundle());
+		HttpClient httpClient = createHttpClient(settings);
 		HttpComponentsClientHttpRequestFactory factory = new HttpComponentsClientHttpRequestFactory(httpClient);
 		PropertyMapper map = PropertyMapper.get().alwaysApplyingWhenNonNull();
 		map.from(settings::connectTimeout).asInt(Duration::toMillis).to(factory::setConnectTimeout);
 		return factory;
 	}
 
-	private HttpClient createHttpClient(Duration readTimeout, SslBundle sslBundle) {
+	private HttpClient createHttpClient(ClientHttpRequestFactorySettings settings) {
 		return HttpClientBuilder.create()
 			.useSystemProperties()
-			.setConnectionManager(createConnectionManager(readTimeout, sslBundle))
+			.setRedirectStrategy(asRedirectStrategy(settings.redirects()))
+			.setConnectionManager(createConnectionManager(settings))
 			.build();
 	}
 
-	private PoolingHttpClientConnectionManager createConnectionManager(Duration readTimeout, SslBundle sslBundle) {
-		PoolingHttpClientConnectionManagerBuilder connectionManagerBuilder = PoolingHttpClientConnectionManagerBuilder
-			.create();
-		if (readTimeout != null) {
-			connectionManagerBuilder.setDefaultSocketConfig(createSocketConfig(readTimeout));
-		}
-		if (sslBundle != null) {
-			connectionManagerBuilder.setTlsSocketStrategy(createTlsSocketStrategy(sslBundle));
-		}
-		PoolingHttpClientConnectionManager connectionManager = connectionManagerBuilder.useSystemProperties().build();
-		return connectionManager;
+	private RedirectStrategy asRedirectStrategy(Redirects redirects) {
+		return switch (redirects) {
+			case FOLLOW_WHEN_POSSIBLE -> DefaultRedirectStrategy.INSTANCE;
+			case FOLLOW -> DefaultRedirectStrategy.INSTANCE;
+			case DONT_FOLLOW -> NoFollowRedirectStrategy.INSTANCE;
+		};
+	}
+
+	private PoolingHttpClientConnectionManager createConnectionManager(ClientHttpRequestFactorySettings settings) {
+		PoolingHttpClientConnectionManagerBuilder builder = PoolingHttpClientConnectionManagerBuilder.create();
+		PropertyMapper map = PropertyMapper.get().alwaysApplyingWhenNonNull();
+		map.from(settings::readTimeout).as(this::createSocketConfig).to(builder::setDefaultSocketConfig);
+		map.from(settings::sslBundle).as(this::createTlsSocketStrategy).to(builder::setTlsSocketStrategy);
+		return builder.useSystemProperties().build();
 	}
 
 	private DefaultClientTlsStrategy createTlsSocketStrategy(SslBundle sslBundle) {
@@ -110,6 +122,30 @@ private SocketConfig createSocketConfig(Duration readTimeout) {
 		return SocketConfig.custom().setSoTimeout((int) readTimeout.toMillis(), TimeUnit.MILLISECONDS).build();
 	}
 
+	/**
+	 * {@link RedirectStrategy} that never follows redirects.
+	 */
+	private static final class NoFollowRedirectStrategy implements RedirectStrategy {
+
+		private static final RedirectStrategy INSTANCE = new NoFollowRedirectStrategy();
+
+		private NoFollowRedirectStrategy() {
+		}
+
+		@Override
+		public boolean isRedirected(HttpRequest request, HttpResponse response, HttpContext context)
+				throws HttpException {
+			return false;
+		}
+
+		@Override
+		public URI getLocationURI(HttpRequest request, HttpResponse response, HttpContext context)
+				throws HttpException {
+			return null;
+		}
+
+	}
+
 	static class Classes {
 
 		static final String HTTP_CLIENTS = "org.apache.hc.client5.http.impl.classic.HttpClients";

spring-boot-project/spring-boot/src/main/java/org/springframework/boot/http/client/JdkClientHttpRequestFactoryBuilder.java

@@ -17,12 +17,13 @@
 package org.springframework.boot.http.client;
 
 import java.net.http.HttpClient;
-import java.time.Duration;
+import java.net.http.HttpClient.Redirect;
 import java.util.Collection;
 import java.util.List;
 import java.util.function.Consumer;
 
 import org.springframework.boot.context.properties.PropertyMapper;
+import org.springframework.boot.http.client.ClientHttpRequestFactorySettings.Redirects;
 import org.springframework.boot.ssl.SslBundle;
 import org.springframework.http.client.JdkClientHttpRequestFactory;
 import org.springframework.util.ClassUtils;
@@ -59,24 +60,30 @@ public JdkClientHttpRequestFactoryBuilder withCustomizers(
 
 	@Override
 	protected JdkClientHttpRequestFactory createClientHttpRequestFactory(ClientHttpRequestFactorySettings settings) {
-		HttpClient httpClient = createHttpClient(settings.connectTimeout(), settings.sslBundle());
+		HttpClient httpClient = createHttpClient(settings);
 		JdkClientHttpRequestFactory requestFactory = new JdkClientHttpRequestFactory(httpClient);
 		PropertyMapper map = PropertyMapper.get().alwaysApplyingWhenNonNull();
 		map.from(settings::readTimeout).to(requestFactory::setReadTimeout);
 		return requestFactory;
 	}
 
-	private HttpClient createHttpClient(Duration connectTimeout, SslBundle sslBundle) {
+	private HttpClient createHttpClient(ClientHttpRequestFactorySettings settings) {
 		HttpClient.Builder httpClientBuilder = HttpClient.newBuilder();
-		if (connectTimeout != null) {
-			httpClientBuilder.connectTimeout(connectTimeout);
-		}
-		if (sslBundle != null) {
-			httpClientBuilder.sslContext(sslBundle.createSslContext());
-		}
+		PropertyMapper map = PropertyMapper.get().alwaysApplyingWhenNonNull();
+		map.from(settings::connectTimeout).to(httpClientBuilder::connectTimeout);
+		map.from(settings::sslBundle).as(SslBundle::createSslContext).to(httpClientBuilder::sslContext);
+		map.from(settings::redirects).as(this::asHttpClientRedirect).to(httpClientBuilder::followRedirects);
 		return httpClientBuilder.build();
 	}
 
+	private Redirect asHttpClientRedirect(Redirects redirects) {
+		return switch (redirects) {
+			case FOLLOW_WHEN_POSSIBLE -> Redirect.NORMAL;
+			case FOLLOW -> Redirect.NORMAL;
+			case DONT_FOLLOW -> Redirect.NEVER;
+		};
+	}
+
 	static class Classes {
 
 		static final String HTTP_CLIENT = "java.net.http.HttpClient";