Skip to content

java: default to allow redirects + disable configuration#27

Merged
daniel-mohedano merged 1 commit into
mainfrom
daniel.mohedano/redirect-handling
May 21, 2026
Merged

java: default to allow redirects + disable configuration#27
daniel-mohedano merged 1 commit into
mainfrom
daniel.mohedano/redirect-handling

Conversation

@daniel-mohedano

Copy link
Copy Markdown
Contributor

What does this PR do?

  • Changes the default when providing an auth header through DD_SET_AUTH_HEADER_JAVA to follow redirects. This was originally avoided due to security concerns about leaking users authentication header, but curl strips Authorization and Cookie headers on cross-origin redirects by default. wget doesn't strip any of the headers, but is only used as a fallback if curl is not available
  • To ensure users can still be secured against this issue, a new DD_SET_AUTH_HEADER_JAVA_DISABLE_REDIRECTS is provided to allow disabling redirects altogether.

Motivation

Artifactory systems might depend on redirects to resolve the downloads. Disabling them goes against the feature itself.

Additional Notes

Possible Drawbacks / Trade-offs

Describe how to test/QA your changes

@daniel-mohedano
daniel-mohedano requested a review from a team as a code owner May 21, 2026 14:57
@daniel-mohedano
daniel-mohedano merged commit d803243 into main May 21, 2026
4 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants