Spring Code returns hard instance of HttpURLConnection rather than URLConnection

https://github.com/spring-projects/spring-framework/blob/b595dc1dfad9db534ca7b9e8f46bb9926b88ab5a/spring-web/src/main/java/org/springframework/http/client/SimpleClientHttpRequestFactory.java#L187

As documented here : https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/saml2/provider/service/registration/RelyingPartyRegistrations.html the code should be able to handle classpath:, file: and http: but since it just uses a RestTemplate.getForObject, which delegates to SimpleClientHttpRequestFactory, there is nothing that will work except a http request. Im not sure where to place this issue, but the offending code error is here and the URLConnection is there for the taking. The actual instance returned for file is "sun.net.www.protocol.file.FileURLConnection" which extends URLConnection (https://github.com/frohoff/jdk8u-jdk/blob/master/src/share/classes/sun/net/www/protocol/file/FileURLConnection.java)

Comment From: mdeinum

The RelyingPartyRegistrations uses a ResourceLoader and to be more precise a DefaultResourceLoader. There is no reference in either the RelyingPartyRegistrations nor the DefaultResourceLoader to a RestTemplate.

The DefaultResourceLoader is more than capable of loading file:, classpath: or http(s): based resources.

Comment From: rstoyanchev

Indeed this doesn't seem to be Spring Framework related. @jzheaux do you have any suggestions?

Comment From: crazyguyonabike

This was an issue with 5.4.5. Upgrading to 5.5 the code changed to use the Resource Loader

Comment From: mdeinum

The documentation linked is for the 5.5.x version, the 5.4.x doesn't have that documentation. Looks like a case of reading uptodate documentation but using an older version instead.

The support for reading files has been added explicitly in 5.5.x (see https://github.com/spring-projects/spring-security/issues/9028), so apparently it wasn't supported before that.

Comment From: jzheaux

@richardcs I agree with @mdeinum's analysis here. If you still feel like this is an issue, please feel free to use Spring Security's issue tracker , and I'd be happy to take a closer look.