Posted to dev@jena.apache.org by "Andy Seaborne (Jira)" <ji...@apache.org> on 2021/12/03 12:16:00 UTC

[jira] [Comment Edited] (JENA-2203) 303 redirect issues cropped up again in 4.3 snapshot

    [ https://issues.apache.org/jira/browse/JENA-2203?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17452965#comment-17452965 ] 

Andy Seaborne edited comment on JENA-2203 at 12/3/21, 12:15 PM:
----------------------------------------------------------------

Hi [~beaudet] -- thanks for this and thanks for testing 4.3.0.

The issue in the purl.org example is that there are two redirects at purl.org for this: first http->https to get https at purl.org, then https->http at otherServer. {{NORMAL}} does not follow the second step because it is "https" to "http" (the difference between {{NORMAL}} and {{ALWAYS}}).

We probably should set {{ALWAYS}} for the 4.3 release as it is compatible (JENA-1263).

I'd like to understand why the JDK HttpClient has made the choice it has for some security concern. Jena could provide managed https->http redirects itself in some kind of whitelist fashion but that isn't ideal for usability reasons.

{{wget -S  http://purl.org/iso25964/skos-thes}} ==> (abbreviated)

{noformat}
--2021-12-03 11:55:33--  http://purl.org/iso25964/skos-thes
Connecting to purl.org (purl.org)|207.241.239.242|:80...
HTTP request sent, awaiting response... 
  HTTP/1.1 301 Moved Permanently
  location: https://purl.org/iso25964/skos-thes
Location: https://purl.org/iso25964/skos-thes [following]

--2021-12-03 11:55:33--  https://purl.org/iso25964/skos-thes
Connecting to purl.org (purl.org)|207.241.239.242|:443... connected.
HTTP request sent, awaiting response... 
  HTTP/1.1 303 SEE OTHER
  location: http://pub.tenforce.com/schemas/iso25964/skos-thes
Location: http://pub.tenforce.com/schemas/iso25964/skos-thes [following]

--2021-12-03 11:55:34--  http://pub.tenforce.com/schemas/iso25964/skos-thes
Connecting to pub.tenforce.com (pub.tenforce.com)|185.105.200.57|:80... connected.
HTTP request sent, awaiting response... 
  HTTP/1.1 200 OK
{noformat}

{{HttpClient.Redirect}} =>

{code:java}
        /**
         * Always redirect, except from HTTPS URLs to HTTP URLs.
         */
        NORMAL
{code}



was (Author: andy.seaborne):
Hi [~beaudet] -- thanks for this and thanks for testing 4.3.0.

The issue in the purl.org example is that there are two redirects at purl.org for this: first http->https to get https://purl.org/ , then https->http://otherServer/. {{NORMAL}} does not follow the second step because it is "https" to "http" (the difference between {{NORMAL}} and {{ALWAYS}}).

We probably should set {{ALWAYS}} for the 4.3 release as it is compatible (JENA-1263).

I'd like to understand why the JDK HttpClient has made the choice it has for some security concern. Jena could provide managed https->http redirects itself in some kind of whitelist fashion but that isn't ideal for usability reasons.

{{wget -S  http://purl.org/iso25964/skos-thes}} ==> (abbreviated)

{noformat}
--2021-12-03 11:55:33--  http://purl.org/iso25964/skos-thes
Connecting to purl.org (purl.org)|207.241.239.242|:80...
HTTP request sent, awaiting response... 
  HTTP/1.1 301 Moved Permanently
  location: https://purl.org/iso25964/skos-thes
Location: https://purl.org/iso25964/skos-thes [following]

--2021-12-03 11:55:33--  https://purl.org/iso25964/skos-thes
Connecting to purl.org (purl.org)|207.241.239.242|:443... connected.
HTTP request sent, awaiting response... 
  HTTP/1.1 303 SEE OTHER
  location: http://pub.tenforce.com/schemas/iso25964/skos-thes
Location: http://pub.tenforce.com/schemas/iso25964/skos-thes [following]

--2021-12-03 11:55:34--  http://pub.tenforce.com/schemas/iso25964/skos-thes
Connecting to pub.tenforce.com (pub.tenforce.com)|185.105.200.57|:80... connected.
HTTP request sent, awaiting response... 
  HTTP/1.1 200 OK
{noformat}

{{HttpClient.Redirect}} =>

{code:java}
        /**
         * Always redirect, except from HTTPS URLs to HTTP URLs.
         */
        NORMAL
{code}


> 303 redirect issues cropped up again in 4.3 snapshot
> ----------------------------------------------------
>
>                 Key: JENA-2203
>                 URL: https://issues.apache.org/jira/browse/JENA-2203
>             Project: Apache Jena
>          Issue Type: Improvement
>    Affects Versions: Jena 4.3.0
>            Reporter: David Beaudet
>            Priority: Major
>
> The same issue noted in #JENA-1263 with 303 redirects not being followed when loading ontologies seems to have cropped up again in version 4.3.0 and requires the following workaround in client code:
>     static {
>         HttpEnv.setDftHttpClient(
>                 HttpClient.newBuilder()
>                     .connectTimeout(Duration.ofSeconds(10))
>                     .followRedirects(Redirect.ALWAYS)
>                     .build()
>         );
>     }
> The default builder sets Redirect.NORMAL which, at least in the latest versions of Java (I'm using OpenJDK 16), doesn't appear to follow 303.
>  
> Can reproduce with the following:
>         OntModel data = ModelFactory.createOntologyModel(OntModelSpec.OWL_DL_MEM_RULE_INF);
>         data.read("http://purl.org/iso25964/skos-thes");



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
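
The comment above mentions managing https->http redirects "in some kind of whitelist fashion". The following is an added example of that idea, not code from Jena, the JDK or this thread: redirects are switched off in the JDK client and followed by hand, and an https->http hop is taken only when the target host is on an allowlist. The class name `ManagedRedirects`, the `DOWNGRADE_OK` set and the `MAX_HOPS` limit are assumptions made for illustration.

```java
import java.io.IOException;
import java.net.URI;
import java.net.http.*;
import java.util.Locale;
import java.util.Set;

public class ManagedRedirects {
    // Assumption: hosts an https->http hop may land on (host taken from the wget trace).
    static final Set<String> DOWNGRADE_OK = Set.of("pub.tenforce.com");
    static final int MAX_HOPS = 5;
    // The JDK client follows nothing itself; every hop goes through mayFollow().
    static final HttpClient CLIENT =
            HttpClient.newBuilder().followRedirects(HttpClient.Redirect.NEVER).build();

    /** Decide whether a single redirect hop may be followed. */
    static boolean mayFollow(URI from, URI to) {
        String fs = from.getScheme(), ts = to.getScheme();
        if (fs == null || ts == null || to.getHost() == null) return false;
        if ("https".equalsIgnoreCase(ts)) return true;   // target is TLS: no downgrade
        if (!"http".equalsIgnoreCase(ts)) return false;  // refuse any other scheme
        if ("http".equalsIgnoreCase(fs)) return true;    // http->http: no TLS to lose
        return DOWNGRADE_OK.contains(to.getHost().toLowerCase(Locale.ROOT)); // https->http
    }

    /** GET with manual redirects; each hop is a fresh request, so no headers carry over. */
    static HttpResponse<String> fetch(URI start) throws IOException, InterruptedException {
        URI current = start;
        for (int hop = 0; hop <= MAX_HOPS; hop++) {
            HttpRequest req = HttpRequest.newBuilder(current).GET().build();
            HttpResponse<String> resp = CLIENT.send(req, HttpResponse.BodyHandlers.ofString());
            int sc = resp.statusCode();
            boolean redirect = sc == 301 || sc == 302 || sc == 303 || sc == 307 || sc == 308;
            var location = resp.headers().firstValue("Location");
            if (!redirect || location.isEmpty()) return resp;
            URI next = current.resolve(location.get());  // Location may be relative
            if (!mayFollow(current, next)) throw new IOException("Refused " + current + " -> " + next);
            current = next;
        }
        throw new IOException("Too many redirects from " + start);
    }
    public static void main(String[] args) {
        // Offline check: the two hops from the wget trace, then a constructed unlisted host.
        String[][] hops = {
            {"http://purl.org/iso25964/skos-thes", "https://purl.org/iso25964/skos-thes"},
            {"https://purl.org/iso25964/skos-thes", "http://pub.tenforce.com/schemas/iso25964/skos-thes"},
            {"https://purl.org/iso25964/skos-thes", "http://unlisted.example/skos-thes"}};
        for (String[] h : hops)
            System.out.println(h[1] + " allowed=" + mayFollow(URI.create(h[0]), URI.create(h[1])));
    }
}
```

`main` only evaluates the policy on the hops from the trace, so it runs without network access; `fetch` is the part that would replace a client built with `Redirect.ALWAYS`.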