Posted to dev@jena.apache.org by "Andy Seaborne (Jira)" <ji...@apache.org> on 2021/12/03 12:15:00 UTC
[jira] [Commented] (JENA-2203) 303 redirect issues cropped up again in 4.3 snapshot
[ https://issues.apache.org/jira/browse/JENA-2203?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17452965#comment-17452965 ]
Andy Seaborne commented on JENA-2203:
-------------------------------------
Hi [~beaudet] -- thanks for this and thanks for testing 4.3.0.
The issue in the purl.org example is that there are two redirects at purl.org for this: first http->https to get https://purl.org/ , then https->http://otherServer/. {{NORMAL}} does not follow the second step because it is "https" to "http" (the difference between {{NORMAL}} and {{ALWAYS}}).
We probably should set {{ALWAYS}} for the 4.3 release as it is compatible (JENA-1263).
I'd like to understand why the JDK HttpClient has made the choice it has for some security concern. Jena could provide managed https->http redirects itself in some kind of whitelist fashion but that isn't ideal for usability reasons.
{{wget -S http://purl.org/iso25964/skos-thes}} ==> (abbreviated)
{noformat}
--2021-12-03 11:55:33-- http://purl.org/iso25964/skos-thes
Connecting to purl.org (purl.org)|207.241.239.242|:80...
HTTP request sent, awaiting response...
HTTP/1.1 301 Moved Permanently
location: https://purl.org/iso25964/skos-thes
Location: https://purl.org/iso25964/skos-thes [following]
--2021-12-03 11:55:33-- https://purl.org/iso25964/skos-thes
Connecting to purl.org (purl.org)|207.241.239.242|:443... connected.
HTTP request sent, awaiting response...
HTTP/1.1 303 SEE OTHER
location: http://pub.tenforce.com/schemas/iso25964/skos-thes
Location: http://pub.tenforce.com/schemas/iso25964/skos-thes [following]
--2021-12-03 11:55:34-- http://pub.tenforce.com/schemas/iso25964/skos-thes
Connecting to pub.tenforce.com (pub.tenforce.com)|185.105.200.57|:80... connected.
HTTP request sent, awaiting response...
HTTP/1.1 200 OK
{noformat}
{{HttpClient.Redirect}} =>
{code:java}
/**
* Always redirect, except from HTTPS URLs to HTTP URLs.
*/
NORMAL
{code}
> 303 redirect issues cropped up again in 4.3 snapshot
> ----------------------------------------------------
>
> Key: JENA-2203
> URL: https://issues.apache.org/jira/browse/JENA-2203
> Project: Apache Jena
> Issue Type: Improvement
> Affects Versions: Jena 4.3.0
> Reporter: David Beaudet
> Priority: Major
>
> The same issue noted in #JENA-1263 with 303 redirects not being followed when loading ontologies seems to have cropped up again in version 4.3.0 and requires the following workaround in client code:
> static {
>     HttpEnv.setDftHttpClient(
>         HttpClient.newBuilder()
>             .connectTimeout(Duration.ofSeconds(10))
>             .followRedirects(Redirect.ALWAYS)
>             .build()
>     );
> }
> The default builder sets Redirect.NORMAL which, at least in the latest versions of Java (I'm using OpenJDK 16) doesn't appear to follow 303.
>
> Can reproduce with the following:
> OntModel data = ModelFactory.createOntologyModel(OntModelSpec.OWL_DL_MEM_RULE_INF);
> data.read("http://purl.org/iso25964/skos-thes");
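The comment above mentions handling https->http redirects "in some kind of whitelist fashion". The following is an added sketch of that idea, not Jena's code and not part of the original message: the client is built with `Redirect.NEVER` and each hop is checked before it is followed. The names `ManagedRedirects`, `DOWNGRADE_OK`, `mayFollow` and `fetch` are hypothetical, and the allowlisted host is simply the one from the wget trace.

```java
import java.io.IOException;
import java.net.URI;
import java.net.http.*;
import java.util.List;
import java.util.Set;

public class ManagedRedirects {
    // Assumption: hosts this application accepts as the target of an https -> http hop.
    static final Set<String> DOWNGRADE_OK = Set.of("pub.tenforce.com");
    static final int MAX_HOPS = 5;

    // Redirect.NORMAL's rule (no https -> http), plus an allowlist exception.
    static boolean mayFollow(URI from, URI to) {
        String host = to.getHost(), scheme = to.getScheme();
        if (host == null || scheme == null) return false;
        if (scheme.equalsIgnoreCase("https")) return true;
        if (!scheme.equalsIgnoreCase("http")) return false;   // only http(s) targets
        boolean downgrade = "https".equalsIgnoreCase(from.getScheme());
        return !downgrade || DOWNGRADE_OK.contains(host.toLowerCase(java.util.Locale.ROOT));
    }

    // Follows redirects by hand so that every hop passes through mayFollow().
    static HttpResponse<String> fetch(URI uri) throws IOException, InterruptedException {
        HttpClient client = HttpClient.newBuilder()
                .followRedirects(HttpClient.Redirect.NEVER).build();
        for (int hop = 0; hop <= MAX_HOPS; hop++) {
            HttpResponse<String> resp = client.send(HttpRequest.newBuilder(uri).build(),
                    HttpResponse.BodyHandlers.ofString());
            int sc = resp.statusCode();
            String loc = resp.headers().firstValue("Location").orElse(null);
            boolean redirect = sc == 301 || sc == 302 || sc == 303 || sc == 307 || sc == 308;
            if (!redirect || loc == null) return resp;
            URI next = uri.resolve(loc);
            if (!mayFollow(uri, next))
                throw new IOException("Refused redirect " + uri + " -> " + next);
            uri = next;
        }
        throw new IOException("More than " + MAX_HOPS + " redirects");
    }

    public static void main(String[] args) {
        // The chain from the wget trace above, replayed offline against the policy.
        List<URI> chain = List.of(URI.create("http://purl.org/iso25964/skos-thes"),
                URI.create("https://purl.org/iso25964/skos-thes"),
                URI.create("http://pub.tenforce.com/schemas/iso25964/skos-thes"));
        for (int i = 0; i + 1 < chain.size(); i++)
            System.out.println(chain.get(i) + " -> " + chain.get(i + 1) + " : "
                    + (mayFollow(chain.get(i), chain.get(i + 1)) ? "follow" : "refuse"));
    }
}
```

With the allowlist emptied, the second hop of the replayed chain is refused, which matches what `Redirect.NORMAL` does for the purl.org URL.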