[
https://issues.apache.org/jira/browse/JENA-2203?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17452965#comment-17452965
]
Andy Seaborne edited comment on JENA-2203 at 12/3/21, 12:15 PM:
----------------------------------------------------------------
Hi [~beaudet] -- thanks for this and thanks for testing 4.3.0.
The issue in the purl.org example is that there are two redirects at purl.org
for this: first http->https to get https at purl.org , then https->http at
otherServer. {{NORMAL}} does not follow the second step because it is "https"
to "http" (the difference between {{NORMAL}} and {{ALWAYS}}).
We probably should set {{ALWAYS}} for the 4.3 release as it is compatible
(JENA-1263).
I'd like to understand why the JDK HttpClient has made the choice it has for
some security concern. Jena could provide managed https->http redirects itself
in some kind of whitelist fashion but that isn't ideal for usability reasons.
{{wget -S http://purl.org/iso25964/skos-thes}} ==> (abbreviated)
{noformat}
--2021-12-03 11:55:33-- http://purl.org/iso25964/skos-thes
Connecting to purl.org (purl.org)|207.241.239.242|:80...
HTTP request sent, awaiting response...
HTTP/1.1 301 Moved Permanently
location: https://purl.org/iso25964/skos-thes
Location: https://purl.org/iso25964/skos-thes [following]
--2021-12-03 11:55:33-- https://purl.org/iso25964/skos-thes
Connecting to purl.org (purl.org)|207.241.239.242|:443... connected.
HTTP request sent, awaiting response...
HTTP/1.1 303 SEE OTHER
location: http://pub.tenforce.com/schemas/iso25964/skos-thes
Location: http://pub.tenforce.com/schemas/iso25964/skos-thes [following]
--2021-12-03 11:55:34-- http://pub.tenforce.com/schemas/iso25964/skos-thes
Connecting to pub.tenforce.com (pub.tenforce.com)|185.105.200.57|:80...
connected.
HTTP request sent, awaiting response...
HTTP/1.1 200 OK
{noformat}
{{HttpClient.Redirect}} =>
{code:java}
/**
* Always redirect, except from HTTPS URLs to HTTP URLs.
*/
NORMAL
{code}
was (Author: andy.seaborne):
Hi [~beaudet] -- thanks for this and thanks for testing 4.3.0.
The issue in the purl.org example is that there are two redirects at purl.org
for this: first http->https to get https://purl.org/ , then
https->http://otherServer/. {{NORMAL}} does not follow the second step because
it is "https" to "http" (the difference between {{NORMAL}} and {{ALWAYS}}).
We probably should set {{ALWAYS}} for the 4.3 release as it is compatible
(JENA-1263).
I'd like to understand why the JDK HttpClient has made the choice it has for
some security concern. Jena could provide managed https->http redirects itself
in some kind of whitelist fashion but that isn't ideal for usability reasons.
{{wget -S http://purl.org/iso25964/skos-thes}} ==> (abbreviated)
{noformat}
--2021-12-03 11:55:33-- http://purl.org/iso25964/skos-thes
Connecting to purl.org (purl.org)|207.241.239.242|:80...
HTTP request sent, awaiting response...
HTTP/1.1 301 Moved Permanently
location: https://purl.org/iso25964/skos-thes
Location: https://purl.org/iso25964/skos-thes [following]
--2021-12-03 11:55:33-- https://purl.org/iso25964/skos-thes
Connecting to purl.org (purl.org)|207.241.239.242|:443... connected.
HTTP request sent, awaiting response...
HTTP/1.1 303 SEE OTHER
location: http://pub.tenforce.com/schemas/iso25964/skos-thes
Location: http://pub.tenforce.com/schemas/iso25964/skos-thes [following]
--2021-12-03 11:55:34-- http://pub.tenforce.com/schemas/iso25964/skos-thes
Connecting to pub.tenforce.com (pub.tenforce.com)|185.105.200.57|:80...
connected.
HTTP request sent, awaiting response...
HTTP/1.1 200 OK
{noformat}
{{HttpClient.Redirect}} =>
{code:java}
/**
* Always redirect, except from HTTPS URLs to HTTP URLs.
*/
NORMAL
{code}
> 303 redirect issues cropped up again in 4.3 snapshot
> ----------------------------------------------------
>
> Key: JENA-2203
> URL: https://issues.apache.org/jira/browse/JENA-2203
> Project: Apache Jena
> Issue Type: Improvement
> Affects Versions: Jena 4.3.0
> Reporter: David Beaudet
> Priority: Major
>
> The same issue noted in #JENA-1263 with 303 redirects not being followed when
> loading ontologies seems to have cropped up again in version 4.3.0 and
> requires the following workaround in client code:
> static {
> HttpEnv.setDftHttpClient(
> HttpClient.newBuilder()
> .connectTimeout(Duration.ofSeconds(10))
> .followRedirects(Redirect.ALWAYS)
> .build()
> );
> The default builder sets Redirect.NORMAL which, at least in the latest
> versions of Java (I'm using OpenJDK 16) doesn't appear to follow 303.
>
> Can reproduce with the following:
> OntModel data =
> ModelFactory.createOntologyModel(OntModelSpec.OWL_DL_MEM_RULE_INF);
> data.read("http://purl.org/iso25964/skos-thes";);
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
