This Bugzilla instance is a read-only archive of historic NetBeans bug reports. To report a bug in NetBeans please follow the project's instructions for reporting issues.
Summary: | AU fails to follow redirects | ||
---|---|---|---|
Product: | platform | Reporter: | _ rkubacki <rkubacki> |
Component: | Autoupdate | Assignee: | Jiri Rechtacek <jrechtacek> |
Status: | VERIFIED FIXED | ||
Severity: | normal | CC: | anebuzelsky, evsmusic, hardyheroin, johnjullion, mmirilovic, musilt2 |
Priority: | P2 | ||
Version: | 7.3 | ||
Hardware: | PC | ||
OS: | All | ||
Issue Type: | DEFECT | Exception Reporter: |
Description
_ rkubacki
2012-03-21 09:00:54 UTC
NBAndroid project has its update center hosted on kenai.com using http://kenai.com/projects/nbandroid/downloads/download/updatecenter/org-netbeans-modules-android-xml.nbm URL. Recently there was a change in project hosting infrastructure that adds an HTTP redirect to this URL: $ curl -i http://kenai.com/projects/nbandroid/downloads/download/updatecenter/updates.xml HTTP/1.1 302 Moved Temporarily Date: Wed, 21 Mar 2012 08:27:14 GMT Cache-Control: no-cache, max-age=0 Location: http://kenai.com/downloads/nbandroid/updatecenter/updates.xml X-Runtime: 0.12700 Content-Type: text/html;charset=utf-8 Content-Length: 127 Set-Cookie: _junction2_session=08f967c86d512fe85ae5eeb8ff41d0d5; domain=.kenai.com; path=/ Expires: Wed, 21 Mar 2012 08:27:14 GMT Vary: Accept-Encoding <html><body>You are being <a href="http://kenai.com/downloads/nbandroid/updatecenter/updates.xml">redirected</a>.</body></html> Unfortunately NetBeans does not process 302 status. It does not even show any notification that this AUC is not reachable. http://docs.oracle.com/javase/1.5.0/docs/api/java/net/HttpURLConnection.html#setFollowRedirects(boolean) should help. We couldn't find a reproducible test-case => closed as WFM for now. I ran into this bug as well A test-case is easily defined, go to Tools - Plugin in any NetBeans Platform Application (including the IDE) (I tested 7.0.1 and 7.3 will all updates) and add the following auc URL to your repositories and reload catalog: http://glotaran.kenai.com/uc/updates.xml I have also described the issue in more detail here: https://kenai.com/jira/browse/KENAI-4151 There you will find the debug output for NetBeans 7.0.1 Here is the shortened debug output for NetBeans 7.3: INFO [org.netbeans.modules.autoupdate.updateprovider.DownloadListener]: Connection content length was 0 bytes (read 0bytes), expected file size can`t be that size - likely server with file at http://glotaran.kenai.com/uc/updates.xml is temporary down INFO [org.netbeans.modules.autoupdate.ui.actions.AutoupdateCheckScheduler] java.io.IOException: Zero sized file reported at http://glotaran.kenai.com/uc/updates.xml at org.netbeans.modules.autoupdate.updateprovider.DownloadListener.doCopy(DownloadListener.java:155) at org.netbeans.modules.autoupdate.updateprovider.DownloadListener.streamOpened(DownloadListener.java:78) at org.netbeans.modules.autoupdate.updateprovider.NetworkAccess$Task$1.run(NetworkAccess.java:99) Caused: java.io.IOException: Zero sized file reported at http://glotaran.kenai.com/uc/updates.xml at org.netbeans.modules.autoupdate.updateprovider.DownloadListener.notifyException(DownloadListener.java:103) Just for the record: I've left kenai.com as hosting site. It is better to set up server somewhere else. (In reply to comment #3) > I ran into this bug as well > > A test-case is easily defined, go to Tools - Plugin in any NetBeans Platform > Application (including the IDE) (I tested 7.0.1 and 7.3 will all updates) and > add the following auc URL to your repositories and reload catalog: > http://glotaran.kenai.com/uc/updates.xml > > I have also described the issue in more detail here: > https://kenai.com/jira/browse/KENAI-4151 > There you will find the debug output for NetBeans 7.0.1 > > Here is the shortened debug output for NetBeans 7.3: > > INFO [org.netbeans.modules.autoupdate.updateprovider.DownloadListener]: > Connection content length was 0 bytes (read 0bytes), expected file size can`t > be that size - likely server with file at > http://glotaran.kenai.com/uc/updates.xml is temporary down > INFO [org.netbeans.modules.autoupdate.ui.actions.AutoupdateCheckScheduler] > java.io.IOException: Zero sized file reported at > http://glotaran.kenai.com/uc/updates.xml > at > org.netbeans.modules.autoupdate.updateprovider.DownloadListener.doCopy(DownloadListener.java:155) > at > org.netbeans.modules.autoupdate.updateprovider.DownloadListener.streamOpened(DownloadListener.java:78) > at > org.netbeans.modules.autoupdate.updateprovider.NetworkAccess$Task$1.run(NetworkAccess.java:99) > Caused: java.io.IOException: Zero sized file reported at > http://glotaran.kenai.com/uc/updates.xml > at > org.netbeans.modules.autoupdate.updateprovider.DownloadListener.notifyException(DownloadListener.java:103) The page http://glotaran.kenai.com/uc/updates.xml just contains: ====== Glotaran 1.3 is available now! Please browse to <a href="http://glotaran.org/downloads">GloTarAn.org</a> to download. ====== The page is not redirected somewhere else. AU client will not parse/interpret the content. No plan to change this. It is redirected as described in http://en.wikipedia.org/wiki/HTTP_302: $ curl -i http://glotaran.kenai.com/uc/updates.xml HTTP/1.0 302 Found Location: https://glotaran.kenai.com/uc/updates.xml Server: BigIP Connection: Keep-Alive Content-Length: 0 Maybe you want to close as won't fix anyway but currently the reason is not correct. (In reply to comment #6) > It is redirected as described in http://en.wikipedia.org/wiki/HTTP_302: > > $ curl -i http://glotaran.kenai.com/uc/updates.xml > HTTP/1.0 302 Found > Location: https://glotaran.kenai.com/uc/updates.xml > Server: BigIP > Connection: Keep-Alive > Content-Length: 0 > > Maybe you want to close as won't fix anyway but currently the reason is not > correct. Cannot be fixed on NetBeans by reason that JDK doesn't support Http->Https redirection due to security reasons - see http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=4620571 for more details. (In reply to comment #7) > (In reply to comment #6) > > > > Maybe you want to close as won't fix anyway but currently the reason is not > > correct. > > Cannot be fixed on NetBeans by reason that JDK doesn't support Http->Https > redirection due to security reasons - see > http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=4620571 for more details. First of all, I hope it's clear that the file located at http://glotaran.kenai.com/uc/updates.xml contains more than just a notification tag. It is a valid NetBeans platform auto update center configuration file, as demonstrated by the fact that when added to NetBeans (using the https prefix ofc) the plugins become available and when browsed to with any browser at my disposal the whole XML file is rendered. Moreover it's about 128 KB in size, too much for just a notification. Second, if I understand the comment from the link you provide correctly it is the responsibility of the application to implement a fix / workaround. I quote: "After discussion among Java Networking engineers, it is felt that we shouldn't automatically follow redirect from one protocol to another, for instance, from http to https and vise versa, doing so may have serious security consequences. Thus the fix is to return the server responses for redirect. Check response code and Location header field value for redirect information. It's the application's responsibility to follow the redirect." This comment is from 2002 though, perhaps the stance on this has changed since then? Reading the comments and related bug reports I do get the idea it is possible. In fact I can verify that a purely Java based browser such as lobo (http://sourceforge.net/projects/xamj/?source=dlp) has fixed this problem for itself. Now the last question is whether the application in which this bug would be best fixed is: the NetBeans Platform, the NetBeans IDE or the application built on top of the NetBeans Platform. In any case, as more and more web services are migrating from http to https I suspect that this issue will only become more relevant. *** Bug 230069 has been marked as a duplicate of this bug. *** Let's take another look at this, all java.net and kenai URLs are going to https so we need to be able to handle it. Tomas, please verify the tomorrow's build for possible regressions before backport to release73. Thanks Integrated into 'main-golden', will be available in build *201305230439* on http://bits.netbeans.org/dev/nightly/ (upload may still be in progress) Changeset: http://hg.netbeans.org/main-golden/rev/276aeafb4142 User: Jiri Rechtacek <jrechtacek@netbeans.org> Log: #209833: AU fails to follow redirects http->https verified (catalog refresh and download of plugin from UC) in Product Version: NetBeans IDE Dev (Build 201305230439) Java: 1.7.0_21; Java HotSpot(TM) 64-Bit Server VM 23.21-b01 Runtime: Java(TM) SE Runtime Environment 1.7.0_21-b12 System: Mac OS X version 10.8.3 running on x86_64; UTF-8; en_US (nb) User directory: /Users/tomas/Library/Application Support/NetBeans/dev Cache directory: /Users/tomas/Library/Caches/NetBeans/dev (In reply to comment #12) > Tomas, please verify the tomorrow's build for possible regressions before > backport to release73. Thanks Integrated into 'releases', will be available in build *201305272201* or newer. Wait for official and publicly available build. Changeset: http://hg.netbeans.org/releases/rev/350e8078ae5b User: Jiri Rechtacek <jrechtacek@netbeans.org> Log: #209833: AU fails to follow redirects http->https (transplanted from 276aeafb41422b05b83fb226de9647f7ae06b3bc) verified in Product Version: NetBeans IDE 7.3.1 (Build 201305272201) Java: 1.6.0_45; Java HotSpot(TM) 64-Bit Server VM 20.45-b01-451 Runtime: Java(TM) SE Runtime Environment 1.6.0_45-b06-451-11M4406 System: Mac OS X version 10.8.3 running on x86_64; MacRoman; en_US (nb) User directory: /Users/tomas/Library/Application Support/NetBeans/7.3.1 Cache directory: /Users/tomas/Library/Caches/NetBeans/7.3.1 ...but i guess we need to increase spec version (currently is 1.39.1) to make it available in patch 2?! Jirko, can you please increase version? (In reply to comment #18) > Jirko, can you please increase version? Sorry, I'll do that. (In reply to comment #19) > (In reply to comment #18) > > Jirko, can you please increase version? > > Sorry, I'll do that. http://hg.netbeans.org/releases/rev/3e7d4ffdc6e0 thanks, verified in 7.3.1, I'll verify in patch as well, once new catalog is built. Integrated into 'releases', will be available in build *201305282201* or newer. Wait for official and publicly available build. Changeset: http://hg.netbeans.org/releases/rev/3e7d4ffdc6e0 User: Jiri Rechtacek <jrechtacek@netbeans.org> Log: #209833: increased spec.version for 73patch2 *** Bug 227499 has been marked as a duplicate of this bug. *** verified in bits from staging UC. |