Bug 209833 - AU fails to follow redirects
Status: VERIFIED FIXED
Product: platform
Classification: Unclassified
Component: Autoupdate
Version: 7.3
Hardware: PC All
Priority: P2
Target Milestone: 7.3.1
Assigned To: Jiri Rechtacek
au-issues
73patch2-verified
Duplicates: 227499 230069
Depends on:
Blocks:
Reported: 2012-03-21 09:00 UTC by _ rkubacki
Modified: 2013-05-30 07:33 UTC

Issue Type: DEFECT
Description _ rkubacki 2012-03-21 09:00:54 UTC

    
Comment 1 _ rkubacki 2012-03-21 09:04:53 UTC
NBAndroid project has its update center hosted on kenai.com using http://kenai.com/projects/nbandroid/downloads/download/updatecenter/org-netbeans-modules-android-xml.nbm URL. Recently there was a change in project hosting infrastructure that adds an HTTP redirect to this URL:

$ curl -i http://kenai.com/projects/nbandroid/downloads/download/updatecenter/updates.xml
HTTP/1.1 302 Moved Temporarily
Date: Wed, 21 Mar 2012 08:27:14 GMT
Cache-Control: no-cache, max-age=0
Location: http://kenai.com/downloads/nbandroid/updatecenter/updates.xml
X-Runtime: 0.12700
Content-Type: text/html;charset=utf-8
Content-Length: 127
Set-Cookie: _junction2_session=08f967c86d512fe85ae5eeb8ff41d0d5; domain=.kenai.com; path=/
Expires: Wed, 21 Mar 2012 08:27:14 GMT
Vary: Accept-Encoding

<html><body>You are being <a href="http://kenai.com/downloads/nbandroid/updatecenter/updates.xml">redirected</a>.</body></html>

Unfortunately NetBeans does not process 302 status. It does not even show any notification that this AUC is not reachable.

http://docs.oracle.com/javase/1.5.0/docs/api/java/net/HttpURLConnection.html#setFollowRedirects(boolean) should help.
Comment 2 Jiri Rechtacek 2012-03-28 09:12:49 UTC
We couldn't find a reproducible test-case => closed as WFM for now.
Comment 3 hardyheroin 2013-05-18 19:43:31 UTC
I ran into this bug as well

A test-case is easily defined, go to Tools - Plugin in any NetBeans Platform Application (including the IDE) (I tested 7.0.1 and 7.3 with all updates) and add the following auc URL to your repositories and reload catalog:
http://glotaran.kenai.com/uc/updates.xml

I have also described the issue in more detail here:
https://kenai.com/jira/browse/KENAI-4151
There you will find the debug output for NetBeans 7.0.1

Here is the shortened debug output for NetBeans 7.3:

INFO [org.netbeans.modules.autoupdate.updateprovider.DownloadListener]: Connection content length was 0 bytes (read 0bytes), expected file size can`t be that size - likely server with file at http://glotaran.kenai.com/uc/updates.xml is temporary down
INFO [org.netbeans.modules.autoupdate.ui.actions.AutoupdateCheckScheduler]
java.io.IOException: Zero sized file reported at http://glotaran.kenai.com/uc/updates.xml
	at org.netbeans.modules.autoupdate.updateprovider.DownloadListener.doCopy(DownloadListener.java:155)
	at org.netbeans.modules.autoupdate.updateprovider.DownloadListener.streamOpened(DownloadListener.java:78)
	at org.netbeans.modules.autoupdate.updateprovider.NetworkAccess$Task$1.run(NetworkAccess.java:99)
Caused: java.io.IOException: Zero sized file reported at http://glotaran.kenai.com/uc/updates.xml
	at org.netbeans.modules.autoupdate.updateprovider.DownloadListener.notifyException(DownloadListener.java:103)
Comment 4 _ rkubacki 2013-05-18 20:29:25 UTC
Just for the record: I've left kenai.com as hosting site. It is better to set up a server somewhere else.
Comment 5 Jiri Rechtacek 2013-05-20 13:38:55 UTC
(In reply to comment #3)
> I ran into this bug as well
> 
> A test-case is easily defined, go to Tools - Plugin in any NetBeans Platform
> Application (including the IDE) (I tested 7.0.1 and 7.3 with all updates) and
> add the following auc URL to your repositories and reload catalog:
> http://glotaran.kenai.com/uc/updates.xml
> 
> I have also described the issue in more detail here:
> https://kenai.com/jira/browse/KENAI-4151
> There you will find the debug output for NetBeans 7.0.1
> 
> Here is the shortened debug output for NetBeans 7.3:
> 
> INFO [org.netbeans.modules.autoupdate.updateprovider.DownloadListener]:
> Connection content length was 0 bytes (read 0bytes), expected file size can`t
> be that size - likely server with file at
> http://glotaran.kenai.com/uc/updates.xml is temporary down
> INFO [org.netbeans.modules.autoupdate.ui.actions.AutoupdateCheckScheduler]
> java.io.IOException: Zero sized file reported at
> http://glotaran.kenai.com/uc/updates.xml
>     at
> org.netbeans.modules.autoupdate.updateprovider.DownloadListener.doCopy(DownloadListener.java:155)
>     at
> org.netbeans.modules.autoupdate.updateprovider.DownloadListener.streamOpened(DownloadListener.java:78)
>     at
> org.netbeans.modules.autoupdate.updateprovider.NetworkAccess$Task$1.run(NetworkAccess.java:99)
> Caused: java.io.IOException: Zero sized file reported at
> http://glotaran.kenai.com/uc/updates.xml
>     at
> org.netbeans.modules.autoupdate.updateprovider.DownloadListener.notifyException(DownloadListener.java:103)

The page http://glotaran.kenai.com/uc/updates.xml just contains:
======
Glotaran 1.3 is available now! Please browse to <a href="http://glotaran.org/downloads">GloTarAn.org</a> to download.
======
The page is not redirected somewhere else. AU client will not parse/interpret the content. No plan to change this.
Comment 6 _ rkubacki 2013-05-20 13:46:20 UTC
It is redirected as described in http://en.wikipedia.org/wiki/HTTP_302:

$ curl -i http://glotaran.kenai.com/uc/updates.xml
HTTP/1.0 302 Found
Location: https://glotaran.kenai.com/uc/updates.xml
Server: BigIP
Connection: Keep-Alive
Content-Length: 0

Maybe you want to close as won't fix anyway but currently the reason is not correct.
Comment 7 Jiri Rechtacek 2013-05-20 15:00:54 UTC
(In reply to comment #6)
> It is redirected as described in http://en.wikipedia.org/wiki/HTTP_302:
> 
> $ curl -i http://glotaran.kenai.com/uc/updates.xml
> HTTP/1.0 302 Found
> Location: https://glotaran.kenai.com/uc/updates.xml
> Server: BigIP
> Connection: Keep-Alive
> Content-Length: 0
> 
> Maybe you want to close as won't fix anyway but currently the reason is not
> correct.

Cannot be fixed on NetBeans by reason that JDK doesn't support Http->Https redirection due to security reasons - see http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=4620571 for more details.
Comment 8 hardyheroin 2013-05-21 12:31:27 UTC
(In reply to comment #7)
> (In reply to comment #6)
> > 
> > Maybe you want to close as won't fix anyway but currently the reason is not
> > correct.
> 
> Cannot be fixed on NetBeans by reason that JDK doesn't support Http->Https
> redirection due to security reasons - see
> http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=4620571 for more details.

First of all, I hope it's clear that the file located at http://glotaran.kenai.com/uc/updates.xml contains more than just a notification tag. It is a valid NetBeans platform auto update center configuration file, as demonstrated by the fact that when added to NetBeans (using the https prefix ofc) the plugins become available and when browsed to with any browser at my disposal the whole XML file is rendered. Moreover it's about 128 KB in size, too much for just a notification.

Second, if I understand the comment from the link you provide correctly it is the responsibility of the application to implement a fix / workaround.
I quote: "After discussion among Java Networking engineers, it is felt that we shouldn't automatically follow redirect from one protocol to another, for instance, from http to https and vice versa, doing so may have serious security consequences. Thus the fix is to return the server responses for redirect. Check response code and Location header field value for redirect information. It's the application's responsibility to follow the redirect."
This comment is from 2002 though, perhaps the stance on this has changed since then?

Reading the comments and related bug reports I do get the idea it is possible. In fact I can verify that a purely Java based browser such as lobo (http://sourceforge.net/projects/xamj/?source=dlp) has fixed this problem for itself.

Now the last question is whether the application in which this bug would be best fixed is: the NetBeans Platform, the NetBeans IDE  or the application built on top of the NetBeans Platform. 
In any case, as more and more web services are migrating from http to https I suspect that this issue will only become more relevant.
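
[Added example, not part of the original thread and not the NetBeans changeset] A sketch of what the JDK note quoted in comment 8 asks of the application: check the response code and the Location header, then follow the redirect under an explicit policy. The class name, method names, hop limit and example.test URLs are assumptions made for this illustration.

```java
import java.io.IOException;
import java.io.InputStream;
import java.net.HttpURLConnection;
import java.net.URL;

// Added illustration; class and method names are hypothetical, not NetBeans code.
public class RedirectFollower {
    private static final int MAX_HOPS = 5; // assumed cap, stops redirect loops

    /** Policy for one hop: stay on http/https and never drop from https to http. */
    static boolean isAllowed(URL from, URL to) {
        String a = from.getProtocol(), b = to.getProtocol();
        boolean web = b.equalsIgnoreCase("http") || b.equalsIgnoreCase("https");
        boolean downgrade = a.equalsIgnoreCase("https") && b.equalsIgnoreCase("http");
        return web && !downgrade;
    }

    /** Opens an http(s) URL, following redirects by hand so every hop is checked. */
    static InputStream open(URL url) throws IOException {
        for (int hop = 0; hop <= MAX_HOPS; hop++) {
            HttpURLConnection c = (HttpURLConnection) url.openConnection();
            c.setInstanceFollowRedirects(false); // decide each redirect ourselves
            int code = c.getResponseCode();
            if (code != 301 && code != 302 && code != 303 && code != 307) {
                return c.getInputStream(); // final response (throws on 4xx/5xx)
            }
            String location = c.getHeaderField("Location");
            c.disconnect();
            if (location == null) {
                throw new IOException(code + " without Location header from " + url);
            }
            URL next = new URL(url, location); // also resolves a relative Location
            if (!isAllowed(url, next)) {
                throw new IOException("Refusing redirect " + url + " -> " + next);
            }
            url = next;
        }
        throw new IOException("More than " + MAX_HOPS + " redirects");
    }

    public static void main(String[] args) throws IOException {
        // Constructed URLs: the policy check needs no network access.
        URL http = new URL("http://updates.example.test/uc/updates.xml");
        URL https = new URL("https://updates.example.test/uc/updates.xml");
        System.out.println("http  -> https allowed: " + isAllowed(http, https));
        System.out.println("https -> http  allowed: " + isAllowed(https, http));
        System.out.println("http  -> ftp   allowed: "
                + isAllowed(http, new URL("ftp://updates.example.test/uc/updates.xml")));
    }
}
```

The first request in an http-to-https upgrade still travels in clear text, so registering the update center with its https URL from the start avoids depending on the redirect.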
Comment 9 John Jullion-ceccarelli 2013-05-21 21:25:47 UTC
*** Bug 230069 has been marked as a duplicate of this bug. ***
Comment 10 John Jullion-ceccarelli 2013-05-21 22:24:24 UTC
Let's take another look at this, all java.net and kenai URLs are going to https so we need to be able to handle it.
Comment 11 Jiri Rechtacek 2013-05-22 12:39:46 UTC
http://hg.netbeans.org/core-main/rev/276aeafb4142
Comment 12 Jiri Rechtacek 2013-05-22 15:15:05 UTC
Tomas, please verify the tomorrow's build for possible regressions before backport to release73. Thanks
Comment 13 Quality Engineering 2013-05-23 08:17:08 UTC
Integrated into 'main-golden', will be available in build *201305230439* on http://bits.netbeans.org/dev/nightly/ (upload may still be in progress)
Changeset: http://hg.netbeans.org/main-golden/rev/276aeafb4142
User: Jiri Rechtacek <jrechtacek@netbeans.org>
Log: #209833: AU fails to follow redirects http->https
Comment 14 Tomas Danek 2013-05-23 13:28:40 UTC
verified (catalog refresh and download of plugin from UC) in

Product Version: NetBeans IDE Dev (Build 201305230439)
Java: 1.7.0_21; Java HotSpot(TM) 64-Bit Server VM 23.21-b01
Runtime: Java(TM) SE Runtime Environment 1.7.0_21-b12
System: Mac OS X version 10.8.3 running on x86_64; UTF-8; en_US (nb)
User directory: /Users/tomas/Library/Application Support/NetBeans/dev
Cache directory: /Users/tomas/Library/Caches/NetBeans/dev


(In reply to comment #12)
> Tomas, please verify the tomorrow's build for possible regressions before
> backport to release73. Thanks
Comment 15 Jiri Rechtacek 2013-05-27 13:49:16 UTC
http://hg.netbeans.org/releases/rev/350e8078ae5b
Comment 16 Quality Engineering 2013-05-27 23:33:39 UTC
Integrated into 'releases', will be available in build *201305272201* or newer. Wait for official and publicly available build.
Changeset: http://hg.netbeans.org/releases/rev/350e8078ae5b
User: Jiri Rechtacek <jrechtacek@netbeans.org>
Log: #209833: AU fails to follow redirects http->https
(transplanted from 276aeafb41422b05b83fb226de9647f7ae06b3bc)
Comment 17 Tomas Danek 2013-05-28 08:04:58 UTC
verified in Product Version: NetBeans IDE 7.3.1 (Build 201305272201)
Java: 1.6.0_45; Java HotSpot(TM) 64-Bit Server VM 20.45-b01-451
Runtime: Java(TM) SE Runtime Environment 1.6.0_45-b06-451-11M4406
System: Mac OS X version 10.8.3 running on x86_64; MacRoman; en_US (nb)
User directory: /Users/tomas/Library/Application Support/NetBeans/7.3.1
Cache directory: /Users/tomas/Library/Caches/NetBeans/7.3.1

...but I guess we need to increase spec version (currently is 1.39.1) to make it available in patch 2?!
Comment 18 Tomas Danek 2013-05-28 08:15:19 UTC
Jirko, can you please increase version?
Comment 19 Jiri Rechtacek 2013-05-28 08:25:30 UTC
(In reply to comment #18)
> Jirko, can you please increase version?

Sorry, I'll do that.
Comment 20 Jiri Rechtacek 2013-05-28 09:48:37 UTC
(In reply to comment #19)
> (In reply to comment #18)
> > Jirko, can you please increase version?
> 
> Sorry, I'll do that.

http://hg.netbeans.org/releases/rev/3e7d4ffdc6e0
Comment 21 Tomas Danek 2013-05-28 10:05:54 UTC
thanks, verified in 7.3.1, I'll verify in patch as well, once new catalog is built.
Comment 22 Quality Engineering 2013-05-29 00:14:21 UTC
Integrated into 'releases', will be available in build *201305282201* or newer. Wait for official and publicly available build.
Changeset: http://hg.netbeans.org/releases/rev/3e7d4ffdc6e0
User: Jiri Rechtacek <jrechtacek@netbeans.org>
Log: #209833: increased spec.version for 73patch2
Comment 23 Jiri Rechtacek 2013-05-29 15:37:10 UTC
*** Bug 227499 has been marked as a duplicate of this bug. ***
Comment 24 Tomas Danek 2013-05-30 07:33:15 UTC
verified in bits from staging UC.

