Spring Roo / ROO-3127

Roo obr addon start does not honor repository redirect requests (302 MOVED)

    Details

    • Type: Improvement
    • Status: Open
    • Priority: Blocker
    • Resolution: Unresolved
    • Affects Version/s: 1.2.1.RELEASE, 1.2.2.RELEASE
    • Fix Version/s: None
    • Component/s: @ ROO SHELL
    • Labels:
    • Environment:
      Mac OS X Lion JDK 6

      Description

      I've been working with a CloudBees git repository, and a CloudBees Maven repository for a FOSS project.

      The Maven repo is hosted with https.

      The Roo add-on is being installed properly to the repo (as far as we know) and works when installed with osgi start.

      The problem comes in with the bundleUrl option of the maven-bundle-plugin. It references the new Roo httppgp:// prefix. The problem is in the code for HttpPgpUrlStreamHandlerServiceImpl. The entire openConnection() method assumes that the resources are going to be on an http path, and if the server sends a 302 MOVED to an https path, the process throws an exception (because, for example, when fetching the ASCII version of the PGP key, it actually gets an HTTP 302 MOVED document). This is invalid, and we get the exception listed in the thread I've linked to.

      This is critical to fix if you are planning on supporting OBR with any https-based Maven repositories. I'm not sure that Nexus or Google Code requires https, which is probably why this has worked so far. But CloudBees redirects everyone to https.

      Here is the offending code from HttpPgpUrlStreamHandlerServiceImpl. It looks like it changed to use the Commons Lang Validate methods in Roo 1.3.0, but still uses openConnection() and doesn't check the headers. I think it's possible to use commons httpclient to do this for you...

      [CODE]
      @Override
      public URLConnection openConnection(final URL u) throws IOException {
          // Convert httppgp:// URL into a standard http:// URL
          final URL resourceUrl = new URL(u.toExternalForm().replace("httppgp",
                  "http"));
          // Add .asc to the end of the standard resource URL
          final URL ascUrl = new URL(resourceUrl.toExternalForm() + ".asc");

          // Start with the ASC file, as if this is for an untrusted key, there's
          // no point download the larger resource
          final File ascUrlFile = File.createTempFile("roo_asc", null);
          ascUrlFile.deleteOnExit();

          InputStream inputStream = null;
          FileOutputStream outputStream = null;
          try {
              outputStream = new FileOutputStream(ascUrlFile);
              inputStream = urlInputStreamService.openConnection(ascUrl);
              IOUtils.copy(inputStream, outputStream);
          }
          catch (final IOException ioe) {
              // This is not considered fatal; it is likely the ASC isn't
              // available, so we will continue
              ascUrlFile.delete();
          }
          finally {
              IOUtils.closeQuietly(inputStream);
              IOUtils.closeQuietly(outputStream);
          }

          // Abort if a signature wasn't downloaded (this is a httppgp:// URL
          // after all, so it should be available)
          Validate.isTrue(
                  ascUrlFile.exists(),
                  "Signature verification file is not available at '"
                          + ascUrl.toExternalForm() + "'; continuing");
          ...
      [/CODE]
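
One way to handle the redirect described in this report, as an added example that is not Roo's code or the reporter's: `java.net.HttpURLConnection` does not follow a redirect that changes protocol (http to https), so the fetch reads `Location` and follows it itself. The class name, `MAX_HOPS`, the refusal of https-to-http downgrades and the `repo.example.org` URL are assumptions made for illustration.

```java
import java.io.IOException;
import java.io.InputStream;
import java.net.HttpURLConnection;
import java.net.URL;

// Added example (not Roo code): redirect handling for the .asc and bundle fetches.
public class RedirectAwareFetch {
    static final int MAX_HOPS = 5; // assumed limit on redirects followed

    // Policy for one redirect: resolve Location against the current URL,
    // accept only http/https targets, and never go from https back to http.
    static URL nextHop(URL current, String location) throws IOException {
        if (location == null) {
            throw new IOException("Redirect without Location header from " + current);
        }
        URL next = new URL(current, location); // handles relative Location values
        String to = next.getProtocol();
        if (!to.equals("http") && !to.equals("https")) {
            throw new IOException("Refusing redirect to scheme " + to);
        }
        if (current.getProtocol().equals("https") && to.equals("http")) {
            throw new IOException("Refusing https -> http downgrade to " + next);
        }
        return next;
    }

    // Open the resource, passing every 3xx response through nextHop().
    static InputStream open(URL url) throws IOException {
        for (int hop = 0; hop <= MAX_HOPS; hop++) {
            HttpURLConnection c = (HttpURLConnection) url.openConnection();
            c.setInstanceFollowRedirects(false); // no silent same-protocol hops
            int status = c.getResponseCode();
            if (status == HttpURLConnection.HTTP_OK) {
                return c.getInputStream();
            }
            if (status != 301 && status != 302 && status != 303
                    && status != 307 && status != 308) {
                throw new IOException("HTTP " + status + " fetching " + url);
            }
            String location = c.getHeaderField("Location");
            c.disconnect();
            url = nextHop(url, location);
        }
        throw new IOException("More than " + MAX_HOPS + " redirects");
    }

    public static void main(String[] args) throws IOException {
        URL asc = new URL("http://repo.example.org/addon-1.0.jar.asc"); // constructed
        System.out.println(nextHop(asc, "https://repo.example.org/addon-1.0.jar.asc"));
    }
}
```

A non-200 final status is raised as an error rather than written to the temp file, so a redirect page can no longer be mistaken for the signature.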

        Activity

        Alan Stewart added a comment -

        Changing to an improvement for when we support https-based Maven repositories


          People

          • Assignee: Unassigned
          • Reporter: Ken Rimple
          • Votes: 0
          • Watchers: 0
