Description of problem:
Availability checks for Apache using the standard Java URL class when hitting redirects, were actually attempting to connect to remote sites when receiving a 300-series error. For when Apache is deployed in a datacenter, this can mean the check is actually hitting a web server outside of the datacenter which can fail, usually in the form of a timeout.

Version-Release number of selected component (if applicable):
4.9

How reproducible:
Always, in some cases.

Steps to Reproduce:
1. Have Apache redirect / to a URL that times out (host is inaccessible, behind a firewall, etc.)
2. Observe 302 in the Apache request error log and timeouts in RHQ

Additional info:

commit 816e77ed7344c37a4c3ec42023f37cada62b1345
Author: Elias Ross <elias_ross>
Date: Fri Sep 20 13:54:29 2013 -0700

BZ - fix issue with following redirects

diff --git a/modules/plugins/apache/src/main/java/org/rhq/plugins/www/util/WWWUtils.java b/modules/plugins/apache/src/main/java/org/rhq/plugins/www/util/WWWUtils.java index 206db58..d84c1a2 100644 --- a/modules/plugins/apache/src/main/java/org/rhq/plugins/www/util/WWWUtils.java +++ b/modules/plugins/apache/src/main/java/org/rhq/plugins/www/util/WWWUtils.java @@ -102,6 +102,7 @@ public static AvailabilityResult checkAvailability(URL httpURL, int timeout) { HttpURLConnection connection; try { connection = (HttpURLConnection) httpURL.openConnection(); + connection.setInstanceFollowRedirects(false); } catch (IOException e) { String errorMessage = "Failed to open URLConnection for [" + httpURL + "]."; LOG.error(errorMessage, e);

Probably should be applied as well to GET attempts.
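Review bot: In checkAvailability, the added connection.setInstanceFollowRedirects(false) right after openConnection() means a 3xx response now reaches whatever status handling follows, and the visible lines do not show how that status maps to an AvailabilityResult; confirm that a 302 is treated as "the server answered" rather than as down, and put a one-line comment on the call saying why redirects are disabled (the check must not contact the Location host). The setting is per connection, so any other openConnection() site in WWWUtils, such as the GET path mentioned in the report, needs the same call. The commit subject "BZ - fix issue with following redirects" is also missing the bug number.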
It might make more sense to turn off redirects completely in the plugin container. I can't think of too many cases where this is the desired behavior, and may be a security issue besides.
Elias, thank you for the contribution. What exactly do you mean by turning it off completely in the plugin container? I'd open up a new BZ for it, because there might be a big impact.

In master:

commit fd35779a4925d0eee70620bcc7cb47b77de4efc0
Author: Elias Ross <elias_ross>
Date: Thu Feb 20 14:34:46 2014 +0100

[BZ 1010485] Apache plugin's WWWUtil should not follow HTTP redirects
I meant at the class level you can set allow redirects: http://docs.oracle.com/javase/7/docs/api/java/net/HttpURLConnection.html#setFollowRedirects(boolean)

What could happen is initially a URL is being tested (perhaps with login credentials), and if the service is replaced (possibly by a hacker), the request could be redirected offsite. This seems like a bad idea. This could happen in a third-party plugin as well. I'm just saying it is behavior that might be undesirable by default.
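An added example, not part of this thread or of RHQ's code: an availability probe that never follows redirects and reports an off-host `Location` instead of connecting to it. The class name `RedirectSafeCheck`, the `Probe` type, the HEAD method and the constructed local server with its `unreachable.example.invalid` target are all assumptions made for the illustration.

```java
import com.sun.net.httpserver.HttpServer;
import java.net.HttpURLConnection;
import java.net.InetSocketAddress;
import java.net.URI;
import java.net.URL;

public class RedirectSafeCheck {
    /** What the probed server itself answered, plus where it tried to send us. */
    static final class Probe {
        final int status; final String location; final boolean offHost;
        Probe(int s, String l, boolean o) { status = s; location = l; offHost = o; }
    }

    static Probe probe(URL url, int timeoutMs) throws Exception {
        HttpURLConnection c = (HttpURLConnection) url.openConnection();
        // Per-connection switch; the static setFollowRedirects(false) changes the JVM-wide default.
        c.setInstanceFollowRedirects(false);
        c.setConnectTimeout(timeoutMs);
        c.setReadTimeout(timeoutMs);
        c.setRequestMethod("HEAD"); // assumption: the check only needs the status line
        try {
            int status = c.getResponseCode();
            String location = c.getHeaderField("Location");
            boolean offHost = false;
            if (status >= 300 && status < 400 && location != null) {
                // Resolve a relative Location against the probed URL, then compare hosts only.
                String target = url.toURI().resolve(location).getHost();
                offHost = target == null || !target.equalsIgnoreCase(url.getHost());
            }
            return new Probe(status, location, offHost); // caller decides whether 3xx means "up"
        } finally {
            c.disconnect();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for Apache: "/" redirects to a host that must never be contacted.
        HttpServer server = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
        server.createContext("/", ex -> {
            ex.getResponseHeaders().add("Location", "http://unreachable.example.invalid/login");
            ex.sendResponseHeaders(302, -1); // -1: no response body
            ex.close();
        });
        server.start();
        try {
            int port = server.getAddress().getPort();
            Probe p = probe(URI.create("http://127.0.0.1:" + port + "/").toURL(), 2000);
            System.out.println(p.status + " -> " + p.location + " offHost=" + p.offHost);
        } finally { server.stop(0); }
    }
}
```

Because the redirect is reported rather than followed, any credentials attached to the original request stay with the host that was actually probed.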
Bulk closing of 4.10 issues. If an issue is not solved for you, please open a new BZ (or clone the existing one) with a version designator of 4.10.