After upgrading to 1.31.0, library returns 403 while curl succeeds #795
Comments
1.27.0 succeeds with 200 from the same sample code. (Note the v1
```java
import com.google.api.client.http.GenericUrl;
import com.google.api.client.http.apache.ApacheHttpTransport;
import java.io.IOException;

public class Main {
  public static void main(String[] args) throws IOException {
    // Blob URL from the report; the registry answers the first GET with a 307 redirect.
    GenericUrl url =
        new GenericUrl(
            "https://mcr.microsoft.com/v2/dotnet/core/aspnet/blobs/sha256:bbfbcd8743705b4d4d398c18abb8fa52b3204239d80ea089d0c3f3c53d5818dd");
    // execute() throws HttpResponseException on an unsuccessful status code by default.
    new ApacheHttpTransport().createRequestFactory().buildGetRequest(url).execute();
  }
}
```
Log:
|
I suspect that 1.31.0 fails to capture and send the correct temporary redirect URL from the 307 response. The server is probably working correctly by returning the "time-limited URL validation failure" for non-existing or incorrect URLs. |
Using the legacy apache client also fails at 1.31.0 so I looked into other things that changed. Interestingly, downgrading |
I narrowed it down to |
Looks like it broke here: apache/httpcomponents-client@8c04c6a There are additional reports on that commit that it's breaking other URL signing. |
Thanks for looking into it. Then what should the resolution be? According to the thread in that commit, seems like it's possible to disable the URI normalization (at least it is reported possible in 4.5.8.) Should google-http-java-client do it? Or, can we handle the breaking change from new URI normalization probably at the google-http-java-client level and make things work? Or, is it that |
It looks like we need to set the config here and/or provide a way to configure the request options builder at client configuration time. |
As a workaround, until we get this patched and released, you can force downgrade the |
Do you think it is safe and compatible to force downgrading only the transitive dependency |
Yes, we weren't relying on anything added in higher versions, just trying to keep up to date dependencies. |
After reading through that thread, I think the answer is that "microsoft.com should ideally be fixed to handle normalized URIs properly". I'm not 100% sure of that, but it seems the most likely answer.
|
|
We upgraded from 1.27.0 to 1.31.0 with the new "v2" apache (google-http-client-apache-v2), and we are starting to see this problem.
Environment details
Steps to reproduce
Send GET to https://mcr.microsoft.com/v2/dotnet/core/aspnet/blobs/sha256:bbfbcd8743705b4d4d398c18abb8fa52b3204239d80ea089d0c3f3c53d5818dd. See the example code below.
Code example
Stack trace
Both of the curl commands in the log below succeed on the command line. It is only the library that is failing. And the old 1.27.0 library used to work, returning 200.
Note the second curl command attempts a temporary redirect URL after getting the 307 response from the first GET, so eventually the second URL in the log will expire and stop working. To reproduce on your side, make sure to re-run the sample code to get a fresh temporary redirect URL.
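The failure mode discussed in this thread (a signed, time-limited redirect URL that validates for curl but returns 403 once a client normalizes the URI) can be reproduced in isolation. The following is an added example, not code from the issue or from either project. The key, the URL, the HMAC scheme and the choice of RFC 3986 section 6.2.2 escape normalization are all assumptions, since the page does not show which rewrite HttpClient applied to the real redirect URL. It compares a server that verifies the raw request target with one that canonicalizes before signing and verifying.

```python
import hashlib
import hmac
import re

KEY = b"constructed-demo-key"  # constructed value, not from the page
UNRESERVED = ("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
              "0123456789-._~")
# Constructed redirect target with lowercase escapes and an escaped '~'.
ISSUED = "/blobs/sha256%3abbfb?se=2019-08-20T12%3a00Z&p=a%7Eb"


def canonical(target: str) -> str:
    """RFC 3986 6.2.2 escape normalization: decode escapes of unreserved
    characters, uppercase the hex digits of every other escape."""
    def fix(match):
        ch = chr(int(match.group(1), 16))
        return ch if ch in UNRESERVED else "%" + match.group(1).upper()
    return re.sub(r"%([0-9A-Fa-f]{2})", fix, target)


def sign(target: str, canonicalize: bool) -> str:
    """HMAC-SHA256 over the request target, raw or canonicalized."""
    data = canonical(target) if canonicalize else target
    return hmac.new(KEY, data.encode(), hashlib.sha256).hexdigest()


def verify(target: str, sig: str, canonicalize: bool) -> int:
    """Status the hypothetical blob server would answer with."""
    ok = hmac.compare_digest(sign(target, canonicalize), sig)
    return 200 if ok else 403


def demo(canonicalize: bool) -> dict:
    """Replay one issued URL as three different clients would send it."""
    sig = sign(ISSUED, canonicalize)
    return {
        # Client that replays the Location header byte for byte.
        "verbatim": verify(ISSUED, sig, canonicalize),
        # Client that normalizes the URI before sending it.
        "normalized": verify(canonical(ISSUED), sig, canonicalize),
        # Changed expiry: must fail under either server policy.
        "tampered": verify(ISSUED.replace("2019", "2029"), sig, canonicalize),
    }


if __name__ == "__main__":
    print("raw-string server:    ", demo(False))
    print("canonicalizing server:", demo(True))
```

A server that signs and verifies the canonical form accepts both equivalent spellings of the URL while still rejecting the altered expiry, so tolerating normalizing clients does not weaken the signature check.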