The issue is due to checkValidAndSetUrl method introduced in IGBF-3103 where we looked to see if the http url was being redirected to https. This required connecting to the server to see if there was a redirect, but when the server is secure it appears to be initiating the IGB authentication, but it does not appear to save the password correctly. This is why the password is asked for again when loading the data.

There's a call to DataProviderManager.java getServerFromUrlStatic that is behaving oddly. It is being called when AddDataProvider.java checkValidAndSetUrl calls conn.getResponseCode() which then calls IGBAuthenticator.java getPasswordAuthentication which then calls DataProviderManager.java getServerFromUrlStatic. The getServerFromUrlStatic returns a DataProvider object, but it is unclear why we are checking if the data provider already exists, which because the secure site has not been added yet, it does not.

Several things to consider.

When we make the call to checkValidAndSetUrl the conn.getResponseCode() will trigger the Authenticator if the Quickload is a secure site. Authenticator is extended by IGBAuthenticator.java and makes a call to getServerFromUrlStatic in DataProviderManager.java. The getServerFromUrlStatic attempts to find the data provider based on the url. However, we haven't added the data provider as of the time when checkValidAndSetUrl has been called. This causes IGB to select a quickload at random and saves the password info to that quickload.

One of the potential workarounds is to add the data provider first, and then make a recursive call with the isEditPanel set to true. This in theory works, as the edit panel logic can then follow the redirect and modify the data provider, but it requires the recursive call be wrapped in a Timer as we run into a concurrency issue where the data provider is not added before the call to checkValidAndSetUrl is called, which then locks IGB. However, this solution fails when the user incorrectly enters the password to the secure quickload as IGBAuthenticator brings up the password panel while checkValidAndSetUrl again locking IGB. The best solution may be to lock everything until the user has entered the password correctly or cancelled out of the password panel, which may require changes to IGBAuthenticator.java in addition to DataProviderManager.java.

An additional option would be to modify checkValidAndSetUrl so that it does not attempt to connect to secure quickloads, and instead assumes that they do not redirect. While not the best solution, it would be a very minor edge case. However, I cannot find a way to determine if a URL is secure using HttpURLConnection. Any call trips the Authenticator and then begins the problems.

An additional option would be to revert the changes to redirect Quickloads until we have updated to Java 11 or greater. Java 11 introduced HttpClient which may help us to determine if the URL requires authentication without connecting, but I am not sure. There are also additional libraries that could be imported such as Apache HttpClient.

Finally, I'm not sure why IGB does not follow redirects by default. According to this post, HttpUrlConnection should follow redirects by default. Is it possible we can force IGB to follow redirects without using checkValidAndSetUrl?

I would like to work on this with Karthik on Tuesday. If we can't figure out a working solution, I would suggest reverting the redirect commits as I would like to prioritize the release.

PR submitted. https://bitbucket.org/lorainelab/integrated-genome-browser/pull-requests/919/igbf-3196-revert-redirect-code-when-data

Would you please take a look at the above PR? It looks like there are four commits - three "merge" commits and the one reversion commit.

It would be brilliant if we could modify this so that the "merge" commits are not there.

attn: Nowlan Freese and Karthik Raveendran

I am working on the above now. My apologies for the delay - I think I can take care of it quickly.

Attn Nowlan Freese and Karthik Raveendran:

I cherry-picked Karthiks reversion commit and stuck it on a new branch aloraine-IGBF-3196, minus the merge commits.

The installers are built and are ready for download at https://bitbucket.org/aloraine/integrated-genome-browser/downloads/.

Would you take a look and let me know if this will work OK?

If yes, I would like to make a PR from aloraine-IGBF-3196 instead of the currently open PR so as to avoid the extraneous merge commits.

[~aloraine] - It looks good to me, I think it should be good to go ahead and merge to master.

At this time we are unable to modify the code such that both redirects and secure Quickloads work correctly. Additional refactoring will need to be done. See the comments above. Most likely we will need to refactor AddDataProvider.java.

OK thanks!

Made PR and am merging it now.

Master branch installers are built. Notarizing the Mac installer now.

Notarized installer master.dmg is uploaded to https://bitbucket.org/lorainelab/integrated-genome-browser/downloads/. Ready for testing.