#6067 - Upgrade to RDF4J 6.x

- Strip URL-embedded credentials before reaching Apache HttpClient 5 (used by RDF4J 6, which rejects URIs with a userinfo component)
- Sanitize incoming SPARQL URLs in getRemoteConfig(url) — userinfo is stripped at config-creation time and a warning is logged
- Add eager startup migration: walk every REMOTE KB at onContextRefreshed, split any embedded user:pass into a clean URL plus BasicAuthenticationTraits (only when the KB has no explicit auth traits yet), persist via updateKnowledgeBase
- Factor out splitUrlUserInfo helper and refactor applyBasicHttpAuthenticationConfigurationFromUrl to share it as a runtime safety net
- buildSparqlRepository test helper splits userinfo and applies credentials via setUsernameAndPassword so existing test fixtures keep passing URLs with embedded credentials

Author: reckart

inception/inception-kb/src/main/java/de/tudarmstadt/ukp/inception/kb/KnowledgeBaseServiceImpl.java

@@ -18,6 +18,7 @@
 package de.tudarmstadt.ukp.inception.kb;
 
 import static de.tudarmstadt.ukp.inception.kb.RepositoryType.LOCAL;
+import static de.tudarmstadt.ukp.inception.kb.RepositoryType.REMOTE;
 import static de.tudarmstadt.ukp.inception.kb.http.PerThreadSslCheckingHttpClientUtils.restoreSslVerification;
 import static de.tudarmstadt.ukp.inception.kb.http.PerThreadSslCheckingHttpClientUtils.skipCertificateChecks;
 import static de.tudarmstadt.ukp.inception.kb.querybuilder.SPARQLQueryBuilder.DEFAULT_LIMIT;
@@ -273,6 +274,9 @@ void onContextRefreshed()
             if (LOCAL == kb.getType()) {
                 reconfigureLocalKnowledgeBase(kb);
             }
+            else if (REMOTE == kb.getType()) {
+                migrateUrlEmbeddedCredentials(kb);
+            }
         }
 
         if (!orphanedIDs.isEmpty()) {
@@ -700,7 +704,14 @@ public RepositoryImplConfig getNativeConfig()
     @Override
     public RepositoryImplConfig getRemoteConfig(String url)
     {
-        return new SPARQLRepositoryConfig(url);
+        var split = splitUrlUserInfo(url);
+        if (split.userInfo() != null) {
+            LOG.warn(
+                    "URL [{}] contains embedded credentials. Stripping them - configure "
+                            + "authentication via the KB auth-traits UI instead.",
+                    split.cleanUrl());
+        }
+        return new SPARQLRepositoryConfig(split.cleanUrl());
     }
 
     @Override
@@ -833,25 +844,100 @@ private void addAdditionalHeaders(SPARQLRepository aSparqlRepo, Map<String, Stri
     private void applyBasicHttpAuthenticationConfigurationFromUrl(
             SPARQLRepositoryConfig sparqlRepoConfig, SPARQLRepository sparqlRepo)
     {
-        var uri = URI.create(sparqlRepoConfig.getQueryEndpointUrl());
-        var userInfo = uri.getUserInfo();
-        if (isNotBlank(userInfo)) {
-            userInfo = userInfo.trim();
-            String username;
-            String password;
-            if (userInfo.contains(":")) {
-                username = substringBefore(userInfo, ":");
-                password = substringAfter(userInfo, ":");
+        var split = splitUrlUserInfo(sparqlRepoConfig.getQueryEndpointUrl());
+        if (split.user() != null) {
+            sparqlRepo.setUsernameAndPassword(split.user(), split.password());
+        }
+    }
+
+    /**
+     * Migrates URL-embedded credentials ({@code http://user:pass@host/...}) on a REMOTE KB into
+     * {@link BasicAuthenticationTraits} and a cleaned URL. Apache HttpClient 5 (used by RDF4J 6)
+     * rejects URIs with a userinfo component outright, so legacy configs that worked under RDF4J 5
+     * must be normalized before the next connection attempt. Invoked once per KB at startup.
+     */
+    private void migrateUrlEmbeddedCredentials(KnowledgeBase aKB)
+    {
+        try {
+            var cfg = getKnowledgeBaseConfig(aKB);
+            if (!(cfg instanceof SPARQLRepositoryConfig sparqlCfg)) {
+                return;
+            }
+
+            var queryUrl = sparqlCfg.getQueryEndpointUrl();
+            var updateUrl = sparqlCfg.getUpdateEndpointUrl();
+            var querySplit = splitUrlUserInfo(queryUrl);
+            var updateSplit = splitUrlUserInfo(updateUrl);
+
+            if (querySplit.userInfo() == null && updateSplit.userInfo() == null) {
+                return;
+            }
+
+            var newCfg = updateUrl == null //
+                    ? new SPARQLRepositoryConfig(querySplit.cleanUrl()) //
+                    : new SPARQLRepositoryConfig(querySplit.cleanUrl(), updateSplit.cleanUrl());
+
+            // Prefer the query URL's credentials; fall back to the update URL's.
+            var credSource = querySplit.user() != null ? querySplit : updateSplit;
+
+            var traits = isNotBlank(aKB.getTraits()) ? readTraits(aKB) : null;
+            if (traits == null) {
+                traits = new RemoteRepositoryTraits();
+            }
+            var hadAuth = traits.getAuthentication() != null;
+            if (!hadAuth && credSource.user() != null) {
+                var basic = new BasicAuthenticationTraits();
+                basic.setUsername(credSource.user());
+                basic.setPassword(credSource.password());
+                traits.setAuthentication(basic);
+                aKB.setTraits(JSONUtil.toJsonString(traits));
+            }
+
+            updateKnowledgeBase(aKB, newCfg);
+
+            if (hadAuth) {
+                LOG.info(
+                        "Migrated KB [{}]: stripped URL-embedded credentials "
+                                + "(KB already had explicit auth traits configured).",
+                        aKB.getName());
             }
             else {
-                username = userInfo;
-                password = "";
+                LOG.info("Migrated KB [{}]: moved URL-embedded credentials into "
+                        + "basic-auth traits.", aKB.getName());
             }
+        }
+        catch (Exception e) {
+            LOG.error(
+                    "Unable to migrate URL-embedded credentials for KB [{}]. "
+                            + "Remote connections may fail until the URL is corrected manually.",
+                    aKB.getName(), e);
+        }
+    }
 
-            sparqlRepo.setUsernameAndPassword(username, password);
+    /**
+     * Parses a URL, returning the userinfo (or {@code null}) and the URL with the userinfo
+     * stripped. Returns {@code (cleanUrl=null, user=null, password=null, userInfo=null)} for a
+     * {@code null} input URL.
+     */
+    private static UrlUserInfo splitUrlUserInfo(String aUrl)
+    {
+        if (aUrl == null) {
+            return new UrlUserInfo(null, null, null, null);
         }
+        var uri = URI.create(aUrl);
+        var userInfo = uri.getUserInfo();
+        if (!isNotBlank(userInfo)) {
+            return new UrlUserInfo(aUrl, null, null, null);
+        }
+        userInfo = userInfo.trim();
+        var user = userInfo.contains(":") ? substringBefore(userInfo, ":") : userInfo;
+        var password = userInfo.contains(":") ? substringAfter(userInfo, ":") : "";
+        var cleanUrl = aUrl.replace(uri.getRawUserInfo() + "@", "");
+        return new UrlUserInfo(cleanUrl, user, password, userInfo);
     }
 
+    private record UrlUserInfo(String cleanUrl, String user, String password, String userInfo) {}
+
     @SuppressWarnings("resource")
     @Override
     public void importData(KnowledgeBase kb, String aFilename, InputStream aIS)

inception/inception-kb/src/test/java/de/tudarmstadt/ukp/inception/kb/querybuilder/SPARQLQueryBuilderLocalTestScenarios.java

@@ -38,6 +38,7 @@
 import java.io.InputStream;
 import java.lang.invoke.MethodHandles;
 import java.lang.reflect.Method;
+import java.net.URI;
 import java.util.List;
 import java.util.Map;
 import java.util.Set;
@@ -367,7 +368,9 @@ public Scenario(String aName,
 
     static Repository buildSparqlRepository(String aUrl)
     {
-        var repo = new SPARQLRepository(aUrl);
+        var creds = extractCredentials(aUrl);
+        var repo = new SPARQLRepository(creds.urlWithoutUserInfo());
+        applyCredentials(repo, creds);
         repo.setHttpClient(newPerThreadSslCheckingHttpClient());
         repo.setAdditionalHttpHeaders(Map.of("User-Agent", "INCEpTION/0.0.1-SNAPSHOT"));
         repo.init();
@@ -376,13 +379,42 @@ static Repository buildSparqlRepository(String aUrl)
 
     static Repository buildSparqlRepository(String aQueryUrl, String aUpdateUrl)
     {
-        var repo = new SPARQLRepository(aQueryUrl, aUpdateUrl);
+        var queryCreds = extractCredentials(aQueryUrl);
+        var updateCreds = extractCredentials(aUpdateUrl);
+        var repo = new SPARQLRepository(queryCreds.urlWithoutUserInfo(),
+                updateCreds.urlWithoutUserInfo());
+        applyCredentials(repo, queryCreds);
         repo.setHttpClient(newPerThreadSslCheckingHttpClient());
         repo.setAdditionalHttpHeaders(Map.of("User-Agent", "INCEpTION/0.0.1-SNAPSHOT"));
         repo.init();
         return repo;
     }
 
+    private record UrlCredentials(String urlWithoutUserInfo, String user, String password) {}
+
+    // Apache HttpClient 5 (used by RDF4J 6's default HTTP client) rejects URIs with a userinfo
+    // component. Split user:pass@ out of the URL and pass it via setUsernameAndPassword instead.
+    private static UrlCredentials extractCredentials(String aUrl)
+    {
+        var uri = URI.create(aUrl);
+        var userInfo = uri.getRawUserInfo();
+        if (userInfo == null) {
+            return new UrlCredentials(aUrl, null, null);
+        }
+        var sep = userInfo.indexOf(':');
+        var user = sep < 0 ? userInfo : userInfo.substring(0, sep);
+        var password = sep < 0 ? "" : userInfo.substring(sep + 1);
+        var stripped = aUrl.replace(userInfo + "@", "");
+        return new UrlCredentials(stripped, user, password);
+    }
+
+    private static void applyCredentials(SPARQLRepository aRepo, UrlCredentials aCreds)
+    {
+        if (aCreds.user() != null) {
+            aRepo.setUsernameAndPassword(aCreds.user(), aCreds.password());
+        }
+    }
+
     /**
      * Checks that {@code SPARQLQueryBuilder#exists(RepositoryConnection, boolean)} can return
      * {@code true} by querying for a list of all classes in {@link #DATA_CLASS_RDFS_HIERARCHY}