Our Identity Providers download the file attribute-filter.xml from a remote web server using the following configuration:
-----------------------8<-----------------------------
<srv:Service id="shibboleth.AttributeFilterEngine"
             xsi:type="attribute-afp:ShibbolethAttributeFilteringEngine"
             configurationResourcePollingFrequency="PT1H"
             configurationResourcePollingRetryAttempts="128">
    <!-- RR-provided filters -->
    <srv:ConfigurationResource xsi:type="resource:FileBackedHttpResource"
        url="https://example.ch/switchaai/switch.ch/attribute-filter.xml"
        file="/opt/shibboleth-idp/conf/attribute-filter.xml"/>
    <!-- Locally managed attribute filters -->
    <srv:ConfigurationResource xsi:type="resource:FilesystemResource"
        file="/opt/shibboleth-idp/conf/local-attribute-filter.xml"/>
</srv:Service>
-----------------------8<-----------------------------
This configuration should make the IdP download the attribute-filter.xml from the remote host every hour (PT1H).
When querying the URL https://example.ch/switchaai/switch.ch/attribute-filter.xml the client gets a response like:
-----------------------8<-----------------------------
HTTP/1.1 200 OK
Date: Wed, 27 Aug 2014 08:13:17 GMT
Server: Apache
X-Powered-By: PHP/5.4.4-14+deb7u11
Content-Disposition: inline; filename="attribute-filter.xml"
Last-Modified: Wed, 27 Aug 2014 08:13:18 GMT
Etag: 9d2317fbb798412d03ae2f647014a870
Transfer-Encoding: chunked
Content-Type: text/xml
-----------------------8<-----------------------------
So, the server implements ETags and the Last-Modified header.
However, what we see in our logs is this:
130.59.10.101 - - [25/Aug/2014:01:24:49 +0200] "HEAD /switchaai/switch.ch/attribute-filter.xml HTTP/1.1" 200 -
130.59.10.101 - - [25/Aug/2014:01:24:50 +0200] "HEAD /switchaai/switch.ch/attribute-filter.xml HTTP/1.1" 200 -
130.59.10.101 - - [25/Aug/2014:02:24:49 +0200] "HEAD /switchaai/switch.ch/attribute-filter.xml HTTP/1.1" 200 -
130.59.10.101 - - [25/Aug/2014:02:24:50 +0200] "HEAD /switchaai/switch.ch/attribute-filter.xml HTTP/1.1" 200 -
130.59.10.101 - - [25/Aug/2014:02:24:51 +0200] "HEAD /switchaai/switch.ch/attribute-filter.xml HTTP/1.1" 200 -
130.59.10.101 - - [25/Aug/2014:02:24:51 +0200] "GET /switchaai/switch.ch/attribute-filter.xml HTTP/1.1" 200 706116
130.59.10.101 - - [25/Aug/2014:02:25:26 +0200] "HEAD /switchaai/switch.ch/attribute-filter.xml HTTP/1.1" 200 -
130.59.10.101 - - [25/Aug/2014:03:24:49 +0200] "HEAD /switchaai/switch.ch/attribute-filter.xml HTTP/1.1" 200 -
130.59.10.101 - - [25/Aug/2014:03:24:50 +0200] "HEAD /switchaai/switch.ch/attribute-filter.xml HTTP/1.1" 200 -
130.59.10.101 - - [25/Aug/2014:04:24:49 +0200] "HEAD /switchaai/switch.ch/attribute-filter.xml HTTP/1.1" 200 -
130.59.10.101 - - [25/Aug/2014:04:24:50 +0200] "HEAD /switchaai/switch.ch/attribute-filter.xml HTTP/1.1" 200 -
What is strange is that there are two HTTP HEAD requests about every hour. This does not make much sense to me because one HEAD request should be sufficient to find out if the file changed. Even at 2:24 if a change is detected, there is another (useless) HEAD request before the actual GET request to download the new file.
I noticed that this is the case at least since IdP 2.1.1. It seems that this behaviour is related to the fact that there are two ConfigurationResources defined. For IdPs that only download the attribute-filter.xml remotely but do not have a local file configured, this is not the case.
Could this be a bug or did I overlook a detail that would explain this behaviour?
PS: In Jira, 2.4.1 is still in the category "Unreleased versions" 🙂
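
An added example, not part of the original report and not Shibboleth code: a short Python script that groups the access-log lines quoted above into polling runs and counts HEAD and GET requests per run, so the duplicate-HEAD pattern can be checked against other IdPs' logs. The 5-minute grouping window and all function names are assumptions.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Access-log lines copied from the report above (first two polling runs).
SAMPLE_LOG = """\
130.59.10.101 - - [25/Aug/2014:01:24:49 +0200] "HEAD /switchaai/switch.ch/attribute-filter.xml HTTP/1.1" 200 -
130.59.10.101 - - [25/Aug/2014:01:24:50 +0200] "HEAD /switchaai/switch.ch/attribute-filter.xml HTTP/1.1" 200 -
130.59.10.101 - - [25/Aug/2014:02:24:49 +0200] "HEAD /switchaai/switch.ch/attribute-filter.xml HTTP/1.1" 200 -
130.59.10.101 - - [25/Aug/2014:02:24:50 +0200] "HEAD /switchaai/switch.ch/attribute-filter.xml HTTP/1.1" 200 -
130.59.10.101 - - [25/Aug/2014:02:24:51 +0200] "HEAD /switchaai/switch.ch/attribute-filter.xml HTTP/1.1" 200 -
130.59.10.101 - - [25/Aug/2014:02:24:51 +0200] "GET /switchaai/switch.ch/attribute-filter.xml HTTP/1.1" 200 706116
130.59.10.101 - - [25/Aug/2014:02:25:26 +0200] "HEAD /switchaai/switch.ch/attribute-filter.xml HTTP/1.1" 200 -
"""

LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" \d{3} \S+$', re.MULTILINE
)

def parse(log_text):
    """Yield (client, path, time, method) for each common-log-format line."""
    for m in LINE_RE.finditer(log_text):
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        yield m["client"], m["path"], ts, m["method"]

def poll_cycles(log_text, max_gap=timedelta(minutes=5)):
    """Group requests per (client, path) into runs; max_gap is an assumed window."""
    cycles, last_seen = [], {}
    for client, path, ts, method in sorted(parse(log_text), key=lambda r: r[2]):
        key = (client, path)
        prev = last_seen.get(key)  # (last timestamp, cycle dict) or None
        if prev is None or ts - prev[0] > max_gap:
            cycle = {"client": client, "path": path, "start": ts, "methods": Counter()}
            cycles.append(cycle)
        else:
            cycle = prev[1]
        cycle["methods"][method] += 1
        last_seen[key] = (ts, cycle)
    return cycles

def extra_heads(cycle):
    """HEAD requests beyond the single one the report expects per poll."""
    return max(cycle["methods"]["HEAD"] - 1, 0)

if __name__ == "__main__":
    for c in poll_cycles(SAMPLE_LOG):
        print(c["start"].strftime("%H:%M:%S"), dict(c["methods"]), "extra HEAD:", extra_heads(c))
```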