Dnia 1-09-2010 o godz. 0:26 Yoav Landman napisał(a):
This behavior is "by design". Let me explain -When anonymous access is disabled Artifactory always requires users to be authenticated. This is the meaning of the flag, which is checked whenever an unauthenticated request is seen.If an unauthenticated request arrives, the anonymous access flag is on and the resource exists but is not accessible by anonymous - Artifactory will correctly log the request as DENIED, but for security reasons it will not reveal the existence of the resource to the requestor and will send back a 404. This behavior matches the 404 description: "...This status code is commonly used when the server does not wish to reveal exactly why the request has been refused...".The result should be the same for a non-anonymous user that doesn't have privileges to get a resource (if not that's a bug).
Ok, I see some sense it that behavior - to protect knowledge about (non)existing artifacts in a repository.
Like Yossi suggested, it can be resolved on the Maven side by setting preemptive authentication. Maven does not authenticate preemptively when provided with user/password details unless configured to do so (for why and how to configure it, please see: http://maven.apache.org/guides/mini/guide-http-settings.html). The reasons seem to be rooted in mistrusting the user to correctly configure the client and the server - leaving behind unused authentication details or sending authenticated requests to servers that are not configured to secure the authentication details. Other tools (Ivy, curl, wget) will authenticate preemptively when provided with authentication info.
Preemptive authentication should be helpfull and I tried to set it up, but I wasn't able to force my Maven client to send credentials for the first time to given server. Following configuration doesn't work - in Artifactory log I see only one try to download file as anonymous user. Maven 2.2.1, Windows. Maybe you have some idea what could be wrong here?
<server>
<id>repo-id</id>
<username>user</username>
<password>pass</password>
<configuration>
<wagonProvider>httpclient</wagonProvider>
<httpConfiguration>
<put>
<params>
<param>
<name>http.authentication.preemptive</name>
<value>%b,true</value>
</param>
</params>
</put>
</httpConfiguration>
</configuration>
</server>
On the Artifactory side this can be resolved by a global policy of whether or not to reveal the existence of protected resources. For anonymous requests that will result in a 401. Anyway, please follow RTFACT-3479 to check on the progress.
Solution proposed by Yossi should resolved my problem completely. I'm impatiently waiting for a first nightly build with that feature to test it. Thanks guys for your commitment.
Best
Marcin
2010/8/31 Yossi Shaul <[email protected]>
I see what you mean. I think 403 Forbidden will be more appropriate in that
case because access to Artifactory is always authenticated (when anonymous
is enabled the authentication is implicit).
I can't remember if the 404 response is for historical reasons (old maven bug), so I opened
an issue (http://issues.jfrog.org/jira/browse/RTFACT-3479) and will look into it soon.
Back to your problem, your analysis explains why it fails:
You are implicitly logged in as anonymous to Artifactory. Anonymous doesn't have read access
to the requested file and Artifactory sends 404. When maven receives 404 it will never try to send
another request with credentials.
Responding with 401 Unauthorized (+the basic authentication header) will probably solve it,
but again, I'm not sure this is the best solution.
In the mean time you can configure maven to use preemptive authentication, which causes
it to send the credentials without being asked to.
Yossi
2010/8/31 Marcin Zajączkowski <[email protected]>
Dnia 31-08-2010 o godz. 9:22 Yossi Shaul napisał(a):
> Which version of maven you are using? If it's not the latest (2.2.1 or 3I'm using 2.2.1, but I have noticed one more thing. With disabled "allow
beta) please try with one of them.
> Otherwise send your pom and settings to [email protected] and we'll try
to figure out what's wrong.
anonymous access" artifactory return 401 Authorization Required in the
first try and then Maven ask again using credentials [1]. Without
anonymous access enabled Artifactory returns 404 Not Found (even if
artifact is in repository and only anonymous doesn't have access to it -
in access.log there is DOWNLOAD DENIED) and Maven doesn't try again,
what could be a reason.
Maybe Artifactory could return 401 for repository paths which requires
for user to be authenticated?
[1] - (with "allow anonymous access" disabled)
20100831113125|0|REQUEST|10.101.6.191|non_authenticated_user|GET|<<artifact>>|HTTP/1.1|401|0
20100831113127|1656|REQUEST|10.101.6.191|my_user|GET|<<artifact>>|HTTP/1.1|200|348
Marcin
--
Ad...
------------------------------------------------------------------------------ This SF.net Dev2Dev email is sponsored by:
Show off your parallel programming skills. Enter the Intel(R) Threading Challenge 2010. http://p.sf.net/sfu/intel-thread-sfd
_______________________________________________ Artifactory-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/artifactory-users
