[gradle-dev] Fix for GRADLE-2191: Http Digest Authentication

Wed, 27 Jun 2012 13:09:41 -0700 

G'day

I've pushed a fix for GRADLE-2191, that I think is a reasonable compromise.
The issue at heart was that we were aggressively (and incorrectly) using
pre-emptive HTTP Basic Auth for all repositories that had credentials
declared. This broke Digest authentication for those repositories.

Removing pre-emptive authentication altogether worked, but meant that when
publishing to an authenticated repository we would send the jar content
twice; once to get the 'auth-required' response, and then once again with
the correct credentials.

I tried a couple of things:
1) Write .sha1 files first (small files): this caused issues with
Artifactory, which requires the artifact to be posted before the checksum
2) Using an asynchronous Http Client to catch the Auth-required response
early, before sending the entire content: Apache AsyncHttpClient is still
beta, and this would require significant rework to our code.
3) Don't use pre-emptive authentication for GET/HEAD requests, since these
are inherently small requests.
4) Doing a GET to prime authentication before a PUT doesn't work for many
repository that allow public-read, authenticated-write.

In the end I opted for 3) plus a simple solution borrowed from the Gradle
Artifactory plugin: send pre-emptive Basic Auth for all requests but handle
Digest Auth properly when it is requested. This required an upgrade to
HttpClient 4.2, and means:
* No GET/HEAD requests contain pre-emptive authentication headers
* Initial PUT/POST requests will contain  Basic Auth headers.
    * If the server requires Basic Auth, then this request will succeed
    * If the server requires Digest Auth, then this request will fail with
a 401, and we will resend the request with Digest Auth headers
* After the initial request, subsequent requests to the repository will
have correct Auth headers

I think this fix is sufficient for now. In the future we may want to look
again at Apache HttpAsyncClient or even
https://github.com/sonatype/async-http-client, which is the library used by
Aether.

-- 
Darrell (Daz) DeBoer
Principal Engineer, Gradleware
http://www.gradleware.com

Reply via email to