On 28/06/2012, at 8:09 AM, Daz DeBoer wrote:

> G'day
>
> I've pushed a fix for GRADLE-2191, that I think is a reasonable compromise.
> The issue at heart was that we were aggressively (and incorrectly) using
> pre-emptive HTTP Basic Auth for all repositories that had credentials
> declared. This broke Digest authentication for those repositories.
>
> Removing pre-emptive authentication altogether worked, but meant that when
> publishing to an authenticated repository we would send the jar content
> twice; once to get the 'auth-required' response, and then once again with the
> correct credentials.
>
> I tried a couple of things:
> 1) Write .sha1 files first (small files): this caused issues with
> Artifactory, which requires the artifact to be posted before the checksum
> 2) Using an asynchronous Http Client to catch the Auth-required response
> early, before sending the entire content: Apache AsyncHttpClient is still
> beta, and this would require significant rework to our code.
> 3) Don't use pre-emptive authentication for GET/HEAD requests, since these
> are inherently small requests.
> 4) Doing a GET to prime authentication before a PUT doesn't work for many
> repositories that allow public-read, authenticated-write.
>
> In the end I opted for 3) plus a simple solution borrowed from the Gradle
> Artifactory plugin: send pre-emptive Basic Auth for all requests but handle
> Digest Auth properly when it is requested. This required an upgrade to
> HttpClient 4.2, and means:
> * No GET/HEAD requests contain pre-emptive authentication headers
> * Initial PUT/POST requests will contain Basic Auth headers.
> * If the server requires Basic Auth, then this request will succeed
> * If the server requires Digest Auth, then this request will fail with a
> 401, and we will resend the request with Digest Auth headers

Does this mean we will send the first artefact twice, when you're using digest authentication?

> * After the initial request, subsequent requests to the repository will have
> correct Auth headers
>
> I think this fix is sufficient for now. In the future we may want to look
> again at Apache HttpAsyncClient or even
> https://github.com/sonatype/async-http-client, which is the library used by
> Aether.
>
> --
> Darrell (Daz) DeBoer
> Principal Engineer, Gradleware
> http://www.gradleware.com
>

--
Adam Murdoch
Gradle Co-founder
http://www.gradle.org
VP of Engineering, Gradleware Inc. - Gradle Training, Support, Consulting
http://www.gradleware.com
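
Added example, not part of the original thread and not Gradle or HttpClient code: a toy in-process model of the request policy described in the quoted message, logging each attempt as (method, URI, auth scheme sent, body bytes, status). The credentials, realm, nonce, URIs and the `Server`/`Client`/`publish` names are constructed for illustration, and the Digest computation is simplified (no qop, fixed nonce).

```python
import base64, hashlib

USER, PASSWORD, REALM, NONCE = "deployer", "s3cret", "repo", "n0nce"  # constructed values

def md5(text):
    return hashlib.md5(text.encode()).hexdigest()

def auth_header(scheme, method, uri):
    if scheme == "Basic":  # credentials are only base64-encoded
        return "Basic " + base64.b64encode(f"{USER}:{PASSWORD}".encode()).decode()
    # Simplified RFC 2617 digest (no qop, fixed nonce): MD5(HA1:nonce:HA2)
    ha1, ha2 = md5(f"{USER}:{REALM}:{PASSWORD}"), md5(f"{method}:{uri}")
    return "Digest " + md5(f"{ha1}:{NONCE}:{ha2}")

class Server:
    """Toy repository: public read, authenticated write, one auth scheme."""
    def __init__(self, scheme):
        self.scheme, self.log = scheme, []

    def handle(self, method, uri, auth, body):
        ok = method in ("GET", "HEAD") or auth == auth_header(self.scheme, method, uri)
        status = 200 if ok else 401
        # Record what actually crossed the wire for each attempt.
        self.log.append((method, uri, auth.split()[0] if auth else None, len(body), status))
        return status

class Client:
    """Policy from the message: nothing pre-emptive on GET/HEAD, Basic on the
    first PUT/POST, switch to the challenged scheme after a 401."""
    def __init__(self, server):
        self.server, self.scheme = server, "Basic"

    def request(self, method, uri, body=b""):
        preemptive = method not in ("GET", "HEAD")
        auth = auth_header(self.scheme, method, uri) if preemptive else None
        status = self.server.handle(method, uri, auth, body)
        if status == 401:  # the body was already sent once; resend with the server's scheme
            self.scheme = self.server.scheme  # stands in for parsing WWW-Authenticate
            status = self.server.handle(method, uri, auth_header(self.scheme, method, uri), body)
        return status

def publish(scheme, jar=b"x" * 1000):
    """Upload the jar, then its .sha1 (artifact first, as Artifactory requires)."""
    server = Server(scheme)
    client = Client(server)
    client.request("HEAD", "/lib.jar")
    client.request("PUT", "/lib.jar", jar)
    client.request("PUT", "/lib.jar.sha1", hashlib.sha1(jar).hexdigest().encode())
    return server.log

if __name__ == "__main__":
    for scheme in ("Basic", "Digest"):
        print(scheme, *publish(scheme), sep="\n  ")
```

In this model, a Digest-only server logs the first `PUT` twice (once with a Basic header carrying the base64-encoded password, answered 401, then with Digest), and later uploads go out once.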
