[jira] [Commented] (WAGON-538) Basic authentication fails if the password contains non-ascii characters

Mon, 12 Nov 2018 11:22:10 -0800 


    [ 
https://issues.apache.org/jira/browse/WAGON-538?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16684272#comment-16684272
 ] 

Aleksander Gjermundsen commented on WAGON-538:
----------------------------------------------

I tried to enable more logging 
(https://support.sonatype.com/hc/en-us/articles/213464088-Configuring-Maven-HTTP-Wagon-Detailed-Logging)
 and this is an extract of the output (used Apache HttpClient as an example 
project):
{code}
1740 [main] [DEBUG] 
org.apache.maven.wagon.providers.http.httpclient.impl.auth.HttpAuthenticator - 
Authentication required
1740 [main] [DEBUG] 
org.apache.maven.wagon.providers.http.httpclient.impl.auth.HttpAuthenticator - 
localhost:8081 requested authentication
1740 [main] [DEBUG] 
org.apache.maven.wagon.providers.http.httpclient.impl.client.TargetAuthenticationStrategy
 - Authentication schemes in the order of preference: [Negotiate, Kerberos, 
NTLM, CredSSP, Digest, Basic]
1741 [main] [DEBUG] 
org.apache.maven.wagon.providers.http.httpclient.impl.client.TargetAuthenticationStrategy
 - Challenge for Negotiate authentication scheme not available
1741 [main] [DEBUG] 
org.apache.maven.wagon.providers.http.httpclient.impl.client.TargetAuthenticationStrategy
 - Challenge for Kerberos authentication scheme not available
1741 [main] [DEBUG] 
org.apache.maven.wagon.providers.http.httpclient.impl.client.TargetAuthenticationStrategy
 - Challenge for NTLM authentication scheme not available
1742 [main] [DEBUG] 
org.apache.maven.wagon.providers.http.httpclient.impl.client.TargetAuthenticationStrategy
 - Challenge for CredSSP authentication scheme not available
1742 [main] [DEBUG] 
org.apache.maven.wagon.providers.http.httpclient.impl.client.TargetAuthenticationStrategy
 - Challenge for Digest authentication scheme not available
1748 [main] [DEBUG] 
org.apache.maven.wagon.providers.http.httpclient.impl.auth.HttpAuthenticator - 
Selected authentication options: [BASIC [complete=true]]
1749 [main] [DEBUG] 
org.apache.maven.wagon.providers.http.httpclient.impl.conn.DefaultManagedHttpClientConnection
 - http-outgoing-0: set socket timeout to 1800000
1749 [main] [DEBUG] 
org.apache.maven.wagon.providers.http.httpclient.impl.execchain.MainClientExec 
- Executing request HEAD 
/repository/maven-public/org/apache/httpcomponents/httpcomponents-parent/11/httpcomponents-parent-11.pom
 HTTP/1.1
1750 [main] [DEBUG] 
org.apache.maven.wagon.providers.http.httpclient.impl.execchain.MainClientExec 
- Target auth state: CHALLENGED
1750 [main] [DEBUG] 
org.apache.maven.wagon.providers.http.httpclient.impl.auth.HttpAuthenticator - 
Generating response to an authentication challenge using basic scheme
1754 [main] [DEBUG] 
org.apache.maven.wagon.providers.http.httpclient.impl.execchain.MainClientExec 
- Proxy auth state: UNCHALLENGED
1755 [main] [DEBUG] org.apache.maven.wagon.providers.http.httpclient.headers - 
http-outgoing-0 >> HEAD 
/repository/maven-public/org/apache/httpcomponents/httpcomponents-parent/11/httpcomponents-parent-11.pom
 HTTP/1.1
1756 [main] [DEBUG] org.apache.maven.wagon.providers.http.httpclient.headers - 
http-outgoing-0 >> Cache-control: no-cache
1756 [main] [DEBUG] org.apache.maven.wagon.providers.http.httpclient.headers - 
http-outgoing-0 >> Cache-store: no-store
1757 [main] [DEBUG] org.apache.maven.wagon.providers.http.httpclient.headers - 
http-outgoing-0 >> Pragma: no-cache
1757 [main] [DEBUG] org.apache.maven.wagon.providers.http.httpclient.headers - 
http-outgoing-0 >> User-Agent: Apache-Maven/3.6.1-SNAPSHOT (Java 1.8.0_192; 
Linux 4.19.1-1-MANJARO)
1758 [main] [DEBUG] org.apache.maven.wagon.providers.http.httpclient.headers - 
http-outgoing-0 >> Host: localhost:8081
1759 [main] [DEBUG] org.apache.maven.wagon.providers.http.httpclient.headers - 
http-outgoing-0 >> Connection: Keep-Alive
1759 [main] [DEBUG] org.apache.maven.wagon.providers.http.httpclient.headers - 
http-outgoing-0 >> Accept-Encoding: gzip,deflate
1760 [main] [DEBUG] org.apache.maven.wagon.providers.http.httpclient.headers - 
http-outgoing-0 >> Authorization: Basic dXNlcj86dXNlcj8=
1760 [main] [DEBUG] org.apache.maven.wagon.providers.http.httpclient.wire - 
http-outgoing-0 >> "HEAD 
/repository/maven-public/org/apache/httpcomponents/httpcomponents-parent/11/httpcomponents-parent-11.pom
 HTTP/1.1[\r][\n]"
1761 [main] [DEBUG] org.apache.maven.wagon.providers.http.httpclient.wire - 
http-outgoing-0 >> "Cache-control: no-cache[\r][\n]"
1761 [main] [DEBUG] org.apache.maven.wagon.providers.http.httpclient.wire - 
http-outgoing-0 >> "Cache-store: no-store[\r][\n]"
1762 [main] [DEBUG] org.apache.maven.wagon.providers.http.httpclient.wire - 
http-outgoing-0 >> "Pragma: no-cache[\r][\n]"
1762 [main] [DEBUG] org.apache.maven.wagon.providers.http.httpclient.wire - 
http-outgoing-0 >> "User-Agent: Apache-Maven/3.6.1-SNAPSHOT (Java 1.8.0_192; 
Linux 4.19.1-1-MANJARO)[\r][\n]"
1763 [main] [DEBUG] org.apache.maven.wagon.providers.http.httpclient.wire - 
http-outgoing-0 >> "Host: localhost:8081[\r][\n]"
1763 [main] [DEBUG] org.apache.maven.wagon.providers.http.httpclient.wire - 
http-outgoing-0 >> "Connection: Keep-Alive[\r][\n]"
1763 [main] [DEBUG] org.apache.maven.wagon.providers.http.httpclient.wire - 
http-outgoing-0 >> "Accept-Encoding: gzip,deflate[\r][\n]"
1764 [main] [DEBUG] org.apache.maven.wagon.providers.http.httpclient.wire - 
http-outgoing-0 >> "Authorization: Basic dXNlcj86dXNlcj8=[\r][\n]"
1764 [main] [DEBUG] org.apache.maven.wagon.providers.http.httpclient.wire - 
http-outgoing-0 >> "[\r][\n]"
1769 [main] [DEBUG] org.apache.maven.wagon.providers.http.httpclient.wire - 
http-outgoing-0 << "HTTP/1.1 401 Unauthorized[\r][\n]"
1770 [main] [DEBUG] org.apache.maven.wagon.providers.http.httpclient.wire - 
http-outgoing-0 << "Date: Mon, 12 Nov 2018 19:07:00 GMT[\r][\n]"
1770 [main] [DEBUG] org.apache.maven.wagon.providers.http.httpclient.wire - 
http-outgoing-0 << "Server: Nexus/3.14.0-04 (OSS)[\r][\n]"
1770 [main] [DEBUG] org.apache.maven.wagon.providers.http.httpclient.wire - 
http-outgoing-0 << "X-Content-Type-Options: nosniff[\r][\n]"
1770 [main] [DEBUG] org.apache.maven.wagon.providers.http.httpclient.wire - 
http-outgoing-0 << "WWW-Authenticate: BASIC realm="Sonatype Nexus Repository 
Manager"[\r][\n]"
1771 [main] [DEBUG] org.apache.maven.wagon.providers.http.httpclient.wire - 
http-outgoing-0 << "Content-Length: 0[\r][\n]"
1771 [main] [DEBUG] org.apache.maven.wagon.providers.http.httpclient.wire - 
http-outgoing-0 << "[\r][\n]"
1771 [main] [DEBUG] org.apache.maven.wagon.providers.http.httpclient.headers - 
http-outgoing-0 << HTTP/1.1 401 Unauthorized
1772 [main] [DEBUG] org.apache.maven.wagon.providers.http.httpclient.headers - 
http-outgoing-0 << Date: Mon, 12 Nov 2018 19:07:00 GMT
1772 [main] [DEBUG] org.apache.maven.wagon.providers.http.httpclient.headers - 
http-outgoing-0 << Server: Nexus/3.14.0-04 (OSS)
1772 [main] [DEBUG] org.apache.maven.wagon.providers.http.httpclient.headers - 
http-outgoing-0 << X-Content-Type-Options: nosniff
1773 [main] [DEBUG] org.apache.maven.wagon.providers.http.httpclient.headers - 
http-outgoing-0 << WWW-Authenticate: BASIC realm="Sonatype Nexus Repository 
Manager"
1773 [main] [DEBUG] org.apache.maven.wagon.providers.http.httpclient.headers - 
http-outgoing-0 << Content-Length: 0
1773 [main] [DEBUG] 
org.apache.maven.wagon.providers.http.httpclient.impl.execchain.MainClientExec 
- Connection can be kept alive indefinitely
1774 [main] [DEBUG] 
org.apache.maven.wagon.providers.http.httpclient.impl.auth.HttpAuthenticator - 
Authentication required
1774 [main] [DEBUG] 
org.apache.maven.wagon.providers.http.httpclient.impl.auth.HttpAuthenticator - 
localhost:8081 requested authentication
1774 [main] [DEBUG] 
org.apache.maven.wagon.providers.http.httpclient.impl.auth.HttpAuthenticator - 
Authorization challenge processed
1774 [main] [DEBUG] 
org.apache.maven.wagon.providers.http.httpclient.impl.auth.HttpAuthenticator - 
Authentication failed
1775 [main] [DEBUG] 
org.apache.maven.wagon.providers.http.httpclient.impl.client.TargetAuthenticationStrategy
 - Clearing cached auth scheme for http://localhost:8081
1775 [main] [DEBUG] 
org.apache.maven.wagon.providers.http.httpclient.impl.conn.PoolingHttpClientConnectionManager
 - Connection [id: 0][route: {}->http://localhost:8081] can be kept alive 
indefinitely
1776 [main] [DEBUG] 
org.apache.maven.wagon.providers.http.httpclient.impl.conn.DefaultManagedHttpClientConnection
 - http-outgoing-0: set socket timeout to 0
1776 [main] [DEBUG] 
org.apache.maven.wagon.providers.http.httpclient.impl.conn.PoolingHttpClientConnectionManager
 - Connection released: [id: 0][route: {}->http://localhost:8081][total kept 
alive: 1; route allocated: 1 of 20; total allocated: 1 of 40]
...
1787 [main] [ERROR] org.apache.maven.DefaultMaven - [ERROR] Some problems were 
encountered while processing the POMs:
[FATAL] Non-resolvable parent POM for 
org.apache.httpcomponents:httpcomponents-client:4.5.7-SNAPSHOT: Could not 
transfer artifact org.apache.httpcomponents:httpcomponents-parent:pom:11 
from/to nexus (http://localhost:8081/repository/maven-public): Not authorized 
and 'parent.relativePath' points at wrong local POM @ line 27, column 11
{code}

The value of the authorization header: "Basic dXNlcj86dXNlcj8=". This decodes 
to "user?:user?". I tried to setup remote debugging in IntelliJ against 
mvnDebug, but was not able to get it to stop at the breakpoints in the Wagon 
project. Will try again later in the week.

> Basic authentication fails if the password contains non-ascii characters
> ------------------------------------------------------------------------
>
>                 Key: WAGON-538
>                 URL: https://issues.apache.org/jira/browse/WAGON-538
>             Project: Maven Wagon
>          Issue Type: Bug
>            Reporter: Aleksander Gjermundsen
>            Priority: Major
>
> If the username and/or password used to authenticate to Nexus contains 
> non-ascii characters, the authentication fails with an access denied error. 
> After using Wireshark to investigate the headers being sent (in my case "Ø", 
> any non-ascii characters are replaced with "?".
> To test, I have used the following configuration:
> {code:java}
> <settings xmlns="http://maven.apache.org/SETTINGS/1.0.0";
>  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";
>  xsi:schemaLocation="http://maven.apache.org/SETTINGS/1.0.0 
> http://maven.apache.org/xsd/settings-1.0.0.xsd";>
> ...
>     <servers>
>         <server>
>             <id>artifactory</id>
>             <username>userØ</username>
>             <password>userØ</password>
>         </server>
>     </servers>
>     ...
>     <mirrors>
>         <mirror>
>             <id>nexus</id>
>             <mirrorOf>*</mirrorOf>
>             <name>Local Nexus</name>
>             <url>http://localhost:8081/repository/maven-public</url>
>         </mirror>
>     </mirrors>
> ...
> </settings>{code}
> The settings.xml file is saved using UTF-8 encoding and it appears that Maven 
> reads the username and passwords correctly into strings, but Apache 
> HttpClient do not encode the UTF-8 characters when encoding them into base64.
> I did a quick patch of Wagon to make it work for my use case, where 
> HttpClient is configured to encode as UTF-8. As is mentioned in MNG-5917, it 
> is not completely clear from the standards how these characters are supposed 
> to be handled, but on my system both wget and the Chrome web browser encode 
> the characters the same way as after my patch and are able to download files 
> from Nexus.
> Since Artifactory was used in MNG-5917, I also tested against that, but in 
> contrast to Maven it was not able to decode the username and password 
> correctly, however it would be broken without the patch anyway.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

Reply via email to