[
https://issues.apache.org/jira/browse/MNG-6614?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Hervé Boutemy updated MNG-6614:
-------------------------------
Description:
When the Maven client tries to get the POM from a private repository and that
repository gives a 303 response to see other location, the client keeps the
same authorization header in the subsequent redirect. There should be a way to
remove that authorization header because there is no need to keep that.
Some calls even fail because that auth header is not valid for the subsequent
request. Some storage services like Azure blob hard fail because they don't
expect any auth header.
{noformat}GET <Redirected_location>
Cache-control: no-cache
Cache-store: no-store
Pragma: no-cache
Expires: 0
Accept-Encoding: gzip
Authorization: Basic <redacted>
Host: <different host than private repo>
Connection: Keep-Alive
User-Agent: Apache-HttpClient/4.5.2 (Java/1.8.0_72){noformat}
was:
When the maven client tries to get the POM from a private repository and that
repository gives a 303 response to see other location, the client keeps the
same authorization header in the subsequent redirect. There should be a way to
remove that authorization header because there is no need to keep that.
Some calls even fail because that auth header is not valid for the subsequent
request. Some storage services like Azure blob hard fail because they don't
expect any auth header.
GET <Redirected_location>
Cache-control: no-cache
Cache-store: no-store
Pragma: no-cache
Expires: 0
Accept-Encoding: gzip
Authorization: Basic <redacted>
Host: <different host than private repo>
Connection: Keep-Alive
User-Agent: Apache-HttpClient/4.5.2 (Java/1.8.0_72)
> Maven 3.5 client fails to remove the authorization header on 303 redirect
> -------------------------------------------------------------------------
>
> Key: MNG-6614
> URL: https://issues.apache.org/jira/browse/MNG-6614
> Project: Maven
> Issue Type: Bug
> Components: Artifacts and Repositories
> Affects Versions: 3.5.0
> Environment: Windows JDK8u141
> Reporter: Shubham Bhawsinka
> Priority: Major
>
> When the Maven client tries to get the POM from a private repository and that
> repository gives a 303 response to see other location, the client keeps the
> same authorization header in the subsequent redirect. There should be a way
> to remove that authorization header because there is no need to keep that.
> Some calls even fail because that auth header is not valid for the subsequent
> request. Some storage services like Azure blob hard fail because they don't
> expect any auth header.
> {noformat}GET <Redirected_location>
> Cache-control: no-cache
> Cache-store: no-store
> Pragma: no-cache
> Expires: 0
> Accept-Encoding: gzip
> Authorization: Basic <redacted>
> Host: <different host than private repo>
> Connection: Keep-Alive
> User-Agent: Apache-HttpClient/4.5.2 (Java/1.8.0_72){noformat}
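The behaviour the report asks for, sketched as an added example that is not part of the issue and is not Maven or HttpClient code: keep the Authorization header only when the redirect target has the same scheme, host and port as the original request. The class name, method names and example.test hosts are hypothetical, and the sample request is constructed.

```java
import java.net.URI;
import java.util.LinkedHashMap;
import java.util.Locale;
import java.util.Map;

/** Added illustration (hypothetical class, not Maven or HttpClient code). */
public class RedirectAuthFilter {

    /** Effective port: the explicit port, or the scheme default when absent. */
    static int port(URI u) {
        if (u.getPort() != -1) return u.getPort();
        return "https".equalsIgnoreCase(u.getScheme()) ? 443 : 80;
    }

    /** Same origin = same scheme, host (case-insensitive) and effective port. */
    static boolean sameOrigin(URI a, URI b) {
        return a.getScheme() != null && a.getScheme().equalsIgnoreCase(b.getScheme())
            && a.getHost() != null && a.getHost().equalsIgnoreCase(b.getHost())
            && port(a) == port(b);
    }

    /** Headers to send to the redirect target; Authorization is dropped cross-origin. */
    static Map<String, String> headersForRedirect(URI original, String location,
                                                  Map<String, String> sent) {
        URI target = original.resolve(location);   // Location may be relative
        Map<String, String> next = new LinkedHashMap<>(sent);
        if (!sameOrigin(original, target)) {
            next.keySet().removeIf(h -> h.toLowerCase(Locale.ROOT).equals("authorization"));
        }
        return next;
    }

    public static void main(String[] args) {
        // Constructed sample: hosts and credential are placeholders.
        URI repo = URI.create("https://repo.example.test/maven/com/acme/app/1.0/app-1.0.pom");
        Map<String, String> sent = new LinkedHashMap<>();
        sent.put("Accept-Encoding", "gzip");
        sent.put("Authorization", "Basic <redacted>");

        // 303 to a different host (such as blob storage): the credential does not follow.
        System.out.println(headersForRedirect(repo, "https://blobs.example.test/app-1.0.pom?sig=x", sent));
        // 303 to a relative path on the same origin: the credential is kept.
        System.out.println(headersForRedirect(repo, "/mirror/app-1.0.pom", sent));
    }
}
```

Comparing the effective port as well as the host means a redirect from https to http on the same host also drops the credential, so a Basic header is never replayed over cleartext.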