[jira] [Commented] (WAGON-590) Maven 3.5.0+ doesn't seem to send credentials after 301/302 HTTP redirect
[
https://issues.apache.org/jira/browse/WAGON-590?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17243912#comment-17243912
]
IG commented on WAGON-590:
--
Done.
https://github.com/apache/maven-site/pull/217
> Maven 3.5.0+ doesn't seem to send credentials after 301/302 HTTP redirect
> -
>
> Key: WAGON-590
> URL: https://issues.apache.org/jira/browse/WAGON-590
> Project: Maven Wagon
> Issue Type: Bug
>Affects Versions: 3.4.0
>Reporter: Cintia DR
>Priority: Major
> Fix For: waiting-for-feedback
>
> Attachments: 0001-conditonally-set-AuthScope-to-any.patch, Screen
> Shot 2020-04-28 at 7.45.33 pm.png, any-auth.log,
> expect-continue-done-right-any-auth.log, master_osx.log, master_ubuntu.log,
> maven_x.log, mvn-master-batch.log, mvn-wagon590branch-debug-osx.log,
> mvn-wagon590branch-osx.log, mvn339_osx.log, mvn339_ubuntu.log, scoped-auth.log
>
>
> Since maven 3.5.0 (including 3.6.3), maven seems to not send server
> credentials if distributionManagement server response was a 301 or 302 HTTP
> redirect. Note that the redirect is followed, but I receive unauthorised code.
> Maven 3.2.5 and 3.3.9 work as expected. I could reproduce it on ubuntu and
> OSX. Both are JDK 8, not sure if it could make any difference.
>
> All maven versions (including 3.2.5 and 3.3.9) are using the same version of
> the deploy plugin (2.7), and upgrading it made no difference whatsoever.
>
> If I use '[https://openmrs.jfrog.io/artifactory/snapshots/'] as my
> 'distributionManagement', credentials are sent.
> If I use
> '[https://mavenrepo.openmrs.org/proxy/snapshots/|https://mavenrepo.openmrs.org/snapshots/']'
> (a reverse proxy to
> '[https://openmrs.jfrog.io/artifactory/snapshots/|https://openmrs.jfrog.io/artifactory/snapshots/']')
> credentials are sent.
> If I use '[https://mavenrepo.openmrs.org/snapshots/'] (a 301 redirect to
> [https://openmrs.jfrog.io/artifactory/snapshots/|https://openmrs.jfrog.io/artifactory/snapshots/'])
> as my distributionManagement, credentials are _not_ sent and the request
> fails as it's unauthenticated.
>
> You can see the configuration of 'mavenrepo.openmrs.org' server here:
> [https://github.com/openmrs/openmrs-contrib-itsmresources/blob/master/ansible/host_vars/campo.openmrs.org/vars#L33]
>
> All my artefacts are public to download, so I don't have a way to testing
> downloading artefacts with server credentials.
>
>
> This is how the output looks like in maven 3.6.3:
> {code:java}
>
> [INFO] --- maven-deploy-plugin:2.7:deploy (default-deploy) @
> releasetestmodule ---
> Downloading from openmrs-repo-snapshots:
> https://mavenrepo.openmrs.org/nexus/content/repositories/snapshots/org/openmrs/module/releasetestmodule/2.1.22-SNAPSHOT/maven-metadata.xml
> Downloaded from openmrs-repo-snapshots:
> https://mavenrepo.openmrs.org/nexus/content/repositories/snapshots/org/openmrs/module/releasetestmodule/2.1.22-SNAPSHOT/maven-metadata.xml
> (616 B at 132 B/s)
> Uploading to openmrs-repo-snapshots:
> https://mavenrepo.openmrs.org/nexus/content/repositories/snapshots/org/openmrs/module/releasetestmodule/2.1.22-SNAPSHOT/releasetestmodule-2.1.22-20200427.091851-13.pom
> ...
> [ERROR] Failed to execute goal
> org.apache.maven.plugins:maven-deploy-plugin:2.7:deploy (default-deploy) on
> project releasetestmodule: Failed to deploy artifacts: Could not transfer
> artifact org.openmrs.module:releasetestmodule:pom:2.1.22-20200427.091851-13
> from/to openmrs-repo-snapshots
> (https://mavenrepo.openmrs.org/nexus/content/repositories/snapshots):
> Transfer failed for
> https://openmrs.jfrog.io/artifactory/snapshots/org/openmrs/module/releasetestmodule/2.1.22-SNAPSHOT/releasetestmodule-2.1.22-20200427.091851-13.pom
> 401 Unauthorized -> [Help 1]{code}
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
[jira] [Commented] (WAGON-590) Maven 3.5.0+ doesn't seem to send credentials after 301/302 HTTP redirect
[
https://issues.apache.org/jira/browse/WAGON-590?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17243053#comment-17243053
]
IG commented on WAGON-590:
--
Made it work with the following settings and wagon-3.4.2 inside maven 3.6.3 :
{code:java}
ANY
ANY
http.protocol.cookie-policy
standard
{code}
cookie-policy was still required for correct cookie handling.
> Maven 3.5.0+ doesn't seem to send credentials after 301/302 HTTP redirect
> -
>
> Key: WAGON-590
> URL: https://issues.apache.org/jira/browse/WAGON-590
> Project: Maven Wagon
> Issue Type: Bug
>Affects Versions: 3.4.0
>Reporter: Cintia DR
>Priority: Major
> Fix For: waiting-for-feedback
>
> Attachments: 0001-conditonally-set-AuthScope-to-any.patch, Screen
> Shot 2020-04-28 at 7.45.33 pm.png, any-auth.log,
> expect-continue-done-right-any-auth.log, master_osx.log, master_ubuntu.log,
> maven_x.log, mvn-master-batch.log, mvn-wagon590branch-debug-osx.log,
> mvn-wagon590branch-osx.log, mvn339_osx.log, mvn339_ubuntu.log, scoped-auth.log
>
>
> Since maven 3.5.0 (including 3.6.3), maven seems to not send server
> credentials if distributionManagement server response was a 301 or 302 HTTP
> redirect. Note that the redirect is followed, but I receive unauthorised code.
> Maven 3.2.5 and 3.3.9 work as expected. I could reproduce it on ubuntu and
> OSX. Both are JDK 8, not sure if it could make any difference.
>
> All maven versions (including 3.2.5 and 3.3.9) are using the same version of
> the deploy plugin (2.7), and upgrading it made no difference whatsoever.
>
> If I use '[https://openmrs.jfrog.io/artifactory/snapshots/'] as my
> 'distributionManagement', credentials are sent.
> If I use
> '[https://mavenrepo.openmrs.org/proxy/snapshots/|https://mavenrepo.openmrs.org/snapshots/']'
> (a reverse proxy to
> '[https://openmrs.jfrog.io/artifactory/snapshots/|https://openmrs.jfrog.io/artifactory/snapshots/']')
> credentials are sent.
> If I use '[https://mavenrepo.openmrs.org/snapshots/'] (a 301 redirect to
> [https://openmrs.jfrog.io/artifactory/snapshots/|https://openmrs.jfrog.io/artifactory/snapshots/'])
> as my distributionManagement, credentials are _not_ sent and the request
> fails as it's unauthenticated.
>
> You can see the configuration of 'mavenrepo.openmrs.org' server here:
> [https://github.com/openmrs/openmrs-contrib-itsmresources/blob/master/ansible/host_vars/campo.openmrs.org/vars#L33]
>
> All my artefacts are public to download, so I don't have a way to testing
> downloading artefacts with server credentials.
>
>
> This is how the output looks like in maven 3.6.3:
> {code:java}
>
> [INFO] --- maven-deploy-plugin:2.7:deploy (default-deploy) @
> releasetestmodule ---
> Downloading from openmrs-repo-snapshots:
> https://mavenrepo.openmrs.org/nexus/content/repositories/snapshots/org/openmrs/module/releasetestmodule/2.1.22-SNAPSHOT/maven-metadata.xml
> Downloaded from openmrs-repo-snapshots:
> https://mavenrepo.openmrs.org/nexus/content/repositories/snapshots/org/openmrs/module/releasetestmodule/2.1.22-SNAPSHOT/maven-metadata.xml
> (616 B at 132 B/s)
> Uploading to openmrs-repo-snapshots:
> https://mavenrepo.openmrs.org/nexus/content/repositories/snapshots/org/openmrs/module/releasetestmodule/2.1.22-SNAPSHOT/releasetestmodule-2.1.22-20200427.091851-13.pom
> ...
> [ERROR] Failed to execute goal
> org.apache.maven.plugins:maven-deploy-plugin:2.7:deploy (default-deploy) on
> project releasetestmodule: Failed to deploy artifacts: Could not transfer
> artifact org.openmrs.module:releasetestmodule:pom:2.1.22-20200427.091851-13
> from/to openmrs-repo-snapshots
> (https://mavenrepo.openmrs.org/nexus/content/repositories/snapshots):
> Transfer failed for
> https://openmrs.jfrog.io/artifactory/snapshots/org/openmrs/module/releasetestmodule/2.1.22-SNAPSHOT/releasetestmodule-2.1.22-20200427.091851-13.pom
> 401 Unauthorized -> [Help 1]{code}
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
[jira] [Updated] (WAGON-590) Maven 3.5.0+ don't seem to send credentials after 301/302 http redirect
[
https://issues.apache.org/jira/browse/WAGON-590?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
IG updated WAGON-590:
-
Attachment: 0001-conditonally-set-AuthScope-to-any.patch
> Maven 3.5.0+ don't seem to send credentials after 301/302 http redirect
> ---
>
> Key: WAGON-590
> URL: https://issues.apache.org/jira/browse/WAGON-590
> Project: Maven Wagon
> Issue Type: Bug
>Affects Versions: 3.4.0
>Reporter: Cintia DR
>Priority: Major
> Attachments: 0001-conditonally-set-AuthScope-to-any.patch, Screen
> Shot 2020-04-28 at 7.45.33 pm.png, any-auth.log,
> expect-continue-done-right-any-auth.log, master_osx.log, master_ubuntu.log,
> maven_x.log, mvn-master-batch.log, mvn-wagon590branch-debug-osx.log,
> mvn-wagon590branch-osx.log, mvn339_osx.log, mvn339_ubuntu.log, scoped-auth.log
>
>
> Since maven 3.5.0 (including 3.6.3), maven seems to not send server
> credentials if distributionManagement server response was a 301 or 302 HTTP
> redirect. Note that the redirect is followed, but I receive unauthorised code.
> Maven 3.2.5 and 3.3.9 work as expected. I could reproduce it on ubuntu and
> OSX. Both are JDK 8, not sure if it could make any difference.
>
> All maven versions (including 3.2.5 and 3.3.9) are using the same version of
> the deploy plugin (2.7), and upgrading it made no difference whatsoever.
>
> If I use '[https://openmrs.jfrog.io/artifactory/snapshots/'] as my
> 'distributionManagement', credentials are sent.
> If I use
> '[https://mavenrepo.openmrs.org/proxy/snapshots/|https://mavenrepo.openmrs.org/snapshots/']'
> (a reverse proxy to
> '[https://openmrs.jfrog.io/artifactory/snapshots/|https://openmrs.jfrog.io/artifactory/snapshots/']')
> credentials are sent.
> If I use '[https://mavenrepo.openmrs.org/snapshots/'] (a 301 redirect to
> [https://openmrs.jfrog.io/artifactory/snapshots/|https://openmrs.jfrog.io/artifactory/snapshots/'])
> as my distributionManagement, credentials are _not_ sent and the request
> fails as it's unauthenticated.
>
> You can see the configuration of 'mavenrepo.openmrs.org' server here:
> [https://github.com/openmrs/openmrs-contrib-itsmresources/blob/master/ansible/host_vars/campo.openmrs.org/vars#L33]
>
> All my artefacts are public to download, so I don't have a way to testing
> downloading artefacts with server credentials.
>
>
> This is how the output looks like in maven 3.6.3:
> {code:java}
>
> [INFO] --- maven-deploy-plugin:2.7:deploy (default-deploy) @
> releasetestmodule ---
> Downloading from openmrs-repo-snapshots:
> https://mavenrepo.openmrs.org/nexus/content/repositories/snapshots/org/openmrs/module/releasetestmodule/2.1.22-SNAPSHOT/maven-metadata.xml
> Downloaded from openmrs-repo-snapshots:
> https://mavenrepo.openmrs.org/nexus/content/repositories/snapshots/org/openmrs/module/releasetestmodule/2.1.22-SNAPSHOT/maven-metadata.xml
> (616 B at 132 B/s)
> Uploading to openmrs-repo-snapshots:
> https://mavenrepo.openmrs.org/nexus/content/repositories/snapshots/org/openmrs/module/releasetestmodule/2.1.22-SNAPSHOT/releasetestmodule-2.1.22-20200427.091851-13.pom
> ...
> [ERROR] Failed to execute goal
> org.apache.maven.plugins:maven-deploy-plugin:2.7:deploy (default-deploy) on
> project releasetestmodule: Failed to deploy artifacts: Could not transfer
> artifact org.openmrs.module:releasetestmodule:pom:2.1.22-20200427.091851-13
> from/to openmrs-repo-snapshots
> (https://mavenrepo.openmrs.org/nexus/content/repositories/snapshots):
> Transfer failed for
> https://openmrs.jfrog.io/artifactory/snapshots/org/openmrs/module/releasetestmodule/2.1.22-SNAPSHOT/releasetestmodule-2.1.22-20200427.091851-13.pom
> 401 Unauthorized -> [Help 1]{code}
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
[jira] [Comment Edited] (WAGON-590) Maven 3.5.0+ don't seem to send credentials after 301/302 http redirect
[
https://issues.apache.org/jira/browse/WAGON-590?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17240279#comment-17240279
]
IG edited comment on WAGON-590 at 11/29/20, 3:38 PM:
-
Hi Michael,
As suggested, here is the pointer to our chat on the ML :
[https://lists.apache.org/thread.html/r3be975dbac2058d507ae9141234fcde86151ac60add4e7f61d066de1%40%3Cusers.maven.apache.org%3E]
To be short and clear : WAGON-590 works as expected. However, I had to change
the cookie policy from 'compatibility' to 'standard' as the oauth2-proxy cookie
has to be retained while doing a trip to the SSO server.
That being said, one might says that not scoping auth is lowering security.
I join a patch to add a new setting to conditionally set AuthScope to ANY
was (Author: igardais):
Hi Michael,
As suggested, here is the pointer to our chat on the ML :
https://lists.apache.org/thread.html/r3be975dbac2058d507ae9141234fcde86151ac60add4e7f61d066de1%40%3Cusers.maven.apache.org%3E
To be short and clear : WAGON-590 works as expected. However, I had to change
the cookie policy from 'compatibility' to 'standard' as the oauth2-proxy as to
be retained while doing a trip to the SSO server.
That being said, one might says that not scoping auth is lowering security.
I join a patch to add a new setting to conditionally set AuthScope to ANY
> Maven 3.5.0+ don't seem to send credentials after 301/302 http redirect
> ---
>
> Key: WAGON-590
> URL: https://issues.apache.org/jira/browse/WAGON-590
> Project: Maven Wagon
> Issue Type: Bug
>Affects Versions: 3.4.0
>Reporter: Cintia DR
>Priority: Major
> Attachments: 0001-conditonally-set-AuthScope-to-any.patch, Screen
> Shot 2020-04-28 at 7.45.33 pm.png, any-auth.log,
> expect-continue-done-right-any-auth.log, master_osx.log, master_ubuntu.log,
> maven_x.log, mvn-master-batch.log, mvn-wagon590branch-debug-osx.log,
> mvn-wagon590branch-osx.log, mvn339_osx.log, mvn339_ubuntu.log, scoped-auth.log
>
>
> Since maven 3.5.0 (including 3.6.3), maven seems to not send server
> credentials if distributionManagement server response was a 301 or 302 HTTP
> redirect. Note that the redirect is followed, but I receive unauthorised code.
> Maven 3.2.5 and 3.3.9 work as expected. I could reproduce it on ubuntu and
> OSX. Both are JDK 8, not sure if it could make any difference.
>
> All maven versions (including 3.2.5 and 3.3.9) are using the same version of
> the deploy plugin (2.7), and upgrading it made no difference whatsoever.
>
> If I use '[https://openmrs.jfrog.io/artifactory/snapshots/'] as my
> 'distributionManagement', credentials are sent.
> If I use
> '[https://mavenrepo.openmrs.org/proxy/snapshots/|https://mavenrepo.openmrs.org/snapshots/']'
> (a reverse proxy to
> '[https://openmrs.jfrog.io/artifactory/snapshots/|https://openmrs.jfrog.io/artifactory/snapshots/']')
> credentials are sent.
> If I use '[https://mavenrepo.openmrs.org/snapshots/'] (a 301 redirect to
> [https://openmrs.jfrog.io/artifactory/snapshots/|https://openmrs.jfrog.io/artifactory/snapshots/'])
> as my distributionManagement, credentials are _not_ sent and the request
> fails as it's unauthenticated.
>
> You can see the configuration of 'mavenrepo.openmrs.org' server here:
> [https://github.com/openmrs/openmrs-contrib-itsmresources/blob/master/ansible/host_vars/campo.openmrs.org/vars#L33]
>
> All my artefacts are public to download, so I don't have a way to testing
> downloading artefacts with server credentials.
>
>
> This is how the output looks like in maven 3.6.3:
> {code:java}
>
> [INFO] --- maven-deploy-plugin:2.7:deploy (default-deploy) @
> releasetestmodule ---
> Downloading from openmrs-repo-snapshots:
> https://mavenrepo.openmrs.org/nexus/content/repositories/snapshots/org/openmrs/module/releasetestmodule/2.1.22-SNAPSHOT/maven-metadata.xml
> Downloaded from openmrs-repo-snapshots:
> https://mavenrepo.openmrs.org/nexus/content/repositories/snapshots/org/openmrs/module/releasetestmodule/2.1.22-SNAPSHOT/maven-metadata.xml
> (616 B at 132 B/s)
> Uploading to openmrs-repo-snapshots:
> https://mavenrepo.openmrs.org/nexus/content/repositories/snapshots/org/openmrs/module/releasetestmodule/2.1.22-SNAPSHOT/releasetestmodule-2.1.22-20200427.091851-13.pom
> ...
> [ERROR] Failed to execute goal
> org.apache.maven.plugins:maven-deploy-plugin:2.7:deploy (default-deploy) on
> project releasetestmodule: Failed to deploy artifacts: Could not transfer
> artifact org.openmrs.module:releasetestmodule:pom:2.1.22-20200427.091851-13
> from/to openmrs-repo-snapshots
> (https://mavenrepo.openmrs.org/nexus/content/repositories/snapshots):
> Transfer failed for
>
[jira] [Commented] (WAGON-590) Maven 3.5.0+ don't seem to send credentials after 301/302 http redirect
[
https://issues.apache.org/jira/browse/WAGON-590?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17240279#comment-17240279
]
IG commented on WAGON-590:
--
Hi Michael,
As suggested, here is the pointer to our chat on the ML :
https://lists.apache.org/thread.html/r3be975dbac2058d507ae9141234fcde86151ac60add4e7f61d066de1%40%3Cusers.maven.apache.org%3E
To be short and clear : WAGON-590 works as expected. However, I had to change
the cookie policy from 'compatibility' to 'standard' as the oauth2-proxy as to
be retained while doing a trip to the SSO server.
That being said, one might says that not scoping auth is lowering security.
I join a patch to add a new setting to conditionally set AuthScope to ANY
> Maven 3.5.0+ don't seem to send credentials after 301/302 http redirect
> ---
>
> Key: WAGON-590
> URL: https://issues.apache.org/jira/browse/WAGON-590
> Project: Maven Wagon
> Issue Type: Bug
>Affects Versions: 3.4.0
>Reporter: Cintia DR
>Priority: Major
> Attachments: Screen Shot 2020-04-28 at 7.45.33 pm.png, any-auth.log,
> expect-continue-done-right-any-auth.log, master_osx.log, master_ubuntu.log,
> maven_x.log, mvn-master-batch.log, mvn-wagon590branch-debug-osx.log,
> mvn-wagon590branch-osx.log, mvn339_osx.log, mvn339_ubuntu.log, scoped-auth.log
>
>
> Since maven 3.5.0 (including 3.6.3), maven seems to not send server
> credentials if distributionManagement server response was a 301 or 302 HTTP
> redirect. Note that the redirect is followed, but I receive unauthorised code.
> Maven 3.2.5 and 3.3.9 work as expected. I could reproduce it on ubuntu and
> OSX. Both are JDK 8, not sure if it could make any difference.
>
> All maven versions (including 3.2.5 and 3.3.9) are using the same version of
> the deploy plugin (2.7), and upgrading it made no difference whatsoever.
>
> If I use '[https://openmrs.jfrog.io/artifactory/snapshots/'] as my
> 'distributionManagement', credentials are sent.
> If I use
> '[https://mavenrepo.openmrs.org/proxy/snapshots/|https://mavenrepo.openmrs.org/snapshots/']'
> (a reverse proxy to
> '[https://openmrs.jfrog.io/artifactory/snapshots/|https://openmrs.jfrog.io/artifactory/snapshots/']')
> credentials are sent.
> If I use '[https://mavenrepo.openmrs.org/snapshots/'] (a 301 redirect to
> [https://openmrs.jfrog.io/artifactory/snapshots/|https://openmrs.jfrog.io/artifactory/snapshots/'])
> as my distributionManagement, credentials are _not_ sent and the request
> fails as it's unauthenticated.
>
> You can see the configuration of 'mavenrepo.openmrs.org' server here:
> [https://github.com/openmrs/openmrs-contrib-itsmresources/blob/master/ansible/host_vars/campo.openmrs.org/vars#L33]
>
> All my artefacts are public to download, so I don't have a way to testing
> downloading artefacts with server credentials.
>
>
> This is how the output looks like in maven 3.6.3:
> {code:java}
>
> [INFO] --- maven-deploy-plugin:2.7:deploy (default-deploy) @
> releasetestmodule ---
> Downloading from openmrs-repo-snapshots:
> https://mavenrepo.openmrs.org/nexus/content/repositories/snapshots/org/openmrs/module/releasetestmodule/2.1.22-SNAPSHOT/maven-metadata.xml
> Downloaded from openmrs-repo-snapshots:
> https://mavenrepo.openmrs.org/nexus/content/repositories/snapshots/org/openmrs/module/releasetestmodule/2.1.22-SNAPSHOT/maven-metadata.xml
> (616 B at 132 B/s)
> Uploading to openmrs-repo-snapshots:
> https://mavenrepo.openmrs.org/nexus/content/repositories/snapshots/org/openmrs/module/releasetestmodule/2.1.22-SNAPSHOT/releasetestmodule-2.1.22-20200427.091851-13.pom
> ...
> [ERROR] Failed to execute goal
> org.apache.maven.plugins:maven-deploy-plugin:2.7:deploy (default-deploy) on
> project releasetestmodule: Failed to deploy artifacts: Could not transfer
> artifact org.openmrs.module:releasetestmodule:pom:2.1.22-20200427.091851-13
> from/to openmrs-repo-snapshots
> (https://mavenrepo.openmrs.org/nexus/content/repositories/snapshots):
> Transfer failed for
> https://openmrs.jfrog.io/artifactory/snapshots/org/openmrs/module/releasetestmodule/2.1.22-SNAPSHOT/releasetestmodule-2.1.22-20200427.091851-13.pom
> 401 Unauthorized -> [Help 1]{code}
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
