subject:"Re\: Maven tries to download twice, first one without auth"

Re: Maven tries to download twice, first one without auth

2021-08-20 Thread Michael Osipov


Am 2021-08-20 um 16:12 schrieb Francois Marot:

Hello Maven users,

I face a strange problem that I'd like to describe. I'm setting up a new
artifact repository and this is JFrog's Artifactory.
I have build freeze problems (which I still no have solved) so during my
investigations I found this in Artifactory's logs:

- - - - - - - - - - - - - - - - - - - - - - - - -
2021-08-19T16:07:55.729Z|339817580d4decc9|192.168.38.137|non_authenticated_user|GET|/maven-libs-release/org/apache/velocity/velocity/1.5/velocity-1.5.pom|
*401*|-1|0|0|Apache-Maven/3.8.2 (Java 11.0.8; Linux
3.10.0-1160.25.1.el7.x86_64)

2021-08-19T16:07:55.734Z|123110ba8a2e7eb9|192.168.38.137|token:ci-fake-user|GET|/maven-libs-release/org/apache/velocity/velocity/1.5/velocity-1.5.pom|200|-1|7714|2|Apache-Maven/3.8.2
(Java 11.0.8; Linux 3.10.0-1160.25.1.el7.x86_64)
2021-08-19T16:07:55.743Z|f0d9c80461c879fd|192.168.38.137|token:ci-fake-user|GET|/maven-libs-release/org/apache/velocity/velocity/1.5/velocity-1.5.pom.sha1|200|-1|40|3|Apache-Maven/3.8.2
(Java 11.0.8; Linux 3.10.0-1160.25.1.el7.x86_64)

2021-08-19T16:07:55.752Z|6500587859c8a99c|192.168.38.137|non_authenticated_user|GET|/maven-libs-release/commons-collections/commons-collections/3.2.2/commons-collections-3.2.2.pom|
*401*|-1|0|0|Apache-Maven/3.8.2 (Java 11.0.8; Linux
3.10.0-1160.25.1.el7.x86_64)

2021-08-19T16:07:55.758Z|32c027e38c5f6b49|192.168.38.137|token:ci-fake-user|GET|/maven-libs-release/commons-collections/commons-collections/3.2.2/commons-collections-3.2.2.pom|200|-1|12403|3|Apache-Maven/3.8.2
(Java 11.0.8; Linux 3.10.0-1160.25.1.el7.x86_64)
2021-08-19T16:07:55.766Z|1dce46d14ae35ed3|192.168.38.137|token:ci-fake-user|GET|/maven-libs-release/commons-collections/commons-collections/3.2.2/commons-collections-3.2.2.pom.sha1|200|-1|40|2|Apache-Maven/3.8.2
(Java 11.0.8; Linux 3.10.0-1160.25.1.el7.x86_64)

2021-08-19T16:07:55.774Z|a37b50bee467027a|192.168.38.137|non_authenticated_user|GET|/maven-libs-release/org/apache/commons/commons-parent/39/commons-parent-39.pom|
*401*|-1|0|1|Apache-Maven/3.8.2 (Java 11.0.8; Linux
3.10.0-1160.25.1.el7.x86_64)

2021-08-19T16:07:55.779Z|8c4ca838bc43d3b2|192.168.38.137|token:ci-fake-user|GET|/maven-libs-release/org/apache/commons/commons-parent/39/commons-parent-39.pom|200|-1|61975|2|Apache-Maven/3.8.2
(Java 11.0.8; Linux 3.10.0-1160.25.1.el7.x86_64)
2021-08-19T16:07:55.793Z|9d2ce78abf97f47e|192.168.38.137|token:ci-fake-user|GET|/maven-libs-release/org/apache/commons/commons-parent/39/commons-parent-39.pom.sha1|200|-1|40|3|Apache-Maven/3.8.2
(Java 11.0.8; Linux 3.10.0-1160.25.1.el7.x86_64)

2021-08-19T16:07:55.801Z|8d5e469c8d929120|192.168.38.137|non_authenticated_user|GET|/maven-libs-release/org/apache/apache/16/apache-16.pom|
*401*|-1|0|0|Apache-Maven/3.8.2 (Java 11.0.8; Linux
3.10.0-1160.25.1.el7.x86_64)

2021-08-19T16:07:55.807Z|2e1b208f4afeae52|192.168.38.137|token:ci-fake-user|GET|/maven-libs-release/org/apache/apache/16/apache-16.pom|200|-1|15507|2|Apache-Maven/3.8.2
(Java 11.0.8; Linux 3.10.0-1160.25.1.el7.x86_64)
2021-08-19T16:07:55.815Z|b634f0399cad3c56|192.168.38.137|token:ci-fake-user|GET|/maven-libs-release/org/apache/apache/16/apache-16.pom.sha1|200|-1|40|2|Apache-Maven/3.8.2
(Java 11.0.8; Linux 3.10.0-1160.25.1.el7.x86_64)

2021-08-19T16:07:55.825Z|befe40b044d34700|192.168.38.137|non_authenticated_user|GET|/maven-libs-release/commons-lang/commons-lang/2.1/commons-lang-2.1.pom|
*401*|-1|0|1|Apache-Maven/3.8.2 (Java 11.0.8; Linux
3.10.0-1160.25.1.el7.x86_64)
- - - - - - - - - - - - - - - - - - - - - - - - -

as you can see, for each pom artifact, it seems like Maven does a first
request not authenticated (hence the "|401|" in the logs) and then another
one authenticated. This second one succeeds.
I corrected this problem by adding a httpHeader property (see below) with
the same value as the "password" field (that was previously the only place
where I wrote the password) and now I have correct logs with only one
request and no 401 anymore.

- - - - - - - - - - - - - - - - - - - - - - - - -

 
   ci-fake-user
   XXX
   releases
  
 
   
 Authorization
 Bearer XXX
   
 
   
 
 
   ci-fake-user
   XXX
   snapshots
  
 
   
 Authorization
 Bearer XXX
   
 
   
 
   
- - - - - - - - - - - - - - - - - - - - - - - - -

I tested with Maven  3.6.3, 3.8.1 and 3.8.2
Do you have an explanation to my strange problem ?


There is no problem, that this perfectly normal and correct.

-
To unsubscribe, e-mail: users-unsubscr...@maven.apache.org
For additional commands, e-mail: users-h...@maven.apache.org

Re: Maven tries to download twice, first one without auth

2021-08-20 Thread Bernd Eckenfels

Hello,

This is, for some reason intentional, the client is supposed to only sent auth 
when challenged. Since this is not done in a smart way it can slow transfers 
down.

There used to be ways to configure it pre-emptively, but not sure if the doc is 
still valid: 
http://maven.apache.org/guides/mini/guide-http-settings.html#Example:_Using_Preemptive_Authentication

Greetings
Bernd


--
http://bernd.eckenfels.net

Von: Francois Marot 
Gesendet: Friday, August 20, 2021 4:12:33 PM
An: Maven Users List 
Betreff: Maven tries to download twice, first one without auth

Hello Maven users,

I face a strange problem that I'd like to describe. I'm setting up a new
artifact repository and this is JFrog's Artifactory.
I have build freeze problems (which I still no have solved) so during my
investigations I found this in Artifactory's logs:

- - - - - - - - - - - - - - - - - - - - - - - - -
2021-08-19T16:07:55.729Z|339817580d4decc9|192.168.38.137|non_authenticated_user|GET|/maven-libs-release/org/apache/velocity/velocity/1.5/velocity-1.5.pom|
*401*|-1|0|0|Apache-Maven/3.8.2 (Java 11.0.8; Linux
3.10.0-1160.25.1.el7.x86_64)

2021-08-19T16:07:55.734Z|123110ba8a2e7eb9|192.168.38.137|token:ci-fake-user|GET|/maven-libs-release/org/apache/velocity/velocity/1.5/velocity-1.5.pom|200|-1|7714|2|Apache-Maven/3.8.2
(Java 11.0.8; Linux 3.10.0-1160.25.1.el7.x86_64)
2021-08-19T16:07:55.743Z|f0d9c80461c879fd|192.168.38.137|token:ci-fake-user|GET|/maven-libs-release/org/apache/velocity/velocity/1.5/velocity-1.5.pom.sha1|200|-1|40|3|Apache-Maven/3.8.2
(Java 11.0.8; Linux 3.10.0-1160.25.1.el7.x86_64)

2021-08-19T16:07:55.752Z|6500587859c8a99c|192.168.38.137|non_authenticated_user|GET|/maven-libs-release/commons-collections/commons-collections/3.2.2/commons-collections-3.2.2.pom|
*401*|-1|0|0|Apache-Maven/3.8.2 (Java 11.0.8; Linux
3.10.0-1160.25.1.el7.x86_64)

2021-08-19T16:07:55.758Z|32c027e38c5f6b49|192.168.38.137|token:ci-fake-user|GET|/maven-libs-release/commons-collections/commons-collections/3.2.2/commons-collections-3.2.2.pom|200|-1|12403|3|Apache-Maven/3.8.2
(Java 11.0.8; Linux 3.10.0-1160.25.1.el7.x86_64)
2021-08-19T16:07:55.766Z|1dce46d14ae35ed3|192.168.38.137|token:ci-fake-user|GET|/maven-libs-release/commons-collections/commons-collections/3.2.2/commons-collections-3.2.2.pom.sha1|200|-1|40|2|Apache-Maven/3.8.2
(Java 11.0.8; Linux 3.10.0-1160.25.1.el7.x86_64)

2021-08-19T16:07:55.774Z|a37b50bee467027a|192.168.38.137|non_authenticated_user|GET|/maven-libs-release/org/apache/commons/commons-parent/39/commons-parent-39.pom|
*401*|-1|0|1|Apache-Maven/3.8.2 (Java 11.0.8; Linux
3.10.0-1160.25.1.el7.x86_64)

2021-08-19T16:07:55.779Z|8c4ca838bc43d3b2|192.168.38.137|token:ci-fake-user|GET|/maven-libs-release/org/apache/commons/commons-parent/39/commons-parent-39.pom|200|-1|61975|2|Apache-Maven/3.8.2
(Java 11.0.8; Linux 3.10.0-1160.25.1.el7.x86_64)
2021-08-19T16:07:55.793Z|9d2ce78abf97f47e|192.168.38.137|token:ci-fake-user|GET|/maven-libs-release/org/apache/commons/commons-parent/39/commons-parent-39.pom.sha1|200|-1|40|3|Apache-Maven/3.8.2
(Java 11.0.8; Linux 3.10.0-1160.25.1.el7.x86_64)

2021-08-19T16:07:55.801Z|8d5e469c8d929120|192.168.38.137|non_authenticated_user|GET|/maven-libs-release/org/apache/apache/16/apache-16.pom|
*401*|-1|0|0|Apache-Maven/3.8.2 (Java 11.0.8; Linux
3.10.0-1160.25.1.el7.x86_64)

2021-08-19T16:07:55.807Z|2e1b208f4afeae52|192.168.38.137|token:ci-fake-user|GET|/maven-libs-release/org/apache/apache/16/apache-16.pom|200|-1|15507|2|Apache-Maven/3.8.2
(Java 11.0.8; Linux 3.10.0-1160.25.1.el7.x86_64)
2021-08-19T16:07:55.815Z|b634f0399cad3c56|192.168.38.137|token:ci-fake-user|GET|/maven-libs-release/org/apache/apache/16/apache-16.pom.sha1|200|-1|40|2|Apache-Maven/3.8.2
(Java 11.0.8; Linux 3.10.0-1160.25.1.el7.x86_64)

2021-08-19T16:07:55.825Z|befe40b044d34700|192.168.38.137|non_authenticated_user|GET|/maven-libs-release/commons-lang/commons-lang/2.1/commons-lang-2.1.pom|
*401*|-1|0|1|Apache-Maven/3.8.2 (Java 11.0.8; Linux
3.10.0-1160.25.1.el7.x86_64)
- - - - - - - - - - - - - - - - - - - - - - - - -

as you can see, for each pom artifact, it seems like Maven does a first
request not authenticated (hence the "|401|" in the logs) and then another
one authenticated. This second one succeeds.
I corrected this problem by adding a httpHeader property (see below) with
the same value as the "password" field (that was previously the only place
where I wrote the password) and now I have correct logs with only one
request and no 401 anymore.

- - - - - - - - - - - - - - - - - - - - - - - - -


  ci-fake-user
  XXX
  releases
 

  
Authorization
Bearer XXX
  

  


  ci-fake-user
  XXX
  snapshots
 

  
Authorization
Bearer XXX
  

  

  
- - - - - - - - - - - - - - - - - - - - - - - - -

I te

Re: Maven tries to download twice, first one without auth

2021-08-21 Thread Slawomir Jaranowski

Hi,

I use for artifactory configuration like it:

   
xxx
xxx
xxx



true






pt., 20 sie 2021 o 23:12 Bernd Eckenfels 
napisał(a):

> Hello,
>
> This is, for some reason intentional, the client is supposed to only sent
> auth when challenged. Since this is not done in a smart way it can slow
> transfers down.
>
> There used to be ways to configure it pre-emptively, but not sure if the
> doc is still valid:
> http://maven.apache.org/guides/mini/guide-http-settings.html#Example:_Using_Preemptive_Authentication
>
> Greetings
> Bernd
>
>
> --
> http://bernd.eckenfels.net
> 
> Von: Francois Marot 
> Gesendet: Friday, August 20, 2021 4:12:33 PM
> An: Maven Users List 
> Betreff: Maven tries to download twice, first one without auth
>
> Hello Maven users,
>
> I face a strange problem that I'd like to describe. I'm setting up a new
> artifact repository and this is JFrog's Artifactory.
> I have build freeze problems (which I still no have solved) so during my
> investigations I found this in Artifactory's logs:
>
> - - - - - - - - - - - - - - - - - - - - - - - - -
>
> 2021-08-19T16:07:55.729Z|339817580d4decc9|192.168.38.137|non_authenticated_user|GET|/maven-libs-release/org/apache/velocity/velocity/1.5/velocity-1.5.pom|
> *401*|-1|0|0|Apache-Maven/3.8.2 (Java 11.0.8; Linux
> 3.10.0-1160.25.1.el7.x86_64)
>
>
> 2021-08-19T16:07:55.734Z|123110ba8a2e7eb9|192.168.38.137|token:ci-fake-user|GET|/maven-libs-release/org/apache/velocity/velocity/1.5/velocity-1.5.pom|200|-1|7714|2|Apache-Maven/3.8.2
> (Java 11.0.8; Linux 3.10.0-1160.25.1.el7.x86_64)
>
> 2021-08-19T16:07:55.743Z|f0d9c80461c879fd|192.168.38.137|token:ci-fake-user|GET|/maven-libs-release/org/apache/velocity/velocity/1.5/velocity-1.5.pom.sha1|200|-1|40|3|Apache-Maven/3.8.2
> (Java 11.0.8; Linux 3.10.0-1160.25.1.el7.x86_64)
>
>
> 2021-08-19T16:07:55.752Z|6500587859c8a99c|192.168.38.137|non_authenticated_user|GET|/maven-libs-release/commons-collections/commons-collections/3.2.2/commons-collections-3.2.2.pom|
> *401*|-1|0|0|Apache-Maven/3.8.2 (Java 11.0.8; Linux
> 3.10.0-1160.25.1.el7.x86_64)
>
>
> 2021-08-19T16:07:55.758Z|32c027e38c5f6b49|192.168.38.137|token:ci-fake-user|GET|/maven-libs-release/commons-collections/commons-collections/3.2.2/commons-collections-3.2.2.pom|200|-1|12403|3|Apache-Maven/3.8.2
> (Java 11.0.8; Linux 3.10.0-1160.25.1.el7.x86_64)
>
> 2021-08-19T16:07:55.766Z|1dce46d14ae35ed3|192.168.38.137|token:ci-fake-user|GET|/maven-libs-release/commons-collections/commons-collections/3.2.2/commons-collections-3.2.2.pom.sha1|200|-1|40|2|Apache-Maven/3.8.2
> (Java 11.0.8; Linux 3.10.0-1160.25.1.el7.x86_64)
>
>
> 2021-08-19T16:07:55.774Z|a37b50bee467027a|192.168.38.137|non_authenticated_user|GET|/maven-libs-release/org/apache/commons/commons-parent/39/commons-parent-39.pom|
> *401*|-1|0|1|Apache-Maven/3.8.2 (Java 11.0.8; Linux
> 3.10.0-1160.25.1.el7.x86_64)
>
>
> 2021-08-19T16:07:55.779Z|8c4ca838bc43d3b2|192.168.38.137|token:ci-fake-user|GET|/maven-libs-release/org/apache/commons/commons-parent/39/commons-parent-39.pom|200|-1|61975|2|Apache-Maven/3.8.2
> (Java 11.0.8; Linux 3.10.0-1160.25.1.el7.x86_64)
>
> 2021-08-19T16:07:55.793Z|9d2ce78abf97f47e|192.168.38.137|token:ci-fake-user|GET|/maven-libs-release/org/apache/commons/commons-parent/39/commons-parent-39.pom.sha1|200|-1|40|3|Apache-Maven/3.8.2
> (Java 11.0.8; Linux 3.10.0-1160.25.1.el7.x86_64)
>
>
> 2021-08-19T16:07:55.801Z|8d5e469c8d929120|192.168.38.137|non_authenticated_user|GET|/maven-libs-release/org/apache/apache/16/apache-16.pom|
> *401*|-1|0|0|Apache-Maven/3.8.2 (Java 11.0.8; Linux
> 3.10.0-1160.25.1.el7.x86_64)
>
>
> 2021-08-19T16:07:55.807Z|2e1b208f4afeae52|192.168.38.137|token:ci-fake-user|GET|/maven-libs-release/org/apache/apache/16/apache-16.pom|200|-1|15507|2|Apache-Maven/3.8.2
> (Java 11.0.8; Linux 3.10.0-1160.25.1.el7.x86_64)
>
> 2021-08-19T16:07:55.815Z|b634f0399cad3c56|192.168.38.137|token:ci-fake-user|GET|/maven-libs-release/org/apache/apache/16/apache-16.pom.sha1|200|-1|40|2|Apache-Maven/3.8.2
> (Java 11.0.8; Linux 3.10.0-1160.25.1.el7.x86_64)
>
>
> 2021-08-19T16:07:55.825Z|befe40b044d34700|192.168.38.137|non_authenticated_user|GET|/maven-libs-release/commons-lang/commons-lang/2.1/commons-lang-2.1.pom|
> *401*|-1|0|1|Apache-Maven/3.8.2 (Java 11.0.8; Linux
> 3.10.0-1160.25.1.el7.x86_64)
> - - - - - - - - - - - - - - - - - - - - - - - - -
>
> as you can see, for each pom artifact, it seems like Maven does a first
> request not authenticated (hence the "|401|" in the logs) and then another
> one authenticated. This second one succeeds.
> I corrected this problem by adding a httpHeader property (see below) with
> the same value as the "password" field (that was previously the only place
> where I wrote the password) and now I have correct logs with only

Re: Maven tries to download twice, first one without auth

2021-08-30 Thread Francois Marot

Hello Bernd and Slawomir,
I want to thank you both for the advice. Using the preemptive auth works
like a charm.
In the end, the analysis showed that a network component was seeing all the
"401 Unauthorized" errors and was randomly deciding
to stop the requests. It must have been mistakenly associated to a network
attack or something.

The setting to use is this one:



false



I would advise anyone in a corporate network to configure its settings.xml
with this setting to access his corporate repository.
I even believe it should be the default setting for predefined servers
located in settings.xml because Maven does not try to communicate with
random servers on the internet by itself (in which case disabling
preemptive auth may be worth it).
Should I create an issue ?


Le ven. 20 août 2021 à 23:12, Bernd Eckenfels  a
écrit :

> Hello,
>
> This is, for some reason intentional, the client is supposed to only sent
> auth when challenged. Since this is not done in a smart way it can slow
> transfers down.
>
> There used to be ways to configure it pre-emptively, but not sure if the
> doc is still valid:
> http://maven.apache.org/guides/mini/guide-http-settings.html#Example:_Using_Preemptive_Authentication
>
> Greetings
> Bernd
>
>
> --
> http://bernd.eckenfels.net
> 
> Von: Francois Marot 
> Gesendet: Friday, August 20, 2021 4:12:33 PM
> An: Maven Users List 
> Betreff: Maven tries to download twice, first one without auth
>
> Hello Maven users,
>
> I face a strange problem that I'd like to describe. I'm setting up a new
> artifact repository and this is JFrog's Artifactory.
> I have build freeze problems (which I still no have solved) so during my
> investigations I found this in Artifactory's logs:
>
> - - - - - - - - - - - - - - - - - - - - - - - - -
>
> 2021-08-19T16:07:55.729Z|339817580d4decc9|192.168.38.137|non_authenticated_user|GET|/maven-libs-release/org/apache/velocity/velocity/1.5/velocity-1.5.pom|
> *401*|-1|0|0|Apache-Maven/3.8.2 (Java 11.0.8; Linux
> 3.10.0-1160.25.1.el7.x86_64)
>
>
> 2021-08-19T16:07:55.734Z|123110ba8a2e7eb9|192.168.38.137|token:ci-fake-user|GET|/maven-libs-release/org/apache/velocity/velocity/1.5/velocity-1.5.pom|200|-1|7714|2|Apache-Maven/3.8.2
> (Java 11.0.8; Linux 3.10.0-1160.25.1.el7.x86_64)
>
> 2021-08-19T16:07:55.743Z|f0d9c80461c879fd|192.168.38.137|token:ci-fake-user|GET|/maven-libs-release/org/apache/velocity/velocity/1.5/velocity-1.5.pom.sha1|200|-1|40|3|Apache-Maven/3.8.2
> (Java 11.0.8; Linux 3.10.0-1160.25.1.el7.x86_64)
>
>
> 2021-08-19T16:07:55.752Z|6500587859c8a99c|192.168.38.137|non_authenticated_user|GET|/maven-libs-release/commons-collections/commons-collections/3.2.2/commons-collections-3.2.2.pom|
> *401*|-1|0|0|Apache-Maven/3.8.2 (Java 11.0.8; Linux
> 3.10.0-1160.25.1.el7.x86_64)
>
>
> 2021-08-19T16:07:55.758Z|32c027e38c5f6b49|192.168.38.137|token:ci-fake-user|GET|/maven-libs-release/commons-collections/commons-collections/3.2.2/commons-collections-3.2.2.pom|200|-1|12403|3|Apache-Maven/3.8.2
> (Java 11.0.8; Linux 3.10.0-1160.25.1.el7.x86_64)
>
> 2021-08-19T16:07:55.766Z|1dce46d14ae35ed3|192.168.38.137|token:ci-fake-user|GET|/maven-libs-release/commons-collections/commons-collections/3.2.2/commons-collections-3.2.2.pom.sha1|200|-1|40|2|Apache-Maven/3.8.2
> (Java 11.0.8; Linux 3.10.0-1160.25.1.el7.x86_64)
>
>
> 2021-08-19T16:07:55.774Z|a37b50bee467027a|192.168.38.137|non_authenticated_user|GET|/maven-libs-release/org/apache/commons/commons-parent/39/commons-parent-39.pom|
> *401*|-1|0|1|Apache-Maven/3.8.2 (Java 11.0.8; Linux
> 3.10.0-1160.25.1.el7.x86_64)
>
>
> 2021-08-19T16:07:55.779Z|8c4ca838bc43d3b2|192.168.38.137|token:ci-fake-user|GET|/maven-libs-release/org/apache/commons/commons-parent/39/commons-parent-39.pom|200|-1|61975|2|Apache-Maven/3.8.2
> (Java 11.0.8; Linux 3.10.0-1160.25.1.el7.x86_64)
>
> 2021-08-19T16:07:55.793Z|9d2ce78abf97f47e|192.168.38.137|token:ci-fake-user|GET|/maven-libs-release/org/apache/commons/commons-parent/39/commons-parent-39.pom.sha1|200|-1|40|3|Apache-Maven/3.8.2
> (Java 11.0.8; Linux 3.10.0-1160.25.1.el7.x86_64)
>
>
> 2021-08-19T16:07:55.801Z|8d5e469c8d929120|192.168.38.137|non_authenticated_user|GET|/maven-libs-release/org/apache/apache/16/apache-16.pom|
> *401*|-1|0|0|Apache-Maven/3.8.2 (Java 11.0.8; Linux
> 3.10.0-1160.25.1.el7.x86_64)
>
>
> 2021-08-19T16:07:55.807Z|2e1b208f4afeae52|192.168.38.137|token:ci-fake-user|GET|/maven-libs-release/org/apache/apache/16/apache-16.pom|200|-1|15507|2|Apache-Maven/3.8.2
> (Java 11.0.8; Linux 3.10.0-1160.25.1.el7.x86_64)
>
> 2021-08-19T16:07:55.815Z|b634f0399cad3c56|192.168.38.137|token:ci-fake-user|GET|/maven-libs-release/org/apache/apache/16/apache-16.pom.sha1|200|-1|40|2|Apache-Maven/3.8.2
> (Java 11.0.8; Linux 3.10.0-1160.25.1.el7.x86_64)
>
>
> 2021-08-19T16:07:55.825Z|befe40b044d34700|192.168.38.137|non_authenticated_user|GET|/maven-libs-release/commons-lang/commons-lang/2.1/commons-lang-2.1.pom|
> *401*|-1|0|1|Apache-

Re: Maven tries to download twice, first one without auth

2021-08-30 Thread Bernd Eckenfels

Hello,

Hm… I thought preemptive=false is the default - but anyway, good that it works 
now for you.

Gruß
Bernd

--
https://Bernd.eckenfels.net

From: Francois Marot 
Sent: Monday, August 30, 2021 4:43:33 PM
To: Maven Users List 
Subject: Re: Maven tries to download twice, first one without auth

Hello Bernd and Slawomir,
I want to thank you both for the advice. Using the preemptive auth works
like a charm.
In the end, the analysis showed that a network component was seeing all the
"401 Unauthorized" errors and was randomly deciding
to stop the requests. It must have been mistakenly associated to a network
attack or something.

The setting to use is this one:



false



I would advise anyone in a corporate network to configure its settings.xml
with this setting to access his corporate repository.
I even believe it should be the default setting for predefined servers
located in settings.xml because Maven does not try to communicate with
random servers on the internet by itself (in which case disabling
preemptive auth may be worth it).
Should I create an issue ?


Le ven. 20 août 2021 à 23:12, Bernd Eckenfels  a
écrit :

> Hello,
>
> This is, for some reason intentional, the client is supposed to only sent
> auth when challenged. Since this is not done in a smart way it can slow
> transfers down.
>
> There used to be ways to configure it pre-emptively, but not sure if the
> doc is still valid:
> http://maven.apache.org/guides/mini/guide-http-settings.html#Example:_Using_Preemptive_Authentication
>
> Greetings
> Bernd
>
>
> --
> http://bernd.eckenfels.net<http://bernd.eckenfels.networks>
> 
> Von: Francois Marot 
> Gesendet: Friday, August 20, 2021 4:12:33 PM
> An: Maven Users List 
> Betreff: Maven tries to download twice, first one without auth
>
> Hello Maven users,
>
> I face a strange problem that I'd like to describe. I'm setting up a new
> artifact repository and this is JFrog's Artifactory.
> I have build freeze problems (which I still no have solved) so during my
> investigations I found this in Artifactory's logs:
>
> - - - - - - - - - - - - - - - - - - - - - - - - -
>
> 2021-08-19T16:07:55.729Z|339817580d4decc9|192.168.38.137|non_authenticated_user|GET|/maven-libs-release/org/apache/velocity/velocity/1.5/velocity-1.5.pom|
> *401*|-1|0|0|Apache-Maven/3.8.2 (Java 11.0.8; Linux
> 3.10.0-1160.25.1.el7.x86_64)
>
>
> 2021-08-19T16:07:55.734Z|123110ba8a2e7eb9|192.168.38.137|token:ci-fake-user|GET|/maven-libs-release/org/apache/velocity/velocity/1.5/velocity-1.5.pom|200|-1|7714|2|Apache-Maven/3.8.2
> (Java 11.0.8; Linux 3.10.0-1160.25.1.el7.x86_64)
>
> 2021-08-19T16:07:55.743Z|f0d9c80461c879fd|192.168.38.137|token:ci-fake-user|GET|/maven-libs-release/org/apache/velocity/velocity/1.5/velocity-1.5.pom.sha1|200|-1|40|3|Apache-Maven/3.8.2
> (Java 11.0.8; Linux 3.10.0-1160.25.1.el7.x86_64)
>
>
> 2021-08-19T16:07:55.752Z|6500587859c8a99c|192.168.38.137|non_authenticated_user|GET|/maven-libs-release/commons-collections/commons-collections/3.2.2/commons-collections-3.2.2.pom|
> *401*|-1|0|0|Apache-Maven/3.8.2 (Java 11.0.8; Linux
> 3.10.0-1160.25.1.el7.x86_64)
>
>
> 2021-08-19T16:07:55.758Z|32c027e38c5f6b49|192.168.38.137|token:ci-fake-user|GET|/maven-libs-release/commons-collections/commons-collections/3.2.2/commons-collections-3.2.2.pom|200|-1|12403|3|Apache-Maven/3.8.2
> (Java 11.0.8; Linux 3.10.0-1160.25.1.el7.x86_64)
>
> 2021-08-19T16:07:55.766Z|1dce46d14ae35ed3|192.168.38.137|token:ci-fake-user|GET|/maven-libs-release/commons-collections/commons-collections/3.2.2/commons-collections-3.2.2.pom.sha1|200|-1|40|2|Apache-Maven/3.8.2
> (Java 11.0.8; Linux 3.10.0-1160.25.1.el7.x86_64)
>
>
> 2021-08-19T16:07:55.774Z|a37b50bee467027a|192.168.38.137|non_authenticated_user|GET|/maven-libs-release/org/apache/commons/commons-parent/39/commons-parent-39.pom|
> *401*|-1|0|1|Apache-Maven/3.8.2 (Java 11.0.8; Linux
> 3.10.0-1160.25.1.el7.x86_64)
>
>
> 2021-08-19T16:07:55.779Z|8c4ca838bc43d3b2|192.168.38.137|token:ci-fake-user|GET|/maven-libs-release/org/apache/commons/commons-parent/39/commons-parent-39.pom|200|-1|61975|2|Apache-Maven/3.8.2
> (Java 11.0.8; Linux 3.10.0-1160.25.1.el7.x86_64)
>
> 2021-08-19T16:07:55.793Z|9d2ce78abf97f47e|192.168.38.137|token:ci-fake-user|GET|/maven-libs-release/org/apache/commons/commons-parent/39/commons-parent-39.pom.sha1|200|-1|40|3|Apache-Maven/3.8.2
> (Java 11.0.8; Linux 3.10.0-1160.25.1.el7.x86_64)
>
>
> 2021-08-19T16:07:55.801Z|8d5e469c8d929120|192.168.38.137|non_authenticated_user|GET|/maven-libs-release/org/apache/apache/16/apache-16.pom|
> *401*|-1|0|0|Apache-Maven/3.8.2 (Java 11.0.8; Linux
> 3.10.0-1160.25.1.el7.x86_64)
>
>
> 2021-08-19T16:07:55.807Z|2e1b208f4afeae

Re: Maven tries to download twice, first one without auth

2021-08-30 Thread Francois Marot

You're right, my bad...
I use:
true

because 'false' is the default. Which makes me think Maven should change
the default to true because we explicitly know the servers listed in
settings.xml and trust them.


Le lun. 30 août 2021 à 18:00, Bernd Eckenfels  a
écrit :

> Hello,
>
> Hm… I thought preemptive=false is the default - but anyway, good that it
> works now for you.
>
> Gruß
> Bernd
>
> --
> https://Bernd.eckenfels.net
> 
> From: Francois Marot 
> Sent: Monday, August 30, 2021 4:43:33 PM
> To: Maven Users List 
> Subject: Re: Maven tries to download twice, first one without auth
>
> Hello Bernd and Slawomir,
> I want to thank you both for the advice. Using the preemptive auth works
> like a charm.
> In the end, the analysis showed that a network component was seeing all the
> "401 Unauthorized" errors and was randomly deciding
> to stop the requests. It must have been mistakenly associated to a network
> attack or something.
>
> The setting to use is this one:
>
> 
> 
> false
> 
> 
>
> I would advise anyone in a corporate network to configure its settings.xml
> with this setting to access his corporate repository.
> I even believe it should be the default setting for predefined servers
> located in settings.xml because Maven does not try to communicate with
> random servers on the internet by itself (in which case disabling
> preemptive auth may be worth it).
> Should I create an issue ?
>
>
> Le ven. 20 août 2021 à 23:12, Bernd Eckenfels  a
> écrit :
>
> > Hello,
> >
> > This is, for some reason intentional, the client is supposed to only sent
> > auth when challenged. Since this is not done in a smart way it can slow
> > transfers down.
> >
> > There used to be ways to configure it pre-emptively, but not sure if the
> > doc is still valid:
> >
> http://maven.apache.org/guides/mini/guide-http-settings.html#Example:_Using_Preemptive_Authentication
> >
> > Greetings
> > Bernd
> >
> >
> > --
> > http://bernd.eckenfels.net<http://bernd.eckenfels.networks>
> > 
> > Von: Francois Marot 
> > Gesendet: Friday, August 20, 2021 4:12:33 PM
> > An: Maven Users List 
> > Betreff: Maven tries to download twice, first one without auth
> >
> > Hello Maven users,
> >
> > I face a strange problem that I'd like to describe. I'm setting up a new
> > artifact repository and this is JFrog's Artifactory.
> > I have build freeze problems (which I still no have solved) so during my
> > investigations I found this in Artifactory's logs:
> >
> > - - - - - - - - - - - - - - - - - - - - - - - - -
> >
> >
> 2021-08-19T16:07:55.729Z|339817580d4decc9|192.168.38.137|non_authenticated_user|GET|/maven-libs-release/org/apache/velocity/velocity/1.5/velocity-1.5.pom|
> > *401*|-1|0|0|Apache-Maven/3.8.2 (Java 11.0.8; Linux
> > 3.10.0-1160.25.1.el7.x86_64)
> >
> >
> >
> 2021-08-19T16:07:55.734Z|123110ba8a2e7eb9|192.168.38.137|token:ci-fake-user|GET|/maven-libs-release/org/apache/velocity/velocity/1.5/velocity-1.5.pom|200|-1|7714|2|Apache-Maven/3.8.2
> > (Java 11.0.8; Linux 3.10.0-1160.25.1.el7.x86_64)
> >
> >
> 2021-08-19T16:07:55.743Z|f0d9c80461c879fd|192.168.38.137|token:ci-fake-user|GET|/maven-libs-release/org/apache/velocity/velocity/1.5/velocity-1.5.pom.sha1|200|-1|40|3|Apache-Maven/3.8.2
> > (Java 11.0.8; Linux 3.10.0-1160.25.1.el7.x86_64)
> >
> >
> >
> 2021-08-19T16:07:55.752Z|6500587859c8a99c|192.168.38.137|non_authenticated_user|GET|/maven-libs-release/commons-collections/commons-collections/3.2.2/commons-collections-3.2.2.pom|
> > *401*|-1|0|0|Apache-Maven/3.8.2 (Java 11.0.8; Linux
> > 3.10.0-1160.25.1.el7.x86_64)
> >
> >
> >
> 2021-08-19T16:07:55.758Z|32c027e38c5f6b49|192.168.38.137|token:ci-fake-user|GET|/maven-libs-release/commons-collections/commons-collections/3.2.2/commons-collections-3.2.2.pom|200|-1|12403|3|Apache-Maven/3.8.2
> > (Java 11.0.8; Linux 3.10.0-1160.25.1.el7.x86_64)
> >
> >
> 2021-08-19T16:07:55.766Z|1dce46d14ae35ed3|192.168.38.137|token:ci-fake-user|GET|/maven-libs-release/commons-collections/commons-collections/3.2.2/commons-collections-3.2.2.pom.sha1|200|-1|40|2|Apache-Maven/3.8.2
> > (Java 11.0.8; Linux 3.10.0-1160.25.1.el7.x86_64)
> >
> >
> >
> 2021-08-19T16:07:55.774Z|a37b50bee467027a|192.168.38.137|non_authenticated_user|GET|/maven-libs-release/org/apache/commons/commons-parent/39/commons-parent-39.pom|
> > *401*|-1|0|1|Apache-Maven/3.8.2 (Java 11.0.8; Linux
> > 3.10.0-1160.25.1.el7.x86_64)
&

Re: Maven tries to download twice, first one without auth

Re: Maven tries to download twice, first one without auth

Re: Maven tries to download twice, first one without auth

Re: Maven tries to download twice, first one without auth

Re: Maven tries to download twice, first one without auth

Re: Maven tries to download twice, first one without auth

6 matches

Site Navigation

Mail list logo

Footer information