From: Yoav L. <yo...@jf...> - 2010-08-31 22:26:45
This behavior is "by design". Let me explain - When anonymous access is disabled Artifactory always requires users to be authenticated. This is the meaning of the flag, which is checked whenever an unauthenticated request is seen.

If an unauthenticated request arrives, the anonymous access flag is on and the resource exists but is not accessible by anonymous - Artifactory will correctly log the request as DENIED, but for security reasons it will not reveal the existence of the resource to the requestor and will send back a 404. This behavior matches the 404 description <http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html>: "...This status code is commonly used when the server does not wish to reveal exactly why the request has been refused...".

The result should be the same for a non-anonymous user that doesn't have privileges to get a resource (if not that's a bug).

Like Yossi suggested, it can be resolved on the Maven side by setting preemptive authentication. Maven does not authenticate preemptively when provided with user/password details unless configured to do so (for why and how to configure it, please see: http://maven.apache.org/guides/mini/guide-http-settings.html). The reasons seem to be rooted in mistrusting the user to correctly configure the client and the server - leaving behind unused authentication details or sending authenticated requests to servers that are not configured to secure the authentication details. Other tools (Ivy, curl, wget) will authenticate preemptively when provided with authentication info.

On the Artifactory side this can be resolved by a global policy of whether or not to reveal the existence of protected resources. For anonymous requests that will result in a 401.

Anyway, please follow RTFACT-3479 <http://issues.jfrog.org/jira/browse/RTFACT-3479> to check on the progress.

HTH,
Yoav

2010/8/31 Yossi Shaul <yo...@jf...>

> I see what you mean.
> I think 403 Forbidden will be more appropriate in that case because access to Artifactory is always authenticated (when anonymous is enabled the authentication is implicit).
> I can't remember if the 404 response is for historical reasons (old maven bug), so I opened an issue (http://issues.jfrog.org/jira/browse/RTFACT-3479) and will look into it soon.
>
> Back to your problem, your analysis explains why it fails:
> You are implicitly logged in as anonymous to Artifactory. Anonymous doesn't have read access to the requested file and Artifactory sends 404. When maven receives 404 it will never try to send another request with credentials.
> Responding with 401 Unauthorized (+the basic authentication header) will probably solve it, but again, I'm not sure this is the best solution.
>
> In the meantime you can configure maven to use preemptive authentication, which causes it to send the credentials without being asked to.
>
> Yossi
>
> 2010/8/31 Marcin Zajączkowski <ms...@wp...>
>
>> On 31-08-2010 at 9:22 Yossi Shaul wrote:
>> > Which version of maven are you using? If it's not the latest (2.2.1 or 3 beta) please try with one of them.
>> > Otherwise send your pom and settings to su...@jf... and we'll try to figure out what's wrong.
>>
>> I'm using 2.2.1, but I have noticed one more thing. With disabled "allow anonymous access" artifactory returns 401 Authorization Required in the first try and then Maven asks again using credentials [1]. Without anonymous access enabled Artifactory returns 404 Not Found (even if artifact is in repository and only anonymous doesn't have access to it - in access.log there is DOWNLOAD DENIED) and Maven doesn't try again, which could be a reason.
>>
>> Maybe Artifactory could return 401 for repository paths which require the user to be authenticated?
>>
>>
>> [1] - (with "allow anonymous access" disabled)
>> 20100831113125|0|REQUEST|10.101.6.191|non_authenticated_user|GET|<<artifact>>|HTTP/1.1|401|0
>> 20100831113127|1656|REQUEST|10.101.6.191|my_user|GET|<<artifact>>|HTTP/1.1|200|348
>>
>> Marcin
>>
>> > 2010/8/30 Marcin Zajączkowski <ms...@wp...>
>> >
>> > > On 29-08-2010 at 9:30 Yossi Shaul wrote:
>> > >
>> > > > Hi, maven does know how to download artifacts from repositories that require authentication.
>> > > > It just does it on the second request (non-preemptive).
>> > > > Make sure that the repository ids (for both download and upload repositories) match the id of the servers in the settings.xml.
>> > >
>> > > I tried:
>> > >
>> > > <servers>
>> > >   <server>
>> > >     <id>repo-id</id>
>> > >     <username>user</username>
>> > >     <password>password</password>
>> > > (...)
>> > >
>> > > <repositories>
>> > >   <repository>
>> > >     <snapshots>
>> > >       <enabled>true</enabled>
>> > >     </snapshots>
>> > >     <id>repo-id</id>
>> > >     <name>repo-id</name>
>> > >     <url>...</url>
>> > > (...)
>> > >
>> > > Maven shows:
>> > > [INFO] snapshot my-group-id:my-artifact-id:1.2.0-SNAPSHOT checking for updates from repo-id
>> > > Downloading: http://url/.../1.2.0-SNAPSHOT/my-artifact-id-1.2.0-SNAPSHOT.jar
>> > > [INFO] Unable to find resource 'my-group-id:my-artifact-id:1.2.0-SNAPSHOT' in repository repo-id (url)
>> > >
>> > > In Artifactory access.log I have:
>> > > 2010-08-30 17:55:01,700 [DENIED DOWNLOAD] repo-id:url/.../1.2.0-SNAPSHOT/my-artifact-1.2.0-SNAPSHOT.jar for anonymous/192.168.0.10.
>> > >
>> > > There is no second try.
>> > > Is it required to define deploy repository to make read access work with password?
>> > >
>> > > I tried with repo-id being virtual repo name as well as a local repository name. With no success. Do you have any suggestion what more I can do to get to know why it doesn't work?
>> > >
>> > > > Currently the anonymous access is global and there's no way to activate authentication for selected repositories.
>> > >
>> > > I see, if Maven should ask twice (the second one with user/password) then a global switch is enough.
>> > >
>> > > Regards
>> > > Marcin
>> > >
>> > > > 2010/8/27 Marcin Zajączkowski <ms...@wp...>
>> > > >
>> > > > > Hi,
>> > > > >
>> > > > > Regarding situation mentioned in [1] I was able to download artifact from password protected repository only after "Allow Anonymous Access" is unchecked. But it's a global switch. When anonymous access in general is granted, nevertheless that repository is not accessible for anonymous users (they don't have permissions) Maven interprets reply as "not found" (not as "use password from config").
>> > > > >
>> > > > > Is it possible to switch only *selected* repositories into "authenticated-user-only-access"?
>> > > > > (or maybe I can force Maven to use password for selected repos at a client side?)
>> > > > >
>> > > > > [1] - http://forums.jfrog.org/Working-with-password-protected-repositories-in-read-mode-with-Maven-client-td5457453.html
>> > > > >
>> > > > > Regards
>> > > > > Marcin
>>
>> --
>> Ad...
>>
>> ------------------------------------------------------------------------------
>> This SF.net Dev2Dev email is sponsored by:
>>
>> Show off your parallel programming skills.
>> Enter the Intel(R) Threading Challenge 2010.
>> http://p.sf.net/sfu/intel-thread-sfd
>> _______________________________________________
>> Artifactory-users mailing list
>> Art...@li...
>> https://lists.sourceforge.net/lists/listinfo/artifactory-users

--
Yoav Landman, CTO
http://www.jfrog.org/
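
Added example, not part of the e-mail thread and not Artifactory or Maven code: a small Python model of the exchange discussed above, showing why a client that authenticates only after a 401 challenge never sends its credentials when the server hides a protected resource behind a 404. The user, password, path, ACL and the 403 returned to an authenticated user under a "reveal" policy are assumptions made for the illustration.

```python
import base64

# Constructed sample data (not from the thread): one user, one protected artifact.
USERS = {"my_user": "secret"}
READERS = {"libs/app-1.2.0.jar": {"my_user"}}   # anonymous has no read permission

def server(path, auth_header, allow_anonymous, hide_existence=True):
    """Return the HTTP status for a GET under the policies discussed in the thread."""
    user = "anonymous"
    if auth_header:
        raw = base64.b64decode(auth_header.split()[1]).decode()
        name, _, password = raw.partition(":")
        if USERS.get(name) != password:
            return 401
        user = name
    elif not allow_anonymous:
        return 401                  # anonymous disabled: always challenge
    if path not in READERS:
        return 404                  # genuinely missing
    if user in READERS[path]:
        return 200
    # Resource exists but access is denied (the DENIED line in access.log).
    if hide_existence:
        return 404                  # current behaviour: do not reveal existence
    # Reveal policy: 401 for anonymous per the thread; 403 otherwise is an assumption.
    return 401 if user == "anonymous" else 403

def client_get(path, user, password, preemptive, **policy):
    """Model an HTTP client; returns the list of statuses it received."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    header = "Basic " + token
    statuses = [server(path, header if preemptive else None, **policy)]
    # A non-preemptive client retries with credentials only after a 401 challenge.
    if not preemptive and statuses[0] == 401:
        statuses.append(server(path, header, **policy))
    return statuses

if __name__ == "__main__":
    artifact = "libs/app-1.2.0.jar"
    for label, preemptive, policy in [
        ("anonymous on, 404 hides resource", False, {"allow_anonymous": True}),
        ("anonymous off", False, {"allow_anonymous": False}),
        ("anonymous on, preemptive client", True, {"allow_anonymous": True}),
        ("anonymous on, reveal policy", False,
         {"allow_anonymous": True, "hide_existence": False}),
    ]:
        print(label, client_get(artifact, "my_user", "secret", preemptive, **policy))
```
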