Try anonymous first, retry with credentials on 4xx

Mirrors Apache Maven Resolver's DeferredCredentialsProvider behavior:
issue an unauthenticated request first, then send credentials only when
the server challenges with a 4xx. This matches what users get from
running Maven directly, and avoids leaking credentials to public
artifacts.

Author: timtebeek

rewrite-maven/src/main/java/org/openrewrite/maven/utilities/MavenArtifactDownloader.java

@@ -109,20 +109,21 @@ public MavenArtifactDownloader(MavenArtifactCache mavenArtifactCache,
             } else if ("file".equals(URI.create(uri).getScheme())) {
                 bodyStream = Files.newInputStream(Paths.get(URI.create(uri)));
             } else {
-                HttpSender.Request.Builder request = applyAuthentication(dependency.getRepository(), httpSender.get(uri));
                 try {
+                    // Try anonymously first, mirroring Apache Maven's DeferredCredentialsProvider behavior
                     byte[] responseBytes = null;
                     int responseCode;
-                    try (HttpSender.Response response = Failsafe.with(retryPolicy).get(() -> httpSender.send(request.build()));
+                    try (HttpSender.Response response = Failsafe.with(retryPolicy).get(() -> httpSender.send(httpSender.get(uri).build()));
                          InputStream body = response.getBody()) {
                         responseCode = response.getCode();
                         if (response.isSuccessful() && body != null) {
                             responseBytes = readAllBytes(body);
                         }
                     }
-                    // Fall back to anonymous if authenticated request fails with a 4xx client error
-                    if (responseBytes == null && hasCredentials(dependency.getRepository()) && responseCode >= 400 && responseCode < 500) {
-                        try (HttpSender.Response response = Failsafe.with(retryPolicy).get(() -> httpSender.send(httpSender.get(uri).build()));
+                    // Retry with credentials if the anonymous request failed with a 4xx and we have credentials
+                    if (responseBytes == null && responseCode >= 400 && responseCode < 500 && hasCredentials(dependency.getRepository())) {
+                        HttpSender.Request.Builder request = applyAuthentication(dependency.getRepository(), httpSender.get(uri));
+                        try (HttpSender.Response response = Failsafe.with(retryPolicy).get(() -> httpSender.send(request.build()));
                              InputStream body = response.getBody()) {
                             responseCode = response.getCode();
                             if (response.isSuccessful() && body != null) {

rewrite-maven/src/test/java/org/openrewrite/maven/utilities/MavenArtifactDownloaderTest.java

@@ -133,8 +133,8 @@ void downloadDependenciesWithClassifier(@TempDir Path tempDir) {
     }
 
     @Test
-    void fallsBackToAnonymousWhenServerReturns401(@TempDir Path tempDir) throws Exception {
-        byte[] jarBytes = {0x50, 0x4B, 0x03, 0x04};
+    void publicArtifactsResolveAnonymouslyEvenWhenCredentialsAreInvalid(@TempDir Path tempDir) throws Exception {
+        byte[] jarBytes = {0x50, 0x4B, 0x03, 0x04}; // minimal ZIP magic bytes
 
         try (MockWebServer mockRepo = new MockWebServer()) {
             mockRepo.setDispatcher(new Dispatcher() {
@@ -183,22 +183,21 @@ public MockResponse dispatch(RecordedRequest request) {
 
             assertThat(artifact).isNotNull();
             assertThat(error.get()).isNull();
-            assertThat(mockRepo.getRequestCount()).isEqualTo(2);
-            assertThat(mockRepo.takeRequest().getHeader("Authorization")).isNotNull();
+            assertThat(mockRepo.getRequestCount()).isEqualTo(1);
             assertThat(mockRepo.takeRequest().getHeader("Authorization")).isNull();
         }
     }
 
     @Test
-    void fallsBackToAnonymousWhenCredentialsRejected(@TempDir Path tempDir) throws Exception {
-        byte[] jarBytes = {0x50, 0x4B, 0x03, 0x04}; // minimal ZIP magic bytes
+    void retriesWithCredentialsWhenAnonymousReturns401(@TempDir Path tempDir) throws Exception {
+        byte[] jarBytes = {0x50, 0x4B, 0x03, 0x04};
 
         try (MockWebServer mockRepo = new MockWebServer()) {
             mockRepo.setDispatcher(new Dispatcher() {
                 @Override
                 public MockResponse dispatch(RecordedRequest request) {
-                    if (request.getHeader("Authorization") != null) {
-                        return new MockResponse().setResponseCode(403); // Throw if used; it should not be called at all
+                    if (request.getHeader("Authorization") == null) {
+                        return new MockResponse().setResponseCode(401);
                     }
                     return new MockResponse().setResponseCode(200)
                       .setBody(new okio.Buffer().write(jarBytes));
@@ -215,8 +214,8 @@ public MockResponse dispatch(RecordedRequest request) {
                     <servers>
                         <server>
                             <id>mock-repo</id>
-                            <username>${placeholder}</username>
-                            <password>${placeholder}</password>
+                            <username>good-user</username>
+                            <password>good-password</password>
                         </server>
                     </servers>
                 </settings>
@@ -240,7 +239,9 @@ public MockResponse dispatch(RecordedRequest request) {
 
             assertThat(artifact).isNotNull();
             assertThat(error.get()).isNull();
-            assertThat(mockRepo.getRequestCount()).isEqualTo(1);
+            assertThat(mockRepo.getRequestCount()).isEqualTo(2);
+            assertThat(mockRepo.takeRequest().getHeader("Authorization")).isNull();
+            assertThat(mockRepo.takeRequest().getHeader("Authorization")).isNotNull();
         }
     }
 }