Try Maven downloads anonymously first, retry with credentials on 4xx#7447
When Maven settings.xml credentials are rejected by the remote repository (401/403), retry the JAR download without authentication. Mirrors `MavenPomDownloader.requestAsAuthenticatedOrAnonymous()` and Apache Maven's behavior, so anonymous-accessible artifacts resolve even when configured credentials are invalid.

Also fixes two nits observed during troubleshooting:

- local cache filename was missing the hyphen before the classifier (`foo-1.0.0recipes.jar` → `foo-1.0.0-recipes.jar`)
- download error message omitted the classifier
Digging a bit into how Maven handles auth on requests: haven't traced into HttpClient yet, but it seems like it does try an unauthenticated request first and then retry with auth if that fails. If that's accurate, then the risk of 2x requests is expected, and we should probably match Maven and try anon first.
Mirrors Apache Maven Resolver's DeferredCredentialsProvider behavior: issue an unauthenticated request first, then send credentials only when the server challenges with a 4xx. This matches what users get from running Maven directly, and avoids leaking credentials to public artifacts.
Good call — flipped to anonymous-first in 8408c64. Now we send no auth at all unless the server challenges us with a 4xx, matching Apache Maven Resolver's
Summary
`MavenArtifactDownloader` now tries each JAR download anonymously first and only sends `settings.xml` credentials if the server challenges with a 4xx — mirroring Apache Maven Resolver's `DeferredCredentialsProvider`. This unblocks anonymous-accessible artifacts when configured credentials are invalid (reported case: 401 against JPMC Artifactory) and avoids leaking credentials to public artifacts.

- `LocalMavenArtifactCache`: cache filename missing the hyphen before the classifier (`foo-1.0.0recipes.jar` → `foo-1.0.0-recipes.jar`).
- `MavenDownloadingException` message so artifact coordinates are complete during troubleshooting.

Follow-up to #6845 where this scenario was anticipated; the reporter has now hit it in practice.
Test plan
- `publicArtifactsResolveAnonymouslyEvenWhenCredentialsAreInvalid` — bad credentials configured, public artifact, single anonymous request, no auth header sent.
- `retriesWithCredentialsWhenAnonymousReturns401` — private artifact, two requests: first anonymous (401), second authenticated (200).
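The anonymous-first flow and the two test-plan cases above, as an added illustration that is not OpenRewrite's `MavenArtifactDownloader` code: the transport is an injected callable and the repository URLs and credentials are constructed, so the request sequence can be checked offline.

```python
import base64


def basic_auth(user: str, password: str) -> str:
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def download_jar(url, creds, transport, sent):
    """Anonymous first; settings.xml credentials only after a 401/403 challenge.
    transport(url, auth) -> (status, body); `sent` logs each request's auth header."""
    sent.append((url, None))
    status, body = transport(url, None)
    if status == 200:
        return body
    if status in (401, 403) and creds is not None:
        header = basic_auth(*creds)
        sent.append((url, header))
        status, body = transport(url, header)
        if status == 200:
            return body
    # Error message keeps the full URL (incl. classifier) for troubleshooting.
    raise RuntimeError(f"Unable to download {url}: HTTP {status}")


# Constructed fake remote repository: one public and one private artifact.
PUBLIC = "https://repo.example/foo/1.0.0/foo-1.0.0-recipes.jar"
PRIVATE = "https://repo.example/bar/2.0.0/bar-2.0.0.jar"
GOOD_CREDS = ("deploy", "s3cret")  # constructed, not real


def fake_repo(url, auth):
    if url == PUBLIC:
        return 200, b"public-jar"  # never requires auth
    if url == PRIVATE and auth == basic_auth(*GOOD_CREDS):
        return 200, b"private-jar"
    return (401 if url == PRIVATE else 404), b""


def public_artifact_with_bad_credentials():
    sent = []
    body = download_jar(PUBLIC, ("deploy", "wrong"), fake_repo, sent)
    return body, sent  # one anonymous request; bad credentials never sent


def private_artifact_with_good_credentials():
    sent = []
    body = download_jar(PRIVATE, GOOD_CREDS, fake_repo, sent)
    return body, sent  # anonymous 401, then authenticated 200
```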