[ https://issues.apache.org/jira/browse/WAGON-590?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17098129#comment-17098129 ]
Michael Osipov commented on WAGON-590: -------------------------------------- Here is the code to reproduce, very simplistic: {code:java} import java.io.IOException; import java.io.InputStream; import java.nio.file.Files; import java.nio.file.Path; import java.nio.file.Paths; import java.nio.file.StandardCopyOption; import javax.servlet.ServletException; import javax.servlet.http.HttpServlet; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; public class Test2 extends HttpServlet { private static final long serialVersionUID = 1L; private static final Path MAVEN_CENTRAL = Paths.get("C:\\Users\\mosipov\\.m2\\repository"); private String calculateLocation(HttpServletRequest request) { String location = request.getContextPath() + "/redirected/repo" + request.getPathInfo(); String hostUrl = request.getScheme() + "://" + request.getLocalName() + ":" + 8888; return hostUrl + location; } @Override protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { System.out.print(request.getPathInfo() + " "); String authn = request.getHeader("Authorization"); if (authn == null || !authn.equals("Basic ...")) { response.setHeader("WWW-Authenticate", "Basic realm=\"michael-o\""); response.sendError(HttpServletResponse.SC_UNAUTHORIZED); System.out.println("SC_UNAUTHORIZED"); return; } if (!request.getServletPath().startsWith("/redirected")) { response.setHeader("Location", calculateLocation(request)); response.sendError(HttpServletResponse.SC_TEMPORARY_REDIRECT); System.out.println("REDIRECT"); return; } String fileLoc = request.getPathInfo(); Path filePath = MAVEN_CENTRAL.resolve(fileLoc.substring(1)); if(Files.isDirectory(filePath)) { response.setStatus(207); System.out.println("MULTI_STATUS"); return; } if(Files.notExists(filePath)) { response.sendError(HttpServletResponse.SC_NOT_FOUND); System.out.println("NOT_FOUND"); return; } long fileSize = Files.size(filePath); 
response.setHeader("Content-Length", String.valueOf(fileSize)); Files.copy(filePath, response.getOutputStream()); System.out.println("OK"); } @Override protected void doPut(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { System.out.print(request.getPathInfo() + " "); String authn = request.getHeader("Authorization"); if (authn == null || !authn.equals("Basic ...")) { response.setHeader("WWW-Authenticate", "Basic realm=\"michael-o\""); response.sendError(HttpServletResponse.SC_UNAUTHORIZED); System.out.println("SC_UNAUTHORIZED"); return; } if (!request.getServletPath().startsWith("/redirected")) { InputStream is = request.getInputStream(); Path temp = Files.createTempFile(null, null); Files.copy(is, temp, StandardCopyOption.REPLACE_EXISTING); Files.delete(temp); response.setHeader("Location", calculateLocation(request)); response.sendError(HttpServletResponse.SC_TEMPORARY_REDIRECT); System.out.println("REDIRECT"); return; } String fileLoc = request.getPathInfo(); Path filePath = MAVEN_CENTRAL.resolve(fileLoc.substring(1)); Files.copy(request.getInputStream(), filePath, StandardCopyOption.REPLACE_EXISTING); response.setStatus(HttpServletResponse.SC_NO_CONTENT); System.out.println("NO_CONTENT"); } } {code} For Wagon from master, see logfile [^scoped-auth.log]. As you can see, localhost:8888 cannot be authenticated because credentials are scoped. Wagon from branch {{WAGON-590-any-auth}} passes credentials to all targets, thus any scope, see logfile [^any-auth.log]. We have three problems now: # The server sends the redirect *after* it has already consumed the request body. Ideally, it would send the redirect right away w/o consuming the body. # I will not set any-scope auth by default in the code. This is too dangerous, because credentials would then be passed to all targets, including whatever host a redirect points to. # Hash files are delivered as input streams which are by definition non-repeatable which leads to problem 1.
Since the entity has already been consumed the redirect for {{PUT}} cannot happen because the HttpClient cannot reupload the hash files: {noformat} [DEBUG] http-outgoing-2 << Location: http://127.0.0.1:8888/bb/redirected/repo/net/sf/michael-o/tomcat/tomcat-authnz-spnego-ad/3.5-SNAPSHOT/tomcat-authnz-spnego-ad-3.5-20200502.225116-23.jar.sha1 [DEBUG] http-outgoing-2 << Content-Length: 0 [DEBUG] http-outgoing-2 << Date: Sat, 02 May 2020 22:51:16 GMT [DEBUG] http-outgoing-2 << Connection: close [DEBUG] http-outgoing-2: Close connection [DEBUG] Connection discarded [DEBUG] Connection released: [id: 2][route: {}->http://localhost:8080][total available: 1; route allocated: 0 of 20; total allocated: 1 of 40] [DEBUG] Cannot redirect non-repeatable request {noformat} > Maven 3.5.0+ don't seem to send credentials after 301/302 http redirect > ----------------------------------------------------------------------- > > Key: WAGON-590 > URL: https://issues.apache.org/jira/browse/WAGON-590 > Project: Maven Wagon > Issue Type: Bug > Affects Versions: 3.4.0 > Reporter: Cintia DR > Priority: Major > Attachments: Screen Shot 2020-04-28 at 7.45.33 pm.png, any-auth.log, > master_osx.log, master_ubuntu.log, maven_x.log, mvn-master-batch.log, > mvn-wagon590branch-debug-osx.log, mvn-wagon590branch-osx.log, mvn339_osx.log, > mvn339_ubuntu.log, scoped-auth.log > > > Since maven 3.5.0 (including 3.6.3), maven seems to not send server > credentials if distributionManagement server response was a 301 or 302 HTTP > redirect. Note that the redirect is followed, but I receive unauthorised code. > Maven 3.2.5 and 3.3.9 work as expected. I could reproduce it on ubuntu and > OSX. Both are JDK 8, not sure if it could make any difference. > > All maven versions (including 3.2.5 and 3.3.9) are using the same version of > the deploy plugin (2.7), and upgrading it made no difference whatsoever. 
> ---- > If I use '[https://openmrs.jfrog.io/artifactory/snapshots/'] as my > 'distributionManagement', credentials are sent. > If I use > '[https://mavenrepo.openmrs.org/proxy/snapshots/|https://mavenrepo.openmrs.org/snapshots/']' > (a reverse proxy to > '[https://openmrs.jfrog.io/artifactory/snapshots/|https://openmrs.jfrog.io/artifactory/snapshots/']') > credentials are sent. > If I use '[https://mavenrepo.openmrs.org/snapshots/'] (a 301 redirect to > [https://openmrs.jfrog.io/artifactory/snapshots/|https://openmrs.jfrog.io/artifactory/snapshots/']) > as my distributionManagement, credentials are _not_ sent and the request > fails as it's unauthenticated. > > You can see the configuration of 'mavenrepo.openmrs.org' server here: > [https://github.com/openmrs/openmrs-contrib-itsmresources/blob/master/ansible/host_vars/campo.openmrs.org/vars#L33] > > All my artefacts are public to download, so I don't have a way to testing > downloading artefacts with server credentials. > > ---- > This is how the output looks like in maven 3.6.3: > {code:java} > > [INFO] --- maven-deploy-plugin:2.7:deploy (default-deploy) @ > releasetestmodule --- > Downloading from openmrs-repo-snapshots: > https://mavenrepo.openmrs.org/nexus/content/repositories/snapshots/org/openmrs/module/releasetestmodule/2.1.22-SNAPSHOT/maven-metadata.xml > Downloaded from openmrs-repo-snapshots: > https://mavenrepo.openmrs.org/nexus/content/repositories/snapshots/org/openmrs/module/releasetestmodule/2.1.22-SNAPSHOT/maven-metadata.xml > (616 B at 132 B/s) > Uploading to openmrs-repo-snapshots: > https://mavenrepo.openmrs.org/nexus/content/repositories/snapshots/org/openmrs/module/releasetestmodule/2.1.22-SNAPSHOT/releasetestmodule-2.1.22-20200427.091851-13.pom > ... 
> [ERROR] Failed to execute goal > org.apache.maven.plugins:maven-deploy-plugin:2.7:deploy (default-deploy) on > project releasetestmodule: Failed to deploy artifacts: Could not transfer > artifact org.openmrs.module:releasetestmodule:pom:2.1.22-20200427.091851-13 > from/to openmrs-repo-snapshots > (https://mavenrepo.openmrs.org/nexus/content/repositories/snapshots): > Transfer failed for > https://openmrs.jfrog.io/artifactory/snapshots/org/openmrs/module/releasetestmodule/2.1.22-SNAPSHOT/releasetestmodule-2.1.22-20200427.091851-13.pom > 401 Unauthorized -> [Help 1]{code} -- This message was sent by Atlassian Jira (v8.3.4#803005)