[
https://issues.apache.org/jira/browse/MNG-7719?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Adam Gent updated MNG-7719:
---------------------------
Description:
In 3.9.0 the default maven http transport switched from wagon to native.
It appears that the native transport does not respect:
{code:xml}
<server>
<id>some-repo</id>
<username>some-username</username>
<password>basic-auth-password</password>
</server>
{code}
Now when you do a mvn deploy to some-repo the basic auth headers are missing.
This is probably causing github package problems:
https://github.com/orgs/community/discussions/49001
-----
The issue appears to be that the native client respects Basic Auth Challenges
and our server did not do that (it never sends the WWW-Authenticate) as the
original Wagon HTTP transport did not need it.
The wagon version will always send the credentials on PUT and POST but no
credentials on GET of maven metadata.
The wagon version basically is like a header API key when doing basic auth
instead of the true basic auth workflow.
For whatever reason I removed the WWW-Authenticate header probably for security
reasons.
Since the native client is doing technically the right thing this is not a bug
however it would be nice if there was some option to revert to the old behavior
as it does save a round trip on PUT (a 401 needs to happen with the header
before native will send credentials).
was:
In 3.9.0 the default maven http transport switched from wagon to native.
It appears that the native transport does not respect:
{code:xml}
<server>
<id>some-repo</id>
<username>some-username</username>
<password>basic-auth-password</password>
</server>
{code}
Now when you do a mvn deploy to some-repo the basic auth headers are missing.
This is probably causing github package problems:
https://github.com/orgs/community/discussions/49001
-----
The issue appears to
> Maven 3.9.0 native http transport ignores username/password for basic auth
> --------------------------------------------------------------------------
>
> Key: MNG-7719
> URL: https://issues.apache.org/jira/browse/MNG-7719
> Project: Maven
> Issue Type: Improvement
> Components: Core, Deployment
> Affects Versions: 3.9.0
> Reporter: Adam Gent
> Priority: Major
> Fix For: waiting-for-feedback
>
>
> In 3.9.0 the default maven http transport switched from wagon to native.
> It appears that the native transport does not respect:
> {code:xml}
> <server>
> <id>some-repo</id>
> <username>some-username</username>
> <password>basic-auth-password</password>
> </server>
> {code}
> Now when you do a mvn deploy to some-repo the basic auth headers are missing.
> This is probably causing github package problems:
> https://github.com/orgs/community/discussions/49001
> -----
> The issue appears to be that the native client respects Basic Auth Challenges
> and our server did not do that (it never sends the WWW-Authenticate) as the
> original Wagon HTTP transport did not need it.
> The wagon version will always send the credentials on PUT and POST but no
> credentials on GET of maven metadata.
> The wagon version basically is like a header API key when doing basic auth
> instead of the true basic auth workflow.
> For whatever reason I removed the WWW-Authenticate header probably for
> security reasons.
> Since the native client is doing technically the right thing this is not a
> bug however it would be nice if there was some option to revert to the old
> behavior as it does save a round trip on PUT (a 401 needs to happen with the
> header before native will send credentials).
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
