[
https://issues.apache.org/jira/browse/MNG-7719?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17696493#comment-17696493
]
Slawomir Jaranowski commented on MNG-7719:
------------------------------------------
Ok,
For uploading snapshot version we have:
{noformat}
[INFO] --- deploy:3.1.0:deploy (default-deploy) @ test ---
Downloading from github:
https://maven.pkg.github.com/slawekjaranowski/test/test/test/1.6-SNAPSHOT/maven-metadata.xml
Downloaded from github:
https://maven.pkg.github.com/slawekjaranowski/test/test/test/1.6-SNAPSHOT/maven-metadata.xml
(3.5 kB at 3.2 kB/s)
Uploading to github:
https://maven.pkg.github.com/slawekjaranowski/test/test/test/1.6-SNAPSHOT/test-1.6-20230304.215214-5.pom
Uploaded to github:
https://maven.pkg.github.com/slawekjaranowski/test/test/test/1.6-SNAPSHOT/test-1.6-20230304.215214-5.pom
(2.1 kB at 753 B/s)
{noformat}
For release version:
{noformat}
[INFO] --- deploy:3.1.0:deploy (default-deploy) @ test ---
Uploading to github:
https://maven.pkg.github.com/slawekjaranowski/test/test/test/1.6/test-1.6.pom
Uploading to github:
https://maven.pkg.github.com/slawekjaranowski/test/test/test/1.6/test-1.6.jar
Uploaded to github:
https://maven.pkg.github.com/slawekjaranowski/test/test/test/1.6/test-1.6.jar
(1.9 kB at 630 B/s)
{noformat}
So we see that for snapshot the first request is downloading a metadata - and
auth challenge is done in this step, next step with PUT will have authorisation.
For release version first request is for PUT and in this step auth challenge
failed for some reason
> Maven 3.9.0 native http transport ignores username/password for basic auth
> --------------------------------------------------------------------------
>
> Key: MNG-7719
> URL: https://issues.apache.org/jira/browse/MNG-7719
> Project: Maven
> Issue Type: Improvement
> Components: Core, Deployment
> Affects Versions: 3.9.0
> Reporter: Adam Gent
> Priority: Major
> Fix For: waiting-for-feedback
>
>
> In 3.9.0 the default maven http transport switched from wagon to native.
> It appears that the native transport does not respect:
> {code:xml}
> <server>
> <id>some-repo</id>
> <username>some-username</username>
> <password>basic-auth-password</password>
> </server>
> {code}
> Now when you do a mvn deploy to some-repo the basic auth headers are missing.
> This is probably causing github package problems:
> https://github.com/orgs/community/discussions/49001
> -----
> The issue appears to be that the native client respects Basic Auth Challenges
> and our server did not do that (it never sends the WWW-Authenticate) as the
> original Wagon HTTP transport did not need it.
> The wagon version will always send the credentials on PUT and POST but no
> credentials on GET of maven metadata.
> The wagon version basically is like a header API key when doing basic auth
> instead of the true basic auth workflow.
> For whatever reason I removed the WWW-Authenticate header probably for
> security reasons.
> Since the native client is doing technically the right thing this is not a
> bug however it would be nice if there was some option to revert to the old
> behavior as it does save a round trip on PUT (a 401 needs to happen with the
> header before native will send credentials).
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
