[
https://issues.apache.org/jira/browse/MNG-7719?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Tamas Cservenak closed MNG-7719.
--------------------------------
Resolution: Won't Fix
The original issue of reporter was fixed (their own HTTP Server did not
challenge, so transport-http did not auth either). The slowness of deploy is
being addressed in latest resolver, that will come with Maven 3.9.1
> Maven 3.9.0 native http transport ignores username/password for basic auth
> --------------------------------------------------------------------------
>
> Key: MNG-7719
> URL: https://issues.apache.org/jira/browse/MNG-7719
> Project: Maven
> Issue Type: Improvement
> Components: Core, Deployment
> Affects Versions: 3.9.0
> Reporter: Adam Gent
> Priority: Major
> Fix For: waiting-for-feedback
>
>
> In 3.9.0 the default maven http transport switched from wagon to native.
> It appears that the native transport does not respect:
> {code:xml}
> <server>
> <id>some-repo</id>
> <username>some-username</username>
> <password>basic-auth-password</password>
> </server>
> {code}
> Now when you do a mvn deploy to some-repo the basic auth headers are missing.
> This is probably causing github package problems:
> https://github.com/orgs/community/discussions/49001
> -----
> The issue appears to be that the native client respects Basic Auth Challenges
> and our server did not do that (it never sends the WWW-Authenticate) as the
> original Wagon HTTP transport did not need it.
> The wagon version will always send the credentials on PUT and POST but no
> credentials on GET of maven metadata.
> The wagon version basically is like a header API key when doing basic auth
> instead of the true basic auth workflow.
> For whatever reason I removed the WWW-Authenticate header probably for
> security reasons.
> Since the native client is doing technically the right thing this is not a
> bug however it would be nice if there was some option to revert to the old
> behavior as it does save a round trip on PUT (a 401 needs to happen with the
> header before native will send credentials).
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
