Posted to issues@archiva.apache.org by "Scott Seiter (JIRA)" <ji...@codehaus.org> on 2009/05/08 01:40:44 UTC

[jira] Created: (MRM-1181) HTTP 401 - Unauthorized is Returned when Accessing Artifact from Repository Group if the User Doesn't Have Access to All Repositories in the Group

HTTP 401 - Unauthorized is Returned when Accessing Artifact from Repository Group if the User Doesn't Have Access to All Repositories in the Group
--------------------------------------------------------------------------------------------------------------------------------------------------

                 Key: MRM-1181
                 URL: http://jira.codehaus.org/browse/MRM-1181
             Project: Archiva
          Issue Type: Bug
          Components: Users/Security
    Affects Versions: 1.2
         Environment: Archiva 1.2; Tomcat 6.0.16; JRE 1.6.0_06-b02
            Reporter: Scott Seiter
            Priority: Minor


When trying to access an artifact via a repository group, Archiva returns 'HTTP 401 - Unauthorized' when the artifact can't be found in the set of repositories the user has access to and there is at least 1 repository in the repository group the user doesn't have permission to access.

In this case it may be more logical to return an HTTP 404 instead of an HTTP 401.

On the client machine, Maven responds to the 401 with (where the repository group name is group-repo-name): 

[WARNING] repository metadata for: 'artifact org.apache.maven.plugins:maven-checkstyle-plugin' could not be retrieved from repository: group-repo-name due to an error: Error transferring file
[INFO] Repository 'group-repo-name' will be blacklisted

By the way, the artifact being requested is http://maven.co.myorganization.org/archiva/repository/group-repo-name/org/apache/maven/plugins/maven-checkstyle-plugin/2.2/maven-checkstyle-plugin-2.2.pom.

Another note, the wire trace shows that the client requests the resource 20 times and receives 20 HTTP 401 messages from the server in response.


-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://jira.codehaus.org/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

        

[jira] Updated: (MRM-1181) HTTP 401 - Unauthorized is Returned when Accessing Artifact from Repository Group if the User Doesn't Have Access to All Repositories in the Group

Posted by "Maria Odea Ching (JIRA)" <ji...@codehaus.org>.
     [ http://jira.codehaus.org/browse/MRM-1181?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Maria Odea Ching updated MRM-1181:
----------------------------------

    Fix Version/s:     (was: 1.3)
                   1.3.1

> HTTP 401 - Unauthorized is Returned when Accessing Artifact from Repository Group if the User Doesn't Have Access to All Repositories in the Group
> --------------------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: MRM-1181
>                 URL: http://jira.codehaus.org/browse/MRM-1181
>             Project: Archiva
>          Issue Type: Bug
>          Components: Users/Security
>    Affects Versions: 1.2
>         Environment: Archiva 1.2; Tomcat 6.0.16; JRE 1.6.0_06-b02
>            Reporter: Scott Seiter
>            Priority: Minor
>             Fix For: 1.3.1

        

[jira] Commented: (MRM-1181) HTTP 401 - Unauthorized is Returned when Accessing Artifact from Repository Group if the User Doesn't Have Access to All Repositories in the Group

Posted by "Stefan Seifert (JIRA)" <ji...@codehaus.org>.
    [ http://jira.codehaus.org/browse/MRM-1181?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=208144#action_208144 ] 

Stefan Seifert commented on MRM-1181:
-------------------------------------

We need a fix for this issue, too.

It prevents downloading source attachments for our projects and results in blacklisting the Archiva repository in the Maven client, e.g.:
{noformat}
[INFO] Scanning for projects...
[INFO] snapshot de.xxx.dfra:de.xxx.dfra.parent_toplevel:0.5.0-SNAPSHOT: checking for updates from pvtool.repository
[WARNING] repository metadata for: 'snapshot de.xxx.dfra:de.xxx.dfra.parent_toplevel:0.5.0-SNAPSHOT'
could not be retrieved from repository: pvtool.repository due to an error:
Authorization failed: Access denied to: https://xxx/archiva/repository/default/de/xxx
/dfra/de.xxx.dfra.parent_toplevel/0.5.0-SNAPSHOT/maven-metadata.xml
[INFO] Repository 'pvtool.repository' will be blacklisted
{noformat}

> HTTP 401 - Unauthorized is Returned when Accessing Artifact from Repository Group if the User Doesn't Have Access to All Repositories in the Group
> --------------------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: MRM-1181
>                 URL: http://jira.codehaus.org/browse/MRM-1181
>             Project: Archiva
>          Issue Type: Bug
>          Components: Users/Security
>    Affects Versions: 1.2
>         Environment: Archiva 1.2; Tomcat 6.0.16; JRE 1.6.0_06-b02
>            Reporter: Scott Seiter
>            Priority: Minor
>             Fix For: 1.4

        

[jira] Commented: (MRM-1181) HTTP 401 - Unauthorized is Returned when Accessing Artifact from Repository Group if the User Doesn't Have Access to All Repositories in the Group

Posted by "Stefan Seifert (JIRA)" <ji...@codehaus.org>.
    [ http://jira.codehaus.org/browse/MRM-1181?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=208145#action_208145 ] 

Stefan Seifert commented on MRM-1181:
-------------------------------------

By the way, this problem did not exist in Apache Archiva 1.1.x.
It exists in Archiva 1.2 and 1.3 as well.

> HTTP 401 - Unauthorized is Returned when Accessing Artifact from Repository Group if the User Doesn't Have Access to All Repositories in the Group
> --------------------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: MRM-1181
>                 URL: http://jira.codehaus.org/browse/MRM-1181
>             Project: Archiva
>          Issue Type: Bug
>          Components: Users/Security
>    Affects Versions: 1.2
>         Environment: Archiva 1.2; Tomcat 6.0.16; JRE 1.6.0_06-b02
>            Reporter: Scott Seiter
>            Priority: Minor
>             Fix For: 1.4

        

[jira] Updated: (MRM-1181) HTTP 401 - Unauthorized is Returned when Accessing Artifact from Repository Group if the User Doesn't Have Access to All Repositories in the Group

Posted by "Brett Porter (JIRA)" <ji...@codehaus.org>.
     [ http://jira.codehaus.org/browse/MRM-1181?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Brett Porter updated MRM-1181:
------------------------------

    Fix Version/s: 1.3

I agree, 404 should be the correct behaviour

> HTTP 401 - Unauthorized is Returned when Accessing Artifact from Repository Group if the User Doesn't Have Access to All Repositories in the Group
> --------------------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: MRM-1181
>                 URL: http://jira.codehaus.org/browse/MRM-1181
>             Project: Archiva
>          Issue Type: Bug
>          Components: Users/Security
>    Affects Versions: 1.2
>         Environment: Archiva 1.2; Tomcat 6.0.16; JRE 1.6.0_06-b02
>            Reporter: Scott Seiter
>            Priority: Minor
>             Fix For: 1.3

        

[jira] Commented: (MRM-1181) HTTP 401 - Unauthorized is Returned when Accessing Artifact from Repository Group if the User Doesn't Have Access to All Repositories in the Group

Posted by "Wendy Smoak (JIRA)" <ji...@codehaus.org>.
    [ http://jira.codehaus.org/browse/MRM-1181?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=249578#action_249578 ] 

Wendy Smoak commented on MRM-1181:
----------------------------------

I can reproduce this in 1.3.  For me it happens when a repository the user does _not_ have access to contains the full or partial groupId path.

For example:

imbrium:Downloads wsmoak$ wget --user=build --password=bu1Ld http://localhost:8765/archiva/repository/all/com/example/doesnotexist/1.0-SNAPSHOT/maven-metadata.xml
--2010-12-23 13:05:57--  http://localhost:8765/archiva/repository/all/com/example/doesnotexist/1.0-SNAPSHOT/maven-metadata.xml
Resolving localhost... 127.0.0.1, ::1
Connecting to localhost|127.0.0.1|:8765... connected.
HTTP request sent, awaiting response... 401 Unauthorized
Reusing existing connection to localhost:8765.
HTTP request sent, awaiting response... 401 Unauthorized
Authorization failed.

will happen if 
 - the 'all' repo group contains internal, snapshots, and another 
 - the 'build' user does not have access to the 'another' repository
 - the 'another' repository has, at minimum, a 'com' subdirectory.  It could have com/example or even contain other artifacts in the com.example group or below.

The fact that Archiva says 401 when the artifact is nowhere in any of its repositories causes confusing results as Maven blacklists the repo and reports a bunch of *other* artifacts missing (that really are present.)

The only time I would think the 401 is appropriate is if the 'another' repository actually contained the artifact being requested.  And even then I'm not sure it's worth being technically correct when it's going to cause Maven to blacklist the repo and not be able to retrieve other things that the user may be authorized to see.

> HTTP 401 - Unauthorized is Returned when Accessing Artifact from Repository Group if the User Doesn't Have Access to All Repositories in the Group
> --------------------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: MRM-1181
>                 URL: http://jira.codehaus.org/browse/MRM-1181
>             Project: Archiva
>          Issue Type: Bug
>          Components: Users/Security
>    Affects Versions: 1.2
>         Environment: Archiva 1.2; Tomcat 6.0.16; JRE 1.6.0_06-b02
>            Reporter: Scott Seiter
>            Priority: Minor
>             Fix For: 1.4
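
Added example (not Archiva's code and not written by anyone in this thread): a small Python model of the repository-group lookup discussed above, contrasting the reported 401 with the 404 the thread asks for. The group 'all', the repositories internal/snapshots/another and the 'build' user come from Wendy Smoak's comment; the class, function names and artifact paths are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class Repo:
    name: str
    files: set  # artifact paths stored in this repository (constructed sample data)

    def has_file(self, path):
        return path in self.files

    def has_dir_prefix(self, path):
        # True when the repo holds anything under the first directory of `path`
        # (the trigger in the comment: "at minimum, a 'com' subdirectory").
        top = path.split("/", 1)[0] + "/"
        return any(f.startswith(top) for f in self.files)


def resolve_reported(group, readable, path):
    """Model of the behaviour reported in MRM-1181 (an assumption, not Archiva's logic)."""
    denied = False
    for repo in group:
        if repo.name in readable:
            if repo.has_file(path):
                return 200, repo.name
        elif repo.has_dir_prefix(path):
            denied = True  # an unreadable repo matched part of the path
    return (401, None) if denied else (404, None)


def resolve_requested(group, readable, path):
    """Behaviour asked for in the thread: consult only readable repos, else 404."""
    for repo in group:
        if repo.name in readable and repo.has_file(path):
            return 200, repo.name
    # Same answer whether or not an unreadable repo holds the path, so the
    # status code does not reveal what sits in repositories the user cannot read.
    return 404, None


# Constructed sample data mirroring the setup described in the comment.
GROUP = [
    Repo("internal", {"com/example/app/1.0/app-1.0.pom"}),
    Repo("snapshots", set()),
    Repo("another", {"com/example/other/1.0/other-1.0.pom"}),
]
READABLE = {"internal", "snapshots"}  # the 'build' user cannot read 'another'
MISSING = "com/example/doesnotexist/1.0-SNAPSHOT/maven-metadata.xml"
PRESENT = "com/example/app/1.0/app-1.0.pom"
HIDDEN = "com/example/other/1.0/other-1.0.pom"
```

With this data, resolve_reported(GROUP, READABLE, MISSING) yields the 401 that makes Maven blacklist the whole group, while resolve_requested yields 404 for both MISSING and HIDDEN.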