Posted to issues@archiva.apache.org by "Wendy Smoak (JIRA)" <ji...@codehaus.org> on 2010/12/23 19:18:58 UTC

[jira] Commented: (MRM-1181) HTTP 401 - Unauthorized is Returned when Accessing Artifact from Repository Group if the User Doesn't Have Access to All Repositories in the Group

    [ http://jira.codehaus.org/browse/MRM-1181?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=249578#action_249578 ] 

Wendy Smoak commented on MRM-1181:
----------------------------------

I can reproduce this in 1.3.  For me it happens when a repository the user does _not_ have access to contains the full or partial groupId path.

For example:

imbrium:Downloads wsmoak$ wget --user=build --password=bu1Ld http://localhost:8765/archiva/repository/all/com/example/doesnotexist/1.0-SNAPSHOT/maven-metadata.xml
--2010-12-23 13:05:57--  http://localhost:8765/archiva/repository/all/com/example/doesnotexist/1.0-SNAPSHOT/maven-metadata.xml
Resolving localhost... 127.0.0.1, ::1
Connecting to localhost|127.0.0.1|:8765... connected.
HTTP request sent, awaiting response... 401 Unauthorized
Reusing existing connection to localhost:8765.
HTTP request sent, awaiting response... 401 Unauthorized
Authorization failed.

will happen if 
 - the 'all' repo group contains internal, snapshots, and another 
 - the 'build' user does not have access to the 'another' repository
 - the 'another' repository has, at minimum, a 'com' subdirectory.  It could have com/example or even contain other artifacts in the com.example group or below.

The fact that Archiva says 401 when the artifact is nowhere in any of its repositories causes confusing results as Maven blacklists the repo and reports a bunch of *other* artifacts missing (that really are present.)

The only time I would think the 401 is appropriate is if the 'another' repository actually contained the artifact being requested.  And even then I'm not sure it's worth being technically correct when it's going to cause Maven to blacklist the repo and not be able to retrieve other things that the user may be authorized to see.

> HTTP 401 - Unauthorized is Returned when Accessing Artifact from Repository Group if the User Doesn't Have Access to All Repositories in the Group
> --------------------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: MRM-1181
>                 URL: http://jira.codehaus.org/browse/MRM-1181
>             Project: Archiva
>          Issue Type: Bug
>          Components: Users/Security
>    Affects Versions: 1.2
>         Environment: Archiva 1.2; Tomcat 6.0.16; JRE 1.6.0_06-b02
>            Reporter: Scott Seiter
>            Priority: Minor
>             Fix For: 1.4
>
>
> When trying to access an artifact via a repository group, Archiva returns 'HTTP 401 - Unauthorized' when the artifact can't be found in the set of repositories the user has access to and there is at least 1 repository in the repository group the user doesn't have permission to access.
> In this case it may be more logical to return an HTTP 404 instead of an HTTP 401.
> On the client machine, Maven responds to the 401 with (where the repository group name is group-repo-name): 
> [WARNING] repository metadata for: 'artifact org.apache.maven.plugins:maven-checkstyle-plugin' could not be retrieved from repository: group-repo-name due to an error: Error transferring file
> [INFO] Repository 'group-repo-name' will be blacklisted
> By the way, the artifact being requested is http://maven.co.myorganization.org/archiva/repository/group-repo-name/org/apache/maven/plugins/maven-checkstyle-plugin/2.2/maven-checkstyle-plugin-2.2.pom.
> Another note, the wire trace shows that the client requests the resource 20 times and receives 20 HTTP 401 messages from the server in response.

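Added example (not part of the original message and not Archiva code): a small model of how a repository group could choose between 200, 401 and 404, contrasting the behaviour reported in the comment with the policy it suggests. The Repo class, the function names, the challenge_on_hidden_hit flag and the stored paths are assumptions made for illustration; only the repository names and the requested path come from the message.

```python
# Model only, not Archiva source. Repository names follow the comment above;
# the stored artifact paths are constructed sample data.
from dataclasses import dataclass, field

@dataclass
class Repo:
    name: str
    paths: set = field(default_factory=set)  # artifact files held by this repo

    def has_file(self, path):
        return path in self.paths

    def has_prefix_dir(self, path):
        # True if the first directory of `path` (e.g. "com") exists in this repo.
        top = path.split("/")[0] + "/"
        return any(p.startswith(top) for p in self.paths)

def _served(group, readable, path):
    return any(r.name in readable and r.has_file(path) for r in group)

def observed_status(group, readable, path):
    """Reported behaviour: a shared directory prefix in an unreadable repo yields 401."""
    if _served(group, readable, path):
        return 200
    if any(r.name not in readable and r.has_prefix_dir(path) for r in group):
        return 401
    return 404

def proposed_status(group, readable, path, challenge_on_hidden_hit=True):
    """Suggested policy: 401 only if an unreadable repo really holds the file.

    challenge_on_hidden_hit=False models the stricter option of answering 404
    even then, so the client never blacklists the whole group.
    """
    if _served(group, readable, path):
        return 200
    hidden_hit = any(r.name not in readable and r.has_file(path) for r in group)
    return 401 if (hidden_hit and challenge_on_hidden_hit) else 404

# Constructed layout matching the three conditions listed in the comment.
GROUP_ALL = [
    Repo("internal", {"org/example/lib/1.0/lib-1.0.pom"}),
    Repo("snapshots"),
    Repo("another", {"com/example/other/1.0/other-1.0.pom"}),
]
BUILD_USER_READS = {"internal", "snapshots"}  # 'build' cannot read 'another'
MISSING = "com/example/doesnotexist/1.0-SNAPSHOT/maven-metadata.xml"

if __name__ == "__main__":
    print("observed:", observed_status(GROUP_ALL, BUILD_USER_READS, MISSING))
    print("proposed:", proposed_status(GROUP_ALL, BUILD_USER_READS, MISSING))
```
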