Maven Wagon

Maven uses artifact download credentials during deployment in some circumstances

Details

  • Type: Bug Bug
  • Status: Open Open
  • Priority: Major Major
  • Resolution: Unresolved
  • Affects Version/s: 1.0-beta-6
  • Fix Version/s: None
  • Component/s: wagon-http-lightweight
  • Labels:
    None
  • Number of attachments :
    0

Description

If Maven downloads an artifact using authorization, this authorization seems to be cached, which can cause a subsequent deployment to succeed where it should have failed.

Steps to reproduce:

  1. Set up a build which will require downloading an artifact from a Nexus server which requires authentication, and configure your settings.xml appropriately.
  2. Create a project with a distribution management section which points to a repository in the above server. Make sure the repository id doesn't exist in your settings.xml
  3. Run "mvn deploy"

What happens:

If the credentials used to download artifacts from Nexus have deployment privileges in the Nexus repository the deployment will succeed.

Now run "mvn deploy" again. This time the deployment will fail with a 401 code.

This bug exists in both Maven 2.2.1 and the latest Maven 3.0 snapshots.

Activity

Ascending order - Click to sort in descending order
Hide
Permalink
Brian Fox added a comment -

We saw this when using the lightweight code also in some ITs. It appears that it's the Jdk urlconnection that is doing the actual caching and I don't think we ever figured out how to make it stop. It seems to remember the host and pre-emptively send the credentials, which turns out is a good thing in many cases because it reduces the upload requirements on authenticated repos.

Show
Brian Fox added a comment - We saw this when using the lightweight code also in some ITs. It appears that it's the Jdk urlconnection that is doing the actual caching and I don't think we ever figured out how to make it stop. It seems to remember the host and pre-emptively send the credentials, which turns out is a good thing in many cases because it reduces the upload requirements on authenticated repos.
Hide
Permalink
Brad Hendricks added a comment -

I believe I am also suffering from this issue.

I am using maven 2.2.1 on OS X, and I have a pom.xml which has a repo configured in the Repositories section, as well as a different repository configured in the DistributionManagement section. I am using Nexus as the repository, the Repositories section acutally points to a Group and the DistributionManagement section points to the underlying repository, thus the urls are like

https://foo.com/My_Group/
and
https://foo.com/snapshots/

In my settings.xml I have two server entries for these repos, the first one has a read-only account and the second one has an account with deployment rights. I am unable to deploy my project. The Nexus logs show that during deployment maven attempts to authenticate using the credentials of the first server and not the deployment credentials.

If I remove the entry from the Repositories section I am able to deploy.

Show
Brad Hendricks added a comment - I believe I am also suffering from this issue. I am using maven 2.2.1 on OS X, and I have a pom.xml which has a repo configured in the Repositories section, as well as a different repository configured in the DistributionManagement section. I am using Nexus as the repository, the Repositories section acutally points to a Group and the DistributionManagement section points to the underlying repository, thus the urls are like https://foo.com/My_Group/ and https://foo.com/snapshots/ In my settings.xml I have two server entries for these repos, the first one has a read-only account and the second one has an account with deployment rights. I am unable to deploy my project. The Nexus logs show that during deployment maven attempts to authenticate using the credentials of the first server and not the deployment credentials. If I remove the entry from the Repositories section I am able to deploy.

People

Vote (3)
Watch (4)

Dates

  • Created:
    Updated:
Atlassian JIRA (v4.4.3#663-r165197) | Report a problem
Powered by a free Atlassian JIRA open source license for Codehaus. Try JIRA - bug tracking software for your team.