maven-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Brian Fox (JIRA)" <j...@codehaus.org>
Subject [jira] Updated: (WAGON-291) Maven uses artifact download credentials during deployment in some circumstances
Date Wed, 11 Nov 2009 02:36:55 GMT

     [ http://jira.codehaus.org/browse/WAGON-291?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Brian Fox updated WAGON-291:
----------------------------

    Component/s:     (was: wagon-http)
                 wagon-http-lightweight
    Description: 
If Maven downloads an artifact using authorization, this authorization seems to be cached,
which can cause a subsequent deployment to succeed where it should have failed.

Steps to reproduce:

# Set up a build which will require downloading an artifact from a Nexus server which requires
authentication, and configure your settings.xml appropriately.
# Create a project with a distribution management section which points to a repository in
the above server. Make sure the repository id doesn't exist in your settings.xml
# Run "mvn deploy"

What happens:

If the credentials used to download artifacts from Nexus have deployment privileges in the
Nexus repository the deployment will succeed.

Now run "mvn deploy" again. This time the deployment will fail with a 401 code.

This bug exists in both Maven 2.2.1 and the latest Maven 3.0 snapshots.



  was:

If Maven downloads an artifact using authorization, this authorization seems to be cached,
which can cause a subsequent deployment to succeed where it should have failed.

Steps to reproduce:

# Set up a build which will require downloading an artifact from a Nexus server which requires
authentication, and configure your settings.xml appropriately.
# Create a project with a distribution management section which points to a repository in
the above server. Make sure the repository id doesn't exist in your settings.xml
# Run "mvn deploy"

What happens:

If the credentials used to download artifacts from Nexus have deployment privileges in the
Nexus repository the deployment will succeed.

Now run "mvn deploy" again. This time the deployment will fail with a 401 code.

This bug exists in both Maven 2.2.1 and the latest Maven 3.0 snapshots.




We saw this when using the lightweight code also in some ITs. It appears that it's the Jdk
urlconnection that is doing the actual caching and I don't think we ever figured out how to
make it stop. It seems to remember the host and pre-emptively send the credentials, which
turns out is a good thing in many cases because it reduces the upload requirements on authenticated
repos.

> Maven uses artifact download credentials during deployment in some circumstances
> --------------------------------------------------------------------------------
>
>                 Key: WAGON-291
>                 URL: http://jira.codehaus.org/browse/WAGON-291
>             Project: Maven Wagon
>          Issue Type: Bug
>          Components: wagon-http-lightweight
>    Affects Versions: 1.0-beta-6
>            Reporter: Rich Seddon
>
> If Maven downloads an artifact using authorization, this authorization seems to be cached,
which can cause a subsequent deployment to succeed where it should have failed.
> Steps to reproduce:
> # Set up a build which will require downloading an artifact from a Nexus server which
requires authentication, and configure your settings.xml appropriately.
> # Create a project with a distribution management section which points to a repository
in the above server. Make sure the repository id doesn't exist in your settings.xml
> # Run "mvn deploy"
> What happens:
> If the credentials used to download artifacts from Nexus have deployment privileges in
the Nexus repository the deployment will succeed.
> Now run "mvn deploy" again. This time the deployment will fail with a 401 code.
> This bug exists in both Maven 2.2.1 and the latest Maven 3.0 snapshots.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://jira.codehaus.org/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

        

Mime
View raw message