The reason Artifactory doesn't automatically hide the resource is that not
every resolving client authenticates preemptively (for security reasons).

This is an example of resolution when using non-preemptive authentication
and some resources are forbidden:

1. Client tries to resolve resource with an anonymous user
2. If the resource can't be found, Artifactory returns 404; but if the
   resource can't be found and some resources are hidden, Artifactory
   returns 401.
3. If the client receives a 401, it retries with authentication (assuming
   it's configured)
4. If the resource can be found, it's returned. If not, Artifactory
   returns 404

Now, if we take the same example resolution but all forbidden items are
hidden:

1. Client tries to resolve resource with an anonymous user
2. If the resource can't be found or some resources are hidden,
   Artifactory returns 404
3. If the client receives a 404, it stops and doesn't retry with an
   authenticated user

Thus, you'll potentially not be able to resolve some artifacts unless you
use preemptive authentication.

But in any case, you can configure Artifactory to return a 404 by checking
the "Hide Existence of Unauthorized Resources" checkbox in the general
security configuration panel.

On Wed, Jun 20, 2012 at 11:22 AM, Michal Galet <[email protected]> wrote:
> Hi,
>
> I've been experiencing this problem for a long time when using anonymous
> access from Gradle with a non-anonymous repository in a group. I will try
> to explain the scenario.
>
> - I have 1 secret repository with non-anonymous access that is included in
>   the libs-release group
> - Anonymous user can access (read, deploy to all remote) all repositories
>   but secret
> - When building with Gradle 1.0 it tries to resolve JAR artifacts even for
>   POM modules. The problem is that when the JAR does not exist it expects
>   404 but receives 401 instead.
> - The same behavior when using both maven or artifactory plugin
>
>
> Here is an example:
> * What went wrong:
> Could not resolve all dependencies for configuration ':testRuntime'.
> > Could not resolve group:org.apache.commons, module:commons-compress, version:1.3.
>   Required by:
>       com.example:gradle-test:1.0-SNAPSHOT
>    > Could not resolve group:org.apache.commons, module:commons-parent, version:22.
>       > Could not resolve group:org.apache, module:apache, version:9.
>          > Could not HEAD 'http://localhost:8081/artifactory/libs-release/org/apache/apache/9/apache-9.jar'.
>            Received status code 401 from server: Download request for repo:path
>            'secret-repo:org/apache/apache/9/apache-9.jar' is forbidden for user
>            'anonymous'.
>
> Build script:
> apply plugin: 'java'
> apply plugin: 'maven'
> group = 'com.example'
> version = '1.0-SNAPSHOT'
>
> repositories {
>     maven {
>         url "http://localhost:8081/artifactory/libs-release"
>         /*
>         credentials {
>             username "developer"
>             password "mysecretpass"
>         }*/
>     }
> }
>
> dependencies {
>     compile "org.apache.commons:commons-compress:1.3" // shouldn't fail
>     //compile "test:secret-artifact:1.0" // should fail
> }
>
> If the user does not have privileges to read from a repository that is in
> group shouldn't it be excluded from the resolving logic and return 404 if
> the artifact is not found? And return 401 only if the artifact is found in
> the secret repo?
>
> I can send you a quick guide how to set up a vanilla Artifactory
> installation (2.6.1) to reproduce this. Any comments are welcome.
>
> Thanks,
> Michal
>
> http://forums.jfrog.org/file/n7578040/any-but-secret.PNG any-but-secret.PNG
> http://forums.jfrog.org/file/n7578040/any-remote.PNG any-remote.PNG
> http://forums.jfrog.org/file/n7578040/secret.PNG secret.PNG
>
> --
> View this message in context:
> http://forums.jfrog.org/401-when-using-Gradle-and-anonymous-access-tp7578040.html
> Sent from the Artifactory - Users mailing list archive at Nabble.com.
>
>
> ------------------------------------------------------------------------------
> Live Security Virtual Conference
> Exclusive live event will cover all the ways today's security and
> threat landscape has changed and how IT managers can respond. Discussions
> will include endpoint security, mobile security and the latest in malware
> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> _______________________________________________
> Artifactory-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/artifactory-users
>
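
The two exchanges described in the reply above, as an added example that is
not part of the original thread and is not Artifactory code: a small Python
model of the virtual-repo status decision and of a client that does or does
not authenticate preemptively. The repo name public-repo, the Maven path for
test:secret-artifact:1.0, and the rule that any authenticated user may read
every repo are assumptions made for illustration.

```python
# Constructed model of the resolution flow described in the reply.
# Not Artifactory code; repo names, paths and the permission model are assumptions.
REPOS = {  # member repo of the virtual repo -> (anonymous may read?, paths it holds)
    "public-repo": (True, {"org/apache/apache/9/apache-9.pom"}),
    "secret-repo": (False, {"test/secret-artifact/1.0/secret-artifact-1.0.jar"}),
}

def server_status(path, user, hide_unauthorized):
    """Status the virtual repo returns; user=None means anonymous."""
    skipped_forbidden = False
    for anon_may_read, paths in REPOS.values():
        if user is None and not anon_may_read:
            skipped_forbidden = True   # caller may not look inside this repo
            continue
        if path in paths:
            return 200
    if skipped_forbidden and not hide_unauthorized:
        return 401                     # not found, but something was hidden
    return 404                         # not found, or existence is being hidden

def client_resolve(path, credentials, preemptive, hide_unauthorized):
    """Status codes seen by one client, in order."""
    if credentials and preemptive:
        return [server_status(path, credentials, hide_unauthorized)]
    seen = [server_status(path, None, hide_unauthorized)]  # anonymous first
    if seen[-1] == 401 and credentials:                    # challenged: retry
        seen.append(server_status(path, credentials, hide_unauthorized))
    return seen                                            # a 404 ends the attempt

MISSING_JAR = "org/apache/apache/9/apache-9.jar"           # exists in no repo
SECRET_JAR = "test/secret-artifact/1.0/secret-artifact-1.0.jar"

if __name__ == "__main__":
    cases = [
        ("anonymous, missing jar, hide off", (MISSING_JAR, None, False, False)),
        ("anonymous, missing jar, hide on", (MISSING_JAR, None, False, True)),
        ("non-preemptive, secret jar, hide off", (SECRET_JAR, "developer", False, False)),
        ("non-preemptive, secret jar, hide on", (SECRET_JAR, "developer", False, True)),
        ("preemptive, secret jar, hide on", (SECRET_JAR, "developer", True, True)),
    ]
    for label, args in cases:
        print(f"{label}: {client_resolve(*args)}")
```

The first case is the 401 from the original report; the fourth is the case the
reply warns about, where hiding turns the 401 into a 404 and a non-preemptive
client never sends its credentials.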