[
https://jira.codehaus.org/browse/WAGON-422?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Herve Boutemy updated WAGON-422:
--------------------------------
Description:
Based on our needs as described in this post to the mailing list:
{quote}
We are trying to stand up a highly-available Maven repository that is protected
by an SSO solution using Basic Auth over SSL. The architecture is as follows:
1.) Maven clients connect over the internet to the repository using
maven.example.com
2.) maven.example.com is a hardware load balancer DNS alias that uses HTTP
301 to redirect to repo.example.com
3.) repo.example.com uses HTTP 302 to redirect the request to
login.example.com
4.) login.example.com sends back HTTP 401 to require authentication
5.) The client returns the request with the Authorization header and
login.example.com uses HTTP 302 to redirect the request back to
repo.example.com with the proper Authorization header and retrieve the artifact.
We define the repository in settings.xml with a url of
https://maven.example.com. The problem we are running into is that the Maven
HTTP Wagon code is setting the AuthScope based on the Repository URL's host
(and port, if supplied).
{code:java}
Credentials creds = new UsernamePasswordCredentials( username, password );
String host = getRepository().getHost();
int port = getRepository().getPort() > -1 ? getRepository().getPort() : AuthScope.ANY_PORT;
credentialsProvider.setCredentials( new AuthScope( host, port ), creds );
{code}
As such, the AuthScope is created with "maven.example.com" and "-1"
(i.e., AuthScope.ANY_PORT). This causes the Authorization header to not be
returned in response to the HTTP 401 challenge and Maven simply moves on to try
to retrieve the artifact from Maven Central (but the artifact isn't there).
From reading the code, there doesn't appear to be any way of telling Maven to
set the AuthScope realm to a value that we specify (and the AuthScope host to
AuthScope.ANY_HOST). Are we missing something obvious or, as we believe, do
we need to enhance Maven to support this type of configuration?
{quote}
We are submitting a patch that provides customization of AuthScope fields via
wagon settings. Allows AuthScope host and port to differ from the associated
repository host and port if needed. Value of "ANY" permits more flexible
AuthScope.
An example configuration snippet, providing AuthScope of any host, any port and
specific realm would look like:
{code:xml}
<server>
  <id>server-id</id>
  <username>user</username>
  <password>password</password>
  <configuration>
    <basicAuthScope>
      <host>ANY</host>
      <port>ANY</port>
      <realm>My Realm</realm>
    </basicAuthScope>
    <httpConfiguration>
      <all>
        <params>
          <property>
            <name>http.protocol.max-redirects</name>
            <value>%i,20</value>
          </property>
          <property>
            <name>http.protocol.allow-circular-redirects</name>
            <value>%b,true</value>
          </property>
        </params>
      </all>
    </httpConfiguration>
  </configuration>
</server>
{code}
The feature also allows for the same AuthScope overrides for proxy Basic auth
using the <proxyBasicAuthScope> element.
was:
Based on our needs as described in this post to the mailing list:
{quote}
We are trying to stand up a highly-available Maven repository that is protected
by an SSO solution using Basic Auth over SSL. The architecture is as follows:
1.) Maven clients connect over the internet to the repository using
maven.example.com
2.) maven.example.com is a hardware load balancer DNS alias that uses HTTP
301 to redirect to repo.example.com
3.) repo.example.com uses HTTP 302 to redirect the request to
login.example.com
4.) login.example.com sends back HTTP 401 to require authentication
5.) The client returns the request with the Authorization header and
login.example.com uses HTTP 302 to redirect the request back to
repo.example.com with the proper Authorization header and retrieve the artifact.
We define the repository in settings.xml with a url of
https://maven.example.com. The problem we are running into is that the Maven
HTTP Wagon code is setting the AuthScope based on the Repository URL's host
(and port, if supplied).
{code:java}
Credentials creds = new UsernamePasswordCredentials( username, password );
String host = getRepository().getHost();
int port = getRepository().getPort() > -1 ? getRepository().getPort() : AuthScope.ANY_PORT;
credentialsProvider.setCredentials( new AuthScope( host, port ), creds );
{code}
As such, the AuthScope is created with "maven.example.com" and "-1" (i.e.,
AuthScope.ANY_PORT). This causes the Authorization header to not be returned
in response to the HTTP 401 challenge and Maven simply moves on to try to
retrieve the artifact from Maven Central (but the artifact isn't there).
From reading the code, there doesn't appear to be any way of telling Maven to
set the AuthScope realm to a value that we specify (and the AuthScope host to
AuthScope.ANY_HOST). Are we missing something obvious or, as we believe, do
we need to enhance Maven to support this type of configuration?
{quote}
We are submitting a patch that provides customization of AuthScope fields via
wagon settings. Allows AuthScope host and port to differ from the associated
repository host and port if needed. Value of "ANY" permits more flexible
AuthScope.
An example configuration snippet, providing AuthScope of any host, any port and
specific realm would look like:
{code:xml}
<server>
  <id>server-id</id>
  <username>user</username>
  <password>password</password>
  <configuration>
    <basicAuthScope>
      <host>ANY</host>
      <port>ANY</port>
      <realm>My Realm</realm>
    </basicAuthScope>
    <httpConfiguration>
      <all>
        <params>
          <property>
            <name>http.protocol.max-redirects</name>
            <value>%i,20</value>
          </property>
          <property>
            <name>http.protocol.allow-circular-redirects</name>
            <value>%b,true</value>
          </property>
        </params>
      </all>
    </httpConfiguration>
  </configuration>
</server>
{code}
The feature also allows for the same AuthScope overrides for proxy Basic auth
using the <proxyBasicAuthScope> element.
> HTTP wagon AuthScope is not definable from settings
> ---------------------------------------------------
>
> Key: WAGON-422
> URL: https://jira.codehaus.org/browse/WAGON-422
> Project: Maven Wagon
> Issue Type: Bug
> Components: wagon-http
> Affects Versions: 2.7, 2.8
> Environment: All
> Reporter: leon franzen
> Assignee: Olivier Lamy
> Fix For: 2.8
>
> Attachments: wagon.patch
>
>
> Based on our needs as described in this post to the mailing list:
> {quote}
> We are trying to stand up a highly-available Maven repository that is
> protected by an SSO solution using Basic Auth over SSL. The architecture is
> as follows:
> 1.) Maven clients connect over the internet to the repository using
> maven.example.com
> 2.) maven.example.com is a hardware load balancer DNS alias that uses HTTP
> 301 to redirect to repo.example.com
> 3.) repo.example.com uses HTTP 302 to redirect the request to
> login.example.com
> 4.) login.example.com sends back HTTP 401 to require authentication
> 5.) The client returns the request with the Authorization header and
> login.example.com uses HTTP 302 to redirect the request back to
> repo.example.com with the proper Authorization header and retrieve the
> artifact.
>
> We define the repository in settings.xml with a url of
> https://maven.example.com. The problem we are running into is that the Maven
> HTTP Wagon code is setting the AuthScope based on the Repository URL's host
> (and port, if supplied).
> {code:java}
> Credentials creds = new UsernamePasswordCredentials( username, password );
> String host = getRepository().getHost();
> int port = getRepository().getPort() > -1 ? getRepository().getPort() : AuthScope.ANY_PORT;
> credentialsProvider.setCredentials( new AuthScope( host, port ), creds );
> {code}
> As such, the AuthScope is created with "maven.example.com" and "-1"
> (i.e., AuthScope.ANY_PORT). This causes the Authorization header to not be
> returned in response to the HTTP 401 challenge and Maven simply moves on to
> try to retrieve the artifact from Maven Central (but the artifact isn't
> there).
> From reading the code, there doesn't appear to be any way of telling Maven to
> set the AuthScope realm to a value that we specify (and the AuthScope host to
> AuthScope.ANY_HOST). Are we missing something obvious or, as we believe, do
> we need to enhance Maven to support this type of configuration?
> {quote}
> We are submitting a patch that provides customization of AuthScope fields via
> wagon settings. Allows AuthScope host and port to differ from the associated
> repository host and port if needed. Value of "ANY" permits more flexible
> AuthScope.
> An example configuration snippet, providing AuthScope of any host, any port
> and specific realm would look like:
> {code:xml}
> <server>
>   <id>server-id</id>
>   <username>user</username>
>   <password>password</password>
>   <configuration>
>     <basicAuthScope>
>       <host>ANY</host>
>       <port>ANY</port>
>       <realm>My Realm</realm>
>     </basicAuthScope>
>     <httpConfiguration>
>       <all>
>         <params>
>           <property>
>             <name>http.protocol.max-redirects</name>
>             <value>%i,20</value>
>           </property>
>           <property>
>             <name>http.protocol.allow-circular-redirects</name>
>             <value>%b,true</value>
>           </property>
>         </params>
>       </all>
>     </httpConfiguration>
>   </configuration>
> </server>
> {code}
> The feature also allows for the same AuthScope overrides for proxy Basic auth
> using the <proxyBasicAuthScope> element.
--
This message was sent by Atlassian JIRA
(v6.1.6#6162)
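
The AuthScope matching behind the behaviour described in this issue, as an added example that is not part of the issue or of the attached Wagon patch. It assumes Apache HttpClient 4.x on the classpath; the class name, the helper `lookup`, and the host `unrelated.example.net` are constructed for illustration.

```java
import org.apache.http.auth.AuthScope;
import org.apache.http.auth.Credentials;
import org.apache.http.auth.UsernamePasswordCredentials;
import org.apache.http.impl.client.BasicCredentialsProvider;

// Added illustration (hypothetical class name); requires Apache HttpClient 4.x.
public class AuthScopeDemo {

    // Returns the user name the provider would offer for a 401 challenge
    // coming from host:port with the given realm, or "none" if no scope matches.
    static String lookup(BasicCredentialsProvider provider, String host, int port, String realm) {
        Credentials c = provider.getCredentials(new AuthScope(host, port, realm));
        return c == null ? "none" : c.getUserPrincipal().getName();
    }

    public static void main(String[] args) {
        Credentials creds = new UsernamePasswordCredentials("user", "password");

        // Scope derived from the repository URL, as in the snippet quoted in the issue.
        BasicCredentialsProvider repoScoped = new BasicCredentialsProvider();
        repoScoped.setCredentials(new AuthScope("maven.example.com", AuthScope.ANY_PORT), creds);

        // Scope the example settings describe: any host, any port, realm "My Realm".
        BasicCredentialsProvider realmScoped = new BasicCredentialsProvider();
        realmScoped.setCredentials(
            new AuthScope(AuthScope.ANY_HOST, AuthScope.ANY_PORT, "My Realm"), creds);

        // Challenges to evaluate: the hosts from the report plus a constructed one.
        String[][] challenges = {
            {"maven.example.com", "My Realm"},
            {"login.example.com", "My Realm"},
            {"unrelated.example.net", "My Realm"},    // constructed: same realm, different host
            {"unrelated.example.net", "Other Realm"}  // constructed: different realm
        };
        for (String[] ch : challenges) {
            System.out.printf("%-22s realm=%-14s repoScoped=%-5s realmScoped=%s%n",
                ch[0], "\"" + ch[1] + "\"",
                lookup(repoScoped, ch[0], 443, ch[1]),
                lookup(realmScoped, ch[0], 443, ch[1]));
        }
    }
}
```

With host and port both set to ANY, the realm string is the only field restricting where the credentials are offered, and that string is supplied by whichever server issues the 401 challenge.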