[GRADLE-2968] Gradle 1.9 cannot access artifactory repository that is protected by Basic Authentication Created: 28/Nov/13  Updated: 06/Jun/16  Resolved: 06/Jun/16

Status: Resolved
Project: Gradle
Affects Version/s: None
Fix Version/s: None

Type: Bug
Reporter: Gradle Forums Assignee: Unassigned
Resolution: Duplicate Votes: 3

Issue Links:
Duplicate
Duplicates GRADLE-2675 Add option to eagerly send HTTP authe... Resolved

 Description   

In short: it looks like that gradle does not do pre-emptive basic authentication if it is doing get requests (see HttpClientConfigurer.java)

Artifactory does not challenge the client, if a directory listing is requested (prolly for security reasons). Instead it reports an empty directory if you are not properly authenticate. If I would request a fixed version number, I get a challenge and resolving does work.
Because of this, dynamic versions cannot be resolved using gradle and a protected artifactory repository!

Here is my build file for testing this:

group = 'de.enterprise.project'
def artifactoryRepoBase = '[1]http://aisrepo.enterprise.com/artifac...'
repositories {
ivy {
credentials {
username "myUser"
password "password"
}
url artifactoryRepoBase + '/b2b-gradle-internal'
layout "pattern", {
artifact '[organization]/[module]/[revision]/[module][revision]([classifier]).[ext]'
ivy '[organization]/[module]/ivy-[revision].xml'
}
}
}
apply plugin: 'java'
dependencies {
compile group: 'de.enterprise.project.info', name: 'info', version: "3.5.+" // does not work, gets empty dir
// compile group: 'de.enterprise.project.info', name: 'info', version: "3.5.0-20131127155348" // does work, but is fixed
}

(sorry, couldn't figure out how the heck you are creating these code blocks). A simple help button at the editor would be nice...

This is a serious problem for us. We absolutely have to protect our internal artifactory repository (company has over 300.000 employees that can access the intranet). And we really need the dynamic versions for our multi-project platform.

Is there a way to enforce pre-emptive authentication for all kind of requests for repositories where credentials are available? Or can I configure artifactory to always challenge for certain repositories? I haven't found this option yet.

I am on gradle 1.9 and artifactory 3.0.4

Any help will be appreciated

Andreas
----------------------------------------------------------------------------------------
[1] http://aisrepo.enterprise.com/artifactory



 Comments   
Comment by Gradle Forums [ 28/Nov/13 ]

Code block are created with HTML code tags.

So what you are saying is that basic auth doesn't work together with dynamic versions? (The title of your post suggests that it doesn't work at all.) Have you tried with Gradle 1.7/1.8?

Comment by Gradle Forums [ 28/Nov/13 ]

Gosh, you are fast.

Yes, you are right, the title is misleading. Gradle can access resources with fixed version numbers. At least if artifactory is not configured to hide these resources (there is an option for this in artifactory to hide resources if they are protected and no pre-emptive credentials are supplied. If this option is off, artifactory will challenge the client to authenticate. If it is turned on, artifactory reports "404 not found" instead of "401 Unauthorized" in case of no pre-emptive credentials).

So what I am reporting is, that dynamic Versions cannot be resolved with protected repositories in artifactory. This is, because Gradle does a GET request on the parent directory to get a list of the ivy-*.xml resources. This GET request will be without pre-emptive credentials and will therefore result in an empty directory.

I guess maven SNAPSHOT style versions will work, because it does not involve a directory scanning. But ivy and gradle style repositories will not work, because they involve directory scanning.

I will checkout gradle 1.7 and 1.8 tomorrow at work and will report tomorrow.

Comment by Gradle Forums [ 28/Nov/13 ]

I can confirm, that this bug exists down to gradle 1.3 (haven't tested further down).

Because gradle is sharing http connections, the workaround would be not to use a dynamic dependency as the first dependency. If gradle goes for a fixed version as the first dependency, artifactory challenges the client correctly and after that, the dynamic version is resolved correctly. I guess that's the reason why nobody found this bug yet.

Still this is pretty unpredictable behaviour. I really would like to have a flag in the repository configuration to enforce pre-emptive authentication for a repository.

Comment by Andreas Sahlbach [ 13/Dec/13 ]

Please see the corresponding Artifactory Bug:

https://www.jfrog.com/jira/browse/RTFACT-4434

Guys, start talking with each other!

Comment by Mark Vieira (Inactive) [ 06/Jun/16 ]

Support for preemptive auth was added in Gradle 2.7.

https://docs.gradle.org/2.7/release-notes.html#support-for-preemptive-http-authentication

Generated at Wed Jun 30 12:36:18 CDT 2021 using Jira 8.4.2#804003-sha1:d21414fc212e3af190e92c2d2ac41299b89402cf.