Maven / MNG-6614

Maven 3.5 client fails to remove the authorization header on 303 redirect


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Incomplete
    • Affects Version/s: 3.5.0
    • Fix Version/s: None
    • Labels:
      None
    • Environment:
      Windows JDK8u141

      Description

      When the Maven client tries to get the POM from a private repository and that repository gives a 303 response to see another location, the client keeps the same authorization header in the subsequent redirect. There should be a way to remove that authorization header because there is no need to keep it.

      Some calls even fail because that auth header is not valid for the subsequent request. Some storage services like Azure Blob hard fail because they don't expect any auth header.

      GET <Redirected_location>
      Cache-control: no-cache
      Cache-store: no-store
      Pragma: no-cache
      Expires: 0
      Accept-Encoding: gzip
      Authorization: Basic <redacted>
      Host: <different host than private repo>
      Connection: Keep-Alive
      User-Agent: Apache-HttpClient/4.5.2 (Java/1.8.0_72)

            People

            • Assignee:
              Unassigned
              Reporter:
              shbhawsi Shubham Bhawsinka
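
The behaviour the report asks for, as an added example (not Maven's or Apache HttpClient's code, and not part of the original report): the Authorization header follows a redirect only when the target has the same scheme, host and port as the original request. It uses only the JDK; the class name, method names and URLs are hypothetical.

```java
import java.net.URI;
import java.util.LinkedHashMap;
import java.util.Map;

/** Added example: decide which request headers may follow a redirect. */
public class RedirectHeaderFilter {

    /** Explicit port, or the scheme default when the URI omits it. */
    static int effectivePort(URI u) {
        if (u.getPort() != -1) return u.getPort();
        return "https".equalsIgnoreCase(u.getScheme()) ? 443 : 80;
    }

    /** Same origin means same scheme, host (case-insensitive) and port. */
    static boolean sameOrigin(URI a, URI b) {
        return a.getScheme().equalsIgnoreCase(b.getScheme())
                && a.getHost().equalsIgnoreCase(b.getHost())
                && effectivePort(a) == effectivePort(b);
    }

    /** Headers to send to the redirect target; Location may be relative. */
    static Map<String, String> headersForRedirect(URI original, String location,
                                                  Map<String, String> headers) {
        URI target = original.resolve(location);
        Map<String, String> out = new LinkedHashMap<>(headers);
        if (!sameOrigin(original, target)) {
            // Header names are case-insensitive, so match accordingly.
            out.keySet().removeIf(name -> name.equalsIgnoreCase("Authorization"));
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample values; hosts and paths are placeholders.
        URI repo = URI.create("https://repo.example.com/maven/app/1.0/app-1.0.pom");
        Map<String, String> headers = new LinkedHashMap<>();
        headers.put("Accept-Encoding", "gzip");
        headers.put("Authorization", "Basic <redacted>");
        headers.put("User-Agent", "Apache-HttpClient/4.5.2 (Java/1.8.0_72)");

        // 303 to a different host: Authorization is dropped.
        System.out.println(headersForRedirect(
                repo, "https://blobs.example.net/app-1.0.pom", headers).keySet());
        // Relative Location on the same host: Authorization is kept.
        System.out.println(headersForRedirect(
                repo, "/mirror/app-1.0.pom", headers).keySet());
    }
}
```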