Details
- Type: Bug
- Status: Closed
- Priority: Major
- Resolution: Fixed
- Affects Version/s: 2.7, 2.8
- Fix Version/s: None
- Component/s: All
- Labels: Patch
Description
Based on our needs as described in this post to the mailing list:
We are trying to stand up a highly-available Maven repository that is protected by an SSO solution using Basic Auth over SSL. The architecture is as follows:
1.) Maven clients connect over the internet to the repository using maven.example.com
2.) maven.example.com is a hardware load balancer DNS alias that uses HTTP 301 to redirect to repo.example.com
3.) repo.example.com uses HTTP 302 to redirect the request to login.example.com
4.) login.example.com sends back HTTP 401 to require authentication
5.) The client returns the request with the Authorization header and login.example.com uses HTTP 302 to redirect the request back to repo.example.com with the proper Authorization header and retrieve the artifact.
We define the repository in settings.xml with a url of https://maven.example.com. The problem we are running into is that the Maven HTTP Wagon code is setting the AuthScope based on the Repository URL's host (and port, if supplied).
```java
// Wagon's HttpClient setup as quoted in the issue: the AuthScope is derived from the repository URL
Credentials creds = new UsernamePasswordCredentials( username, password );
String host = getRepository().getHost();
// use the repository port when one was configured, otherwise match any port
int port = getRepository().getPort() > -1 ? getRepository().getPort() : AuthScope.ANY_PORT;
credentialsProvider.setCredentials( new AuthScope( host, port ), creds );
```

As such, the AuthScope is created with "maven.example.com" and "-1" (i.e., AuthScope.ANY_PORT). This causes the Authorization header to not be returned in response to the HTTP 401 challenge and Maven simply moves on to try to retrieve the artifact from Maven Central (but the artifact isn't there).
From reading the code, there doesn't appear to be any way of telling Maven to set the AuthScope realm to a value that we specify (and the AuthScope host to AuthScope.ANY_HOST). Are we missing something obvious or, as we believe, do we need to enhance Maven to support this type of configuration?
We are submitting a patch that provides customization of AuthScope fields via wagon settings. Allows AuthScope host and port to differ from the associated repository host and port if needed. Value of "ANY" permits more flexible AuthScope.
An example configuration snippet, providing AuthScope of any host, any port and specific realm would look like:
```xml
<server>
  <id>server-id</id>
  <username>user</username>
  <password>password</password>
  <configuration>
    <basicAuthScope>
      <host>ANY</host>
      <port>ANY</port>
      <realm>My Realm</realm>
    </basicAuthScope>
    <httpConfiguration>
      <all>
        <params>
          <property>
            <name>http.protocol.max-redirects</name>
            <value>%i,20</value>
          </property>
          <property>
            <name>http.protocol.allow-circular-redirects</name>
            <value>%b,true</value>
          </property>
        </params>
      </all>
    </httpConfiguration>
  </configuration>
</server>
```
The feature also allows for the same AuthScope overrides for proxy Basic auth using the <proxyBasicAuthScope> element.
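The following is an added example, not code from the issue or from Wagon itself. It uses the Apache HttpClient 4.x classes that the quoted wagon code relies on to show the two credential lookups side by side: the current repository-host scope, which never matches a 401 that arrives from the SSO host after the redirect chain, and the scope the proposed `<basicAuthScope>` configuration (host ANY, port ANY, realm "My Realm") would register. The host names and realm are taken from the scenario in the description and are placeholders, not real endpoints; `lookup` is a helper written here to mimic how HttpClient asks the provider for credentials once it has parsed a challenge.

```java
import org.apache.http.auth.AuthScope;
import org.apache.http.auth.Credentials;
import org.apache.http.auth.UsernamePasswordCredentials;
import org.apache.http.client.CredentialsProvider;
import org.apache.http.impl.client.BasicCredentialsProvider;

/**
 * Added example (not Wagon's own code). Requires Apache HttpClient 4.x on the classpath,
 * the client library Wagon 2.x builds on.
 */
public class AuthScopeDemo {

    // Constructed from the issue's scenario; none of these are real endpoints.
    static final String REPO_HOST = "maven.example.com";
    static final String LOGIN_HOST = "login.example.com";
    static final String REALM = "My Realm";

    /** Provider filled the way the quoted wagon code does it: scoped to the repository host. */
    static CredentialsProvider repositoryHostScoped(Credentials creds) {
        CredentialsProvider provider = new BasicCredentialsProvider();
        provider.setCredentials(new AuthScope(REPO_HOST, AuthScope.ANY_PORT), creds);
        return provider;
    }

    /** Provider filled the way the proposed basicAuthScope config would: any host, any port, one realm. */
    static CredentialsProvider realmScoped(Credentials creds) {
        CredentialsProvider provider = new BasicCredentialsProvider();
        provider.setCredentials(new AuthScope(AuthScope.ANY_HOST, AuthScope.ANY_PORT, REALM), creds);
        return provider;
    }

    /**
     * Hypothetical helper mirroring HttpClient's handling of a 401: it builds an AuthScope from
     * the challenging host, port, realm and scheme and asks the provider for the best match.
     * BasicCredentialsProvider returns null when no registered scope is compatible.
     */
    static Credentials lookup(CredentialsProvider provider, String challengeHost, int port, String realm) {
        return provider.getCredentials(new AuthScope(challengeHost, port, realm, "basic"));
    }

    public static void main(String[] args) {
        Credentials creds = new UsernamePasswordCredentials("user", "password");

        // With the SSO redirect chain the 401 is sent by login.example.com, not the repository host.
        Credentials current = lookup(repositoryHostScoped(creds), LOGIN_HOST, 443, REALM);
        Credentials patched = lookup(realmScoped(creds), LOGIN_HOST, 443, REALM);

        System.out.println("host-scoped provider answers the login host: " + (current != null));
        System.out.println("realm-scoped provider answers the login host: " + (patched != null));

        // The realm still acts as a guard: a challenge carrying a different realm gets nothing,
        // so ANY/ANY does not hand the password to every host that happens to send a 401.
        Credentials otherRealm = lookup(realmScoped(creds), "other.example.com", 443, "Other Realm");
        System.out.println("realm-scoped provider answers a different realm: " + (otherRealm != null));
    }
}
```

Running it shows the first lookup returning null (host mismatch is fatal in AuthScope matching, so the Authorization header is never sent and Maven falls through to Central), the second returning the credentials, and the third returning null again. The last case is the reason to set a realm rather than leaving host, port and realm all at ANY: it keeps Basic credentials from being offered to any redirect target that challenges.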
Attachments
Issue Links
- relates to: WAGON-425 write documentation for HTTP auth configuration (Open)