Uploaded image for project: 'Artifactory Binary Repository'
  1. Artifactory Binary Repository
  2. RTFACT-10617

Having authentication in an artifact name causes 404 issues

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: High
    • Resolution: Fixed
    • Affects Version/s: 4.7.1, 4.7.7
    • Fix Version/s: 4.10.0
    • Component/s: Security
    • Labels:
      None

      Description

      Hi,

      We are using Artifactory Pro 4.7.1, and we face the following and very weird issue.

      Our Artifactory is set to ask always for authentication.

      Each time we try to resolve a hosted artifact which has auth or authentication in its name, we get a HTTP 404 error instead of the expected HTTP 401 (which would then cause the client, Maven or Gradle, to issue the configured credentials).

      For example, when asking:

      curl -v http://host:8081/artifactory/TEST/com/xxx/ova/va-application-authentication/11.9.1-426742/ova-application-authentication-11.9.1-426742.pom -X GET
      

      we get the following traces on the server:

      2016-06-22 15:25:09,540 [DENIED DOWNLOAD] c2p-thirdparty:com/xxx/ova/ova-application-authentication/11.9.1-426742/ova-application-authentication-11.9.1-426742.pom for anonymous/10.1.24.177.
      2016-06-22 15:25:09,540 [DENIED DOWNLOAD] c2p-application-local:com/xxx/ova/ova-application-authentication/11.9.1-426742/ova-application-authentication-11.9.1-426742.pom for anonymous/10.1.24.177.
      2016-06-22 15:25:09,540 [DENIED DOWNLOAD] c2p-forks:com/xxx/ova/ova-application-authentication/11.9.1-426742/ova-application-authentication-11.9.1-426742.pom for anonymous/10.1.24.177.
      2016-06-22 15:25:09,541 [DENIED DOWNLOAD] ova-publication:com/xxx/ova/ova-application-authentication/11.9.1-426742/ova-application-authentication-11.9.1-426742.pom for anonymous/10.1.24.177.
      2016-06-22 15:25:09,541 [DENIED DOWNLOAD] ova-copper:com/xxx/ova/ova-application-authentication/11.9.1-426742/ova-application-authentication-11.9.1-426742.pom for anonymous/10.1.24.177.
      2016-06-22 15:25:09,541 [DENIED DOWNLOAD] ova-bronze:com/xxx/ova/ova-application-authentication/11.9.1-426742/ova-application-authentication-11.9.1-426742.pom for anonymous/10.1.24.177.
      2016-06-22 15:25:09,541 [DENIED DOWNLOAD] ova-silver:com/xxx/ova/ova-application-authentication/11.9.1-426742/ova-application-authentication-11.9.1-426742.pom for anonymous/10.1.24.177.
      2016-06-22 15:25:09,542 [DENIED DOWNLOAD] ova-gold:com/xxx/ova/ova-application-authentication/11.9.1-426742/ova-application-authentication-11.9.1-426742.pom for anonymous/10.1.24.177.
      2016-06-22 15:25:09,542 [DENIED DOWNLOAD] ova-platinum:com/xxx/ova/ova-application-authentication/11.9.1-426742/ova-application-authentication-11.9.1-426742.pom for anonymous/10.1.24.177.
      2016-06-22 15:25:09,542 [DENIED DOWNLOAD] c2p-build-local:com/xxx/ova/ova-application-authentication/11.9.1-426742/ova-application-authentication-11.9.1-426742.pom for anonymous/10.1.24.177.
      2016-06-22 15:25:09,542 [DENIED DOWNLOAD] mirror-maven-cache:com/xxx/ova/ova-application-authentication/11.9.1-426742/ova-application-authentication-11.9.1-426742.pom for anonymous/10.1.24.177.
      2016-06-22 15:25:09,542 [DENIED DOWNLOAD] sonatype-releases-cache:com/xxx/ova/ova-application-authentication/11.9.1-426742/ova-application-authentication-11.9.1-426742.pom for anonymous/10.1.24.177.
      2016-06-22 15:25:09,542 [DENIED DOWNLOAD] sonatype-cache:com/xxx/ova/ova-application-authentication/11.9.1-426742/ova-application-authentication-11.9.1-426742.pom for anonymous/10.1.24.177.
      2016-06-22 15:25:09,542 [DENIED DOWNLOAD] vaadin-addons-cache:com/xxx/ova/ova-application-authentication/11.9.1-426742/ova-application-authentication-11.9.1-426742.pom for anonymous/10.1.24.177.
      2016-06-22 15:25:09,542 [DENIED DOWNLOAD] mirror-jboss-public-repository-group-cache:com/xxx/ova/ova-application-authentication/11.9.1-426742/ova-application-authentication-11.9.1-426742.pom for anonymous/10.1.24.177.
      2016-06-22 15:25:09,542 [DENIED DOWNLOAD] mirror-maven-cache:com/xxx/ova/ova-application-authentication/11.9.1-426742/ova-application-authentication-11.9.1-426742.pom for anonymous/10.1.24.177.
      2016-06-22 15:25:09,543 [DENIED DOWNLOAD] sonatype-releases-cache:com/xxx/ova/ova-application-authentication/11.9.1-426742/ova-application-authentication-11.9.1-426742.pom for anonymous/10.1.24.177.
      2016-06-22 15:25:09,543 [DENIED DOWNLOAD] sonatype-cache:com/xxx/ova/ova-application-authentication/11.9.1-426742/ova-application-authentication-11.9.1-426742.pom for anonymous/10.1.24.177.
      2016-06-22 15:25:09,543 [DENIED DOWNLOAD] vaadin-addons-cache:com/xxx/ova/ova-application-authentication/11.9.1-426742/ova-application-authentication-11.9.1-426742.pom for anonymous/10.1.24.177.
      2016-06-22 15:25:09,543 [DENIED DOWNLOAD] mirror-jboss-public-repository-group-cache:com/xxx/ova/ova-application-authentication/11.9.1-426742/ova-application-authentication-11.9.1-426742.pom for anonymous/10.1.24.177.
      20160622152509|7|REQUEST|10.1.24.177|anonymous|GET|/TEST/com/xxx/ova/ova-application-authentication/11.9.1-426742/ova-application-authentication-11.9.1-426742.pom|HTTP/1.1|404|0
      

      When we do the same test for an artifact in the same repository but without authentication in its name:

      curl -v http://host:8081/artifactory/TEST/com/xxx/ova/opf-client-api/1.0-426351/opf-client-api-1.0-426351.pom -X GET
      

      we get the following traces, which are OK:

      20160622152532|0|REQUEST|10.1.24.177|non_authenticated_user|GET|/TEST/com/xxx/ova/opf-client-api/1.0-426351/opf-client-api-1.0-426351.pom|HTTP/1.1|401|0
      

      We are very worried with those logs because we see that:

      • in the failing case, the user is marked as being anonymous
      • whereas in the working case, it is marked as non_authenticated_user, which is obviously correct

      Is it possible that the only fact that we have authentication in the URL is enough to make Artifactory shunt the authentication process?

      Thanks for any help,
      Damien Coraboeuf
      FIS Clear2Pay Release Engineer Team Lead

        Attachments

          Activity

            People

            • Assignee:
              shayb Shay Bagants
              Reporter:
              dcoraboeuf Damien Coraboeuf
            • Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: