Artifactory Binary Repository: RTFACT-17708

Artifactory returns 401 unauthorized message instead of 403 when artifact is being blocked by Xray

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Normal
    • Resolution: Fixed
    • Affects Version/s: 6.4.1
    • Fix Version/s: 7.0.0, 6.17.0
    • Component/s: None
    • Labels:
    • Sprint:
      Pam - Quality 2, Pam - Quality 7

      Description

      When an anonymous user tries to download a file that is blocked by Xray, they get 401 Unauthorized instead of 403 and a message that the download is blocked by Xray ("due to the download blocking policy configured in Xray").

      Steps to reproduce:

      1. Configure Artifactory and Xray.
      2. Create a policy that blocks artifacts and a watch on a remote repository (e.g. jcenter).
      3. Create a pom.xml to download an artifact with a known vulnerability. I used, for example, the following dependency:

      <dependency>
          <groupId>struts</groupId>
          <artifactId>struts</artifactId>
          <version>1.2.9</version>
      </dependency>

      4. Download the artifact, and check that it was blocked by Xray via Artifactory.
      5. Check that the anonymous user has permission to download.

      You will get 401 with the anonymous user and 403 for a non-anonymous user. This is disturbing because users will be confused about the reason they are unable to download an artifact.
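      The following is an added diagnostic script, not part of this issue or of JFrog's code. It performs the anonymous and authenticated downloads from steps 4 and 5 against an artifact URL and classifies the pair of responses, so that an administrator can confirm whether an instance shows the 401-versus-403 mismatch or already returns a consistent 403 with the Xray message. The artifact URL, the environment variable names and the response-category labels are assumptions introduced for this example; the only string taken from the issue is the Xray blocking message fragment.

```python
"""Check how Artifactory answers an artifact download for an anonymous client
versus an authenticated one, and flag the 401/403 mismatch described in
RTFACT-17708.  Hypothetical diagnostic written for this example; not JFrog code."""
import base64
import os
import urllib.error
import urllib.request

# Fragment of the message Artifactory attaches to an Xray-blocked download
# (quoted from the issue description).
XRAY_BLOCK_HINT = "download blocking policy configured in Xray"


def fetch_status(url, user=None, password=None, timeout=10):
    """GET `url` and return (http_status, body_text).

    A Basic Authorization header is sent only when a user is given, so a call
    without credentials is the anonymous download from step 5."""
    req = urllib.request.Request(url)
    if user is not None:
        token = base64.b64encode(f"{user}:{password or ''}".encode()).decode()
        req.add_header("Authorization", f"Basic {token}")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        # 401/403/404 arrive here; the body still carries Artifactory's message.
        return err.code, err.read().decode("utf-8", "replace")


def diagnose(anon_status, anon_body, auth_status, auth_body):
    """Classify the anonymous/authenticated response pair.

    Returns one of (labels are this example's own):
      'not-blocked'        at least one download succeeded, so Xray did not block it
      'consistent-block'   both clients got 403 carrying the Xray message (expected)
      'anon-401-mismatch'  anonymous got 401 while the authenticated user got 403,
                           the behaviour reported in RTFACT-17708
      'other'              anything else (e.g. anonymous lacks read permission,
                           wrong path, repository not proxied)"""
    if anon_status == 200 or auth_status == 200:
        return "not-blocked"
    if (anon_status == 403 and auth_status == 403
            and XRAY_BLOCK_HINT in anon_body and XRAY_BLOCK_HINT in auth_body):
        return "consistent-block"
    if anon_status == 401 and auth_status == 403:
        return "anon-401-mismatch"
    return "other"


if __name__ == "__main__":
    # Constructed example URL following the Maven layout for the struts 1.2.9
    # dependency from step 3; replace host and repository with your own.
    url = os.environ.get(
        "ARTIFACT_URL",
        "https://artifactory.example.com/artifactory/jcenter/struts/struts/1.2.9/struts-1.2.9.jar",
    )
    user = os.environ.get("ARTIFACTORY_USER")
    password = os.environ.get("ARTIFACTORY_PASSWORD")
    anon_status, anon_body = fetch_status(url)
    if user is None:
        print(f"anonymous -> {anon_status}; set ARTIFACTORY_USER/PASSWORD for the comparison")
    else:
        auth_status, auth_body = fetch_status(url, user, password)
        print(f"anonymous -> {anon_status}, authenticated -> {auth_status}: "
              f"{diagnose(anon_status, anon_body, auth_status, auth_body)}")
```

      Run it against an artifact that a watch with a blocking policy covers; a result of 'other' usually means step 5 was skipped (the anonymous user has no read permission on the repository, which legitimately yields 401) rather than the bug itself.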

              People

              • Assignee: Omri Ziv (omriz)
              • Reporter: Shai Ben-Zvi (shaibz)
              • Assigned QA: Rotem Kfir
              • Votes: 4
              • Watchers: 10
