[RTFACT-17708] Artifactory returns 401 unauthorized message instead of 403 when artifact is being blocked by Xray - JFrog JIRA

Details

Type: Bug
Status: Resolved
Priority: Normal
Resolution: Fixed
Affects Version/s: 6.4.1
Fix Version/s: 7.0.0, 6.17.0
Component/s: None
Labels:
- QF
- QF-P1
- UGA

Sprint:
Pam - Quality 2, Pam - Quality 7

Description

When anonymous user tries to download a file that is blocked by Xray, he will get 401 Unauthorized instead of 403 and a message that it is being blocked by Xray ("due to the download blocking policy configured in Xray").

Steps to reproduce:

Configure Artifactory and Xray
Create a policy with block artifacts and a watch on a remote repository (e.g jcenter).
Create a pom.xml to download an artifact with a known vulnerability, I used for example the following dependency:

<groupId>struts</groupId>

<artifactId>struts</artifactId>

</dependency>

4. Download the artifact, and check that it was blocked by Xray via Artifactory.

5. Check that the anonymous has permissions to download.

You will get 401 with the anonymous and 403 for none-anonymous user, its disturbing because users will get confused by the reason they are not being able to download an artifact.

Attachments

Issue Links

is duplicated by

RTFACT-19749 pip install for an anonymous user asks for credentials

Open

Activity

People

Assignee:

Omri Ziv

Reporter:

Shai Ben-Zvi

Assigned QA:

Rotem Kfir

Votes:

4 Vote for this issue

Watchers:

10 Start watching this issue

Dates

Created:

25/Oct/18 8:21 AM

Updated:

12/Jan/20 3:58 PM

Resolved:

05/Jan/20 1:32 PM