When an anonymous user tries to download a file that is blocked by Xray, they get a 401 Unauthorized instead of a 403 with a message saying the download is blocked by Xray ("due to the download blocking policy configured in Xray").
Steps to reproduce:
1. Configure Artifactory and Xray.
2. Create a policy with "block artifacts" and a watch on a remote repository (e.g. jcenter).
3. Create a pom.xml to download an artifact with a known vulnerability. I used, for example, the following dependency:
<dependency>
    <groupId>struts</groupId>
    <artifactId>struts</artifactId>
    <version>1.2.9</version>
</dependency>
4. Download the artifact and check that it was blocked by Xray via Artifactory.
5. Check that the anonymous user has permission to download.
You will get a 401 for the anonymous user and a 403 for a non-anonymous user. This is disturbing because users will be confused about the reason they are unable to download the artifact.
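The following script is an added example for verifying this report (or a fix for it); it is not part of the issue or of the Artifactory/Xray code. It fetches the same artifact once anonymously and once with credentials, classifies each response the way a client would read it, and flags the case where the two callers reach different conclusions. The Artifactory base URL, the "user"/"password" credentials and the exact artifact path under the jcenter remote are placeholders (the path follows the standard Maven layout for the struts:struts:1.2.9 dependency given above).

```python
"""Compare Artifactory's response to an Xray-blocked download for an anonymous
versus an authenticated client.

Added example, not code from the JIRA issue. The URL, credentials and repo
path are assumptions/placeholders; adjust them for your instance.
"""
import base64
import urllib.error
import urllib.request

# Wording the issue quotes from Artifactory's block message.
XRAY_BLOCK_MARKER = "download blocking policy configured in Xray"


def classify(status, body):
    """Map an HTTP status and body to the conclusion a client would draw."""
    if status == 403 and XRAY_BLOCK_MARKER in body:
        return "blocked-by-xray"      # what the issue says should happen
    if status == 401:
        return "credentials-required"  # what anonymous users actually see
    if status == 403:
        return "forbidden"
    if 200 <= status < 300:
        return "downloaded"
    return f"other-{status}"


def fetch(url, auth=None, timeout=30):
    """GET `url`, optionally with HTTP Basic auth; return (status, body)."""
    req = urllib.request.Request(url)
    if auth is not None:
        token = base64.b64encode(f"{auth[0]}:{auth[1]}".encode()).decode()
        req.add_header("Authorization", f"Basic {token}")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode(errors="replace")
    except urllib.error.HTTPError as err:
        # Artifactory reports the block in the error body, so keep it.
        return err.code, err.read().decode(errors="replace")


def compare(anon_response, auth_response):
    """Return a report; `consistent` is False when anonymous and authenticated
    callers would conclude different things about the same blocked artifact."""
    anon = classify(*anon_response)
    authed = classify(*auth_response)
    return {"anonymous": anon, "authenticated": authed, "consistent": anon == authed}


if __name__ == "__main__":
    # Placeholders (assumptions): replace with your Artifactory instance values.
    ARTIFACTORY = "https://artifactory.example.com/artifactory"
    # Maven layout path for the struts:struts:1.2.9 dependency from the issue,
    # under the jcenter remote named in the reproduction steps.
    ARTIFACT = "jcenter/struts/struts/1.2.9/struts-1.2.9.jar"
    url = f"{ARTIFACTORY}/{ARTIFACT}"

    report = compare(fetch(url), fetch(url, auth=("user", "password")))
    print(report)
    if not report["consistent"]:
        print("Anonymous and authenticated users get different explanations "
              "for the same Xray-blocked artifact.")
```

Run it after step 5 above: with the bug present the report shows "credentials-required" for the anonymous call and "blocked-by-xray" for the authenticated one, so `consistent` is False; once anonymous downloads also return the 403 with the Xray message, both classify the same way.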
Is duplicated by: RTFACT-19749 pip install for an anonymous user asks for credentials (Open)