Using an Artifactory Access Token as a "Authorization: Bearer accessToken", or encoded username credentials as "Authorization: Basic base64EncodedCreds" authenticate against Artifactory in-order to download artifacts with S3 Direct Cloud storage enabled download will result in 400 Bad Request from Amazon's S3 service due to supplement of more than one authentication types - Bearer/Basic is incorrectly forwarded to Amazon's S3 service from Artifactory.
- The reason seems to be related to the HTTP client version as it's actually the client's decision whether to re-send credentials after the redirection*
- Reproduces on Artifactory's K8S SaaS platform with curl 7.54.0.
- Does not reproduce after upgrading to curl above version curl 7.58.0 - https://curl.haxx.se/docs/CVE-2018-1000007.html
- Gradle fails on all versions (against maven repos)
- Relevant system property: artifactory.list.of.repos.allowed.send.redirect.url=Maven,Docker,Debian,Npm
Steps to reproduce:
1. Upload a file (above 1MB by default is required for redirection) to any of the enabled repositories: Maven, Npm, Debian, Docker
2. Generate a permissive access token:
Export it an enviroment variable to deal with string length:
Use the token to get the artifact:
Encode your credentials to base64 and send it with curl using -H explicitly:
3. Get the following response (after 302 redirection):