Affects Version/s: 7.27.10
Fix Version/s: None
Virtual Repositories are designed to be used as combination of several local repositories. This means when using a virtual repository, you have access to all artifacts of the local repositories associated to this virtual repository - as long as you have access to the local repository.
Artifactory offers the advantage to implement anonymous access to repositories. This means it is not necessary to log in to artifactory to get access to the artifacts of this repository. This makes sense, e.g. when have a so called mirror repository of artifacts of the internet, where everyone should have easy access to. So called public repositories.
In addition artifactory offers the possibility to implement access restrictions to repositories where not everybody should have access to. So called private repositories.
Now it is possible to aggregate both types of repositories (public + private) to a virtual repository that it is much more easier to access both repository.
The suggestion is now that when accessing this virtual repository without credentials, the result will be a list of public artifacts.
When accessing the virtual repository with credentials, the result will be a list of public and private artifacts.
This is not working for NuGet at all.
When associating a private repository (which needs to have enabled "Force Authentication" to work with NuGet) to a virtual repository, the virtual repository needs the option "Force Authentication" activated, too. Otherwise it is not possible to get private Artifacts through a virtual repository.
This means that it is necessary to always login when requesting packages through NuGet.
When you now connect a public repository to this virtual repository, you need to activate authentication forcing, too.
This makes public repositories to private repositories and you don't have any public artifacts anymore as everyone needs to have an artifactory account and needs to be in the group of the public artifacts (which are now private)
Impact: Unable to resolve these artifacts when hitting this virtual.
Expected Behavior: if you access the virtual anonymously, you should still be able to retrieve the public packages available within the public repository. If you access the virtual with credentials, you should be able to resolve the public and private artifacts.
Steps to reproduce: create 2 local repositories, one with anonymous access and one that requires Artifactory access. Add both these to a virtual. Force authentication on this virtual and the anonymous requests will always return 401 even to the artifacts the anonymous user has access to. If we uncheck Force Authentication, having the credentials in the nuget.config will still not be used and return a 404.
Environment Details: Artifactory 7.27.10, mysql, standalone, on-prem