[RTFACT-10617] Having authentication in an artifact name causes 404 issues
Created: 22/Jun/16  Updated: 14/Nov/17  Resolved: 19/Jul/16

Status: Resolved
Project: Artifactory Binary Repository
Component/s: Security
Affects Version/s: 4.7.1, 4.7.7
Fix Version/s: 4.10.0

Type: Bug
Priority: High
Reporter: Damien Coraboeuf
Assignee: Shay Bagants
Resolution: Fixed
Votes: 0
Labels: None

Attachments: GIF File checkedauth.gif    

 Description   

Hi,

We are using Artifactory Pro 4.7.1, and we face the following and very weird issue.

Our Artifactory is set to ask always for authentication.

Each time we try to resolve a hosted artifact which has auth or authentication in its name, we get an HTTP 404 error instead of the expected HTTP 401 (which would then cause the client, Maven or Gradle, to issue the configured credentials).

For example, when asking:

curl -v http://host:8081/artifactory/TEST/com/xxx/ova/va-application-authentication/11.9.1-426742/ova-application-authentication-11.9.1-426742.pom -X GET

we get the following traces on the server:

2016-06-22 15:25:09,540 [DENIED DOWNLOAD] c2p-thirdparty:com/xxx/ova/ova-application-authentication/11.9.1-426742/ova-application-authentication-11.9.1-426742.pom for anonymous/10.1.24.177.
2016-06-22 15:25:09,540 [DENIED DOWNLOAD] c2p-application-local:com/xxx/ova/ova-application-authentication/11.9.1-426742/ova-application-authentication-11.9.1-426742.pom for anonymous/10.1.24.177.
2016-06-22 15:25:09,540 [DENIED DOWNLOAD] c2p-forks:com/xxx/ova/ova-application-authentication/11.9.1-426742/ova-application-authentication-11.9.1-426742.pom for anonymous/10.1.24.177.
2016-06-22 15:25:09,541 [DENIED DOWNLOAD] ova-publication:com/xxx/ova/ova-application-authentication/11.9.1-426742/ova-application-authentication-11.9.1-426742.pom for anonymous/10.1.24.177.
2016-06-22 15:25:09,541 [DENIED DOWNLOAD] ova-copper:com/xxx/ova/ova-application-authentication/11.9.1-426742/ova-application-authentication-11.9.1-426742.pom for anonymous/10.1.24.177.
2016-06-22 15:25:09,541 [DENIED DOWNLOAD] ova-bronze:com/xxx/ova/ova-application-authentication/11.9.1-426742/ova-application-authentication-11.9.1-426742.pom for anonymous/10.1.24.177.
2016-06-22 15:25:09,541 [DENIED DOWNLOAD] ova-silver:com/xxx/ova/ova-application-authentication/11.9.1-426742/ova-application-authentication-11.9.1-426742.pom for anonymous/10.1.24.177.
2016-06-22 15:25:09,542 [DENIED DOWNLOAD] ova-gold:com/xxx/ova/ova-application-authentication/11.9.1-426742/ova-application-authentication-11.9.1-426742.pom for anonymous/10.1.24.177.
2016-06-22 15:25:09,542 [DENIED DOWNLOAD] ova-platinum:com/xxx/ova/ova-application-authentication/11.9.1-426742/ova-application-authentication-11.9.1-426742.pom for anonymous/10.1.24.177.
2016-06-22 15:25:09,542 [DENIED DOWNLOAD] c2p-build-local:com/xxx/ova/ova-application-authentication/11.9.1-426742/ova-application-authentication-11.9.1-426742.pom for anonymous/10.1.24.177.
2016-06-22 15:25:09,542 [DENIED DOWNLOAD] mirror-maven-cache:com/xxx/ova/ova-application-authentication/11.9.1-426742/ova-application-authentication-11.9.1-426742.pom for anonymous/10.1.24.177.
2016-06-22 15:25:09,542 [DENIED DOWNLOAD] sonatype-releases-cache:com/xxx/ova/ova-application-authentication/11.9.1-426742/ova-application-authentication-11.9.1-426742.pom for anonymous/10.1.24.177.
2016-06-22 15:25:09,542 [DENIED DOWNLOAD] sonatype-cache:com/xxx/ova/ova-application-authentication/11.9.1-426742/ova-application-authentication-11.9.1-426742.pom for anonymous/10.1.24.177.
2016-06-22 15:25:09,542 [DENIED DOWNLOAD] vaadin-addons-cache:com/xxx/ova/ova-application-authentication/11.9.1-426742/ova-application-authentication-11.9.1-426742.pom for anonymous/10.1.24.177.
2016-06-22 15:25:09,542 [DENIED DOWNLOAD] mirror-jboss-public-repository-group-cache:com/xxx/ova/ova-application-authentication/11.9.1-426742/ova-application-authentication-11.9.1-426742.pom for anonymous/10.1.24.177.
2016-06-22 15:25:09,542 [DENIED DOWNLOAD] mirror-maven-cache:com/xxx/ova/ova-application-authentication/11.9.1-426742/ova-application-authentication-11.9.1-426742.pom for anonymous/10.1.24.177.
2016-06-22 15:25:09,543 [DENIED DOWNLOAD] sonatype-releases-cache:com/xxx/ova/ova-application-authentication/11.9.1-426742/ova-application-authentication-11.9.1-426742.pom for anonymous/10.1.24.177.
2016-06-22 15:25:09,543 [DENIED DOWNLOAD] sonatype-cache:com/xxx/ova/ova-application-authentication/11.9.1-426742/ova-application-authentication-11.9.1-426742.pom for anonymous/10.1.24.177.
2016-06-22 15:25:09,543 [DENIED DOWNLOAD] vaadin-addons-cache:com/xxx/ova/ova-application-authentication/11.9.1-426742/ova-application-authentication-11.9.1-426742.pom for anonymous/10.1.24.177.
2016-06-22 15:25:09,543 [DENIED DOWNLOAD] mirror-jboss-public-repository-group-cache:com/xxx/ova/ova-application-authentication/11.9.1-426742/ova-application-authentication-11.9.1-426742.pom for anonymous/10.1.24.177.
20160622152509|7|REQUEST|10.1.24.177|anonymous|GET|/TEST/com/xxx/ova/ova-application-authentication/11.9.1-426742/ova-application-authentication-11.9.1-426742.pom|HTTP/1.1|404|0

When we do the same test for an artifact in the same repository but without authentication in its name:

curl -v http://host:8081/artifactory/TEST/com/xxx/ova/opf-client-api/1.0-426351/opf-client-api-1.0-426351.pom -X GET

we get the following traces, which are OK:

20160622152532|0|REQUEST|10.1.24.177|non_authenticated_user|GET|/TEST/com/xxx/ova/opf-client-api/1.0-426351/opf-client-api-1.0-426351.pom|HTTP/1.1|401|0

We are very worried about those logs because we see that:

  • in the failing case, the user is marked as being anonymous
  • whereas in the working case, it is marked as non_authenticated_user, which is obviously correct

Is it possible that the only fact that we have authentication in the URL is enough to make Artifactory shunt the authentication process?

Thanks for any help,
Damien Coraboeuf
FIS Clear2Pay Release Engineer Team Lead
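
A log check for the symptom described in this report, as an added example that is not part of the original ticket or of Artifactory: it parses the two log formats quoted above and flags requests served as `anonymous` with a 404, correlating them with the `[DENIED DOWNLOAD]` entries. The field positions are inferred from the quoted lines, the sample is constructed from them, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample in the two formats quoted in the report (not real traffic).
REQUEST_LOG = """\
20160622152509|7|REQUEST|10.1.24.177|anonymous|GET|/TEST/com/xxx/ova/ova-application-authentication/11.9.1-426742/ova-application-authentication-11.9.1-426742.pom|HTTP/1.1|404|0
20160622152532|0|REQUEST|10.1.24.177|non_authenticated_user|GET|/TEST/com/xxx/ova/opf-client-api/1.0-426351/opf-client-api-1.0-426351.pom|HTTP/1.1|401|0
"""
ACCESS_LOG = """\
2016-06-22 15:25:09,540 [DENIED DOWNLOAD] c2p-thirdparty:com/xxx/ova/ova-application-authentication/11.9.1-426742/ova-application-authentication-11.9.1-426742.pom for anonymous/10.1.24.177.
2016-06-22 15:25:09,541 [DENIED DOWNLOAD] ova-gold:com/xxx/ova/ova-application-authentication/11.9.1-426742/ova-application-authentication-11.9.1-426742.pom for anonymous/10.1.24.177.
"""

# "<repo key>:<artifact path> for anonymous/<client ip>." as shown in the report
DENIED = re.compile(r"\[DENIED DOWNLOAD\] ([^:\s]+):(\S+) for anonymous/(\S+?)\.?$")

def denied_counts(access_log):
    """Count anonymous DENIED DOWNLOAD entries per (client ip, artifact path)."""
    counts = Counter()
    for line in access_log.splitlines():
        m = DENIED.search(line)
        if m:
            _repo, path, ip = m.groups()
            counts[(ip, path)] += 1
    return counts

def suspicious_requests(request_log, access_log):
    """Requests served as 'anonymous' with a 404 where a 401 challenge is expected."""
    denied = denied_counts(access_log)
    hits = []
    for line in request_log.splitlines():
        fields = line.split("|")
        if len(fields) != 10 or fields[2] != "REQUEST":
            continue  # not a line in the format shown in the report
        # Assumed positions: 3 = client ip, 4 = user, 6 = path, 8 = status
        ip, user, path, status = fields[3], fields[4], fields[6], fields[8]
        if user == "anonymous" and status == "404":
            # Request path is /<repo key>/<artifact path>; drop the repo key to correlate
            artifact = path.lstrip("/").split("/", 1)[-1]
            hits.append({"ip": ip, "path": path,
                         "has_auth": "auth" in path.lower(),
                         "denied": denied[(ip, artifact)]})
    return hits

if __name__ == "__main__":
    for hit in suspicious_requests(REQUEST_LOG, ACCESS_LOG):
        print(hit)
```

On an instance configured to always require authentication, every hit is a request that was evaluated as `anonymous` instead of receiving a 401 challenge.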



 Comments   
Comment by Damien Coraboeuf [ 22/Jun/16 ]

Actually, it is enough to put auth anywhere in the URL to get the call authenticated as anonymous.

Comment by Damien Coraboeuf [ 22/Jun/16 ]

Note that this issue does exist if "Hide Existence of Unauthorized Resources" is checked in the general settings.

Comment by Damien Coraboeuf [ 23/Jun/16 ]

We have unchecked "Hide Existence of Unauthorized Resources" in the general security settings, but this has created more issues than it has solved.

We didn't have such issues with Artifactory 3.6, from which we upgraded a few months ago.

So for us, the issue remains and we do not have any other solution than to rename some artifacts without authentication in the name, which sounds of course a bit absurd.

Thanks for any help,
Damien.

Comment by Omar Faiz (Inactive) [ 07/Jul/16 ]

Reproduced. See attached gif.

Comment by Damien Coraboeuf [ 07/Jul/16 ]

Hi Omar,

That's very good news that you could reproduce the issue indeed. We were feeling a bit lonely.

Any hint about a root cause?

Thanks,
Damien.
