Authenticated HEAD call from Maven to Artifactory

Question

I recently activated security on my Artifactory instance which cause several issue. One remains and seems a bit strange:

Maven use HTTP HEAD to check if a new SNAPSHOT has been deployed. However, when security is enabled, the first call is done without authentication header, resulting in a 401 Response from Artifactory.

Maven is then supposed to perform the same call with an authentication header. This is the case for maven-metadata.xml files.

But for .pom and .jar files, the request is not re-attempted as shown in the log below:

20150303104244|3|REQUEST|xxx.xxx.xxx.xxx|non_authenticated_user|GET|/libs-snapshot-local/mycompany/common/common-config/1.0.4-SNAPSHOT/maven-metadata.xml|HTTP/1.1|401|0
20150303104244|12|REQUEST|xxx.xxx.xxx.xxx|user|GET|/libs-snapshot-local/mycompany/common/common-config/1.0.4-SNAPSHOT/maven-metadata.xml|HTTP/1.1|200|322
20150303104244|40|REQUEST|xxx.xxx.xxx.xxx|user|GET|/libs-snapshot-local/mycompany/common/common-config/1.0.4-SNAPSHOT/maven-metadata.xml.sha1|HTTP/1.1|200|40
20150303104244|4|REQUEST|xxx.xxx.xxx.xxx|user|GET|/libs-snapshot-local/mycompany/common/common-config/1.0.4-SNAPSHOT/maven-metadata.xml.md5|HTTP/1.1|200|32
20150303104245|2|REQUEST|xxx.xxx.xxx.xxx|non_authenticated_user|HEAD|/libs-snapshot-local/mycompany/myproject/myproject-interface/2.0.0-SNAPSHOT/myproject-interface-2.0.0-SNAPSHOT.jar|HTTP/1.1|401|0
20150303104245|2|REQUEST|xxx.xxx.xxx.xxx|non_authenticated_user|HEAD|/libs-snapshot-local/mycompany/myproject/myproject-interface/2.0.0-SNAPSHOT/myproject-interface-2.0.0-SNAPSHOT.jar|HTTP/1.1|401|0

As explained the maven-metadata.xml file download is reattempted with user credentials but the myproject-interface-2.0.0-SNAPSHOT.jar is not.

I tried to enable the preemtive authentication for that server but I could not find any change in Maven behaviour :

    <server>
        <id>snapshot</id>
        <username>user</username>
        <password>xxx</password>
        <configuration>
            <httpConfiguration>
                <all>
                    <usePreemptive>true</usePreemptive>
                    <params>
                        <property>
                            <name>http.authentication.preemptive</name>
                            <value>%b,true</value>
                        </property>
                    </params>
                </all>
            </httpConfiguration>
        </configuration>
    </server>

This only concerns the update of existing SNAPSHOT as downloading new artifacts is done with HTTP GET with contains the autentication header (at least with a retry). This still prevents a correct usage of SNAPSHOT artifacts.

I am using Maven 3.2.1 and Artifactory 3.4.2.

Answer 1

For anyone else who lands here hoping to enable preemptive authentication by default:

The documentation for this setting on the main Maven site is wrong. I spent a while tracking it down but ultimately found the answer on an open bug ticket which I've reproduced below. This worked for Maven 3.1.1 on OS X.

<servers>
 <server>
  <id>serverid</id>
  <username>myuser</username>
  <password>mypassword</password>
  <configuration>
   <wagonProvider>httpclient</wagonProvider>
   <httpConfiguration>
    <all>
     <usePreemptive>true</usePreemptive>
    </all>
   </httpConfiguration>
  </configuration>
 </server>
</servers>

Answer 2

This was related to the usage of the "Maven Snapshot Version Behavior" option in the Artifactory snapshot repository.

As explained here, this option is not supported by Maven 3 anymore.

Maven 3 Only Supports Unique Snapshots

Maven 3 has dropped support for resolving and deploying non-unique snapshots. Therefore, if you have a snapshot repository using non-unique snapshots, we recommend that youchange your Maven snapshot policy to 'Unique' and remove any previously deployed snapshots from this repository. The unique snapshot name generated by the Maven client on deployment cannot help in identifying the source control changes from which the snapshot was built and has no relation to the time sources were checked out. Therefore,we recommend that the artifact itself should embed the revision/tag (as part of its name or internally) for clear and visible revision tracking. Artifactory allows you to tag artifacts with the revision number as part of its Build Integration support.

Switching to Unique solved this issue.