
I have a problem with XRay and a NuGet feed. For example, I have a project that depends on System.Data.SqlClient 4.1.0, which isn't blocked by XRay, but it has a dependency on System.Net.Security (>= 4.0.0), which is blocked by XRay.

When I try to restore packages using Artifactory, NuGet asks the API for available packages, then it picks the correct package (with the lowest compatible version by default) and tries to download it. The download is interrupted with a 403 Unauthorized error and a credentials popup window.

Example API calls:

https://example.com/artifactory/api/nuget/nuget-org/FindPackagesById()?id=%27System.Net.Security%27

https://example.com/artifactory/api/nuget/nuget-org/Download/System.Net.Security/4.0.0

I see two problems here:

First, if a package is blocked by XRay, then why is it listed in the feed? If the package were not listed in the feed, then NuGet would download the next available package (for example, not 4.0.0 but 4.0.1).

Second, if NuGet receives an HTTP 403 response, then it shows the user a popup to enter credentials for the feed.

HTTP 403 is a standard HTTP status code communicated to clients by an HTTP server to indicate that the server understood the request, BUT WILL NOT FULFILL IT FOR SOME REASON RELATED TO AUTHORIZATION. ~ https://en.wikipedia.org/wiki/HTTP_403

Is there any option to change this behavior in settings so that Artifactory won't show blocked packages in the NuGet feed?

Sylwekqaz