Authenticated HEAD call from Maven to Artifactory

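I recently enabled security on my Artifactory instance, which caused several problems. One still remains and looks a bit odd:

Maven uses HTTP HEAD to check whether a new SNAPSHOT has been deployed. However, when security is enabled, the first call is made without the authentication header, resulting in a 401 response from Artifactory.

Maven should then perform the same call with the authentication header. This is the case for the maven-metadata.xml file.

But for .pom and .jar files, the request is not re-attempted, as shown in the log below: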

    20150303104244|3|REQUEST|xxx.xxx.xxx.xxx|non_authenticated_user|GET|/libs-snapshot-local/mycompany/common/common-config/1.0.4-SNAPSHOT/maven-metadata.xml|HTTP/1.1|401|0
    20150303104244|12|REQUEST|xxx.xxx.xxx.xxx|user|GET|/libs-snapshot-local/mycompany/common/common-config/1.0.4-SNAPSHOT/maven-metadata.xml|HTTP/1.1|200|322
    20150303104244|40|REQUEST|xxx.xxx.xxx.xxx|user|GET|/libs-snapshot-local/mycompany/common/common-config/1.0.4-SNAPSHOT/maven-metadata.xml.sha1|HTTP/1.1|200|40
    20150303104244|4|REQUEST|xxx.xxx.xxx.xxx|user|GET|/libs-snapshot-local/mycompany/common/common-config/1.0.4-SNAPSHOT/maven-metadata.xml.md5|HTTP/1.1|200|32
    20150303104245|2|REQUEST|xxx.xxx.xxx.xxx|non_authenticated_user|HEAD|/libs-snapshot-local/mycompany/myproject/myproject-interface/2.0.0-SNAPSHOT/myproject-interface-2.0.0-SNAPSHOT.jar|HTTP/1.1|401|0
    20150303104245|2|REQUEST|xxx.xxx.xxx.xxx|non_authenticated_user|HEAD|/libs-snapshot-local/mycompany/myproject/myproject-interface/2.0.0-SNAPSHOT/myproject-interface-2.0.0-SNAPSHOT.jar|HTTP/1.1|401|0

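As stated, the maven-metadata.xml file download is re-attempted with the user's credentials, but myproject-interface-2.0.0-SNAPSHOT.jar is not.

I tried to enable preemptive authentication for this server, but I couldn't find any change in Maven's behavior: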

    <server>
        <id>snapshot</id>
        <username>user</username>
        <password>xxx</password>
        <configuration>
            <httpConfiguration>
                <all>
                    <usePreemptive>true</usePreemptive>
                    <params>
                        <property>
                            <name>http.authentication.preemptive</name>
                            <value>%b,true</value>
                        </property>
                    </params>
                </all>
            </httpConfiguration>
        </configuration>
    </server>

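This only concerns updates of existing SNAPSHOTs, since downloading new artifacts is done using HTTP GET, which includes the authentication header (after at least one retry). This still prevents proper use of SNAPSHOT artifacts.

I'm using Maven 3.2.1 and Artifactory 3.4.2.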
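
An added example (not part of the original post): a small Python check over the request-log format shown in the question that reports anonymous 401 responses never followed by an authenticated request for the same method and path. The field order is inferred from the excerpt (an assumption), and the sample lines are copied from it.

```python
from collections import namedtuple

# Field order inferred from the log excerpt in the question (assumption):
# timestamp|duration_ms|type|client_ip|user|method|path|protocol|status|bytes
Entry = namedtuple("Entry", "ts duration kind ip user method path protocol status size")
ANONYMOUS = "non_authenticated_user"
BASE = "/libs-snapshot-local/mycompany"

# Sample lines copied from the excerpt in the question.
SAMPLE_LOG = [
    f"20150303104244|3|REQUEST|xxx.xxx.xxx.xxx|non_authenticated_user|GET|{BASE}/common/common-config/1.0.4-SNAPSHOT/maven-metadata.xml|HTTP/1.1|401|0",
    f"20150303104244|12|REQUEST|xxx.xxx.xxx.xxx|user|GET|{BASE}/common/common-config/1.0.4-SNAPSHOT/maven-metadata.xml|HTTP/1.1|200|322",
    f"20150303104245|2|REQUEST|xxx.xxx.xxx.xxx|non_authenticated_user|HEAD|{BASE}/myproject/myproject-interface/2.0.0-SNAPSHOT/myproject-interface-2.0.0-SNAPSHOT.jar|HTTP/1.1|401|0",
    f"20150303104245|2|REQUEST|xxx.xxx.xxx.xxx|non_authenticated_user|HEAD|{BASE}/myproject/myproject-interface/2.0.0-SNAPSHOT/myproject-interface-2.0.0-SNAPSHOT.jar|HTTP/1.1|401|0",
]

def parse_line(line):
    """Return an Entry, or None if the line is not a 10-field REQUEST record."""
    parts = line.strip().split("|")
    if len(parts) != 10 or parts[2] != "REQUEST":
        return None
    try:
        return Entry(parts[0], int(parts[1]), *parts[2:8], int(parts[8]), int(parts[9]))
    except ValueError:
        return None

def unretried_challenges(lines):
    """Map (method, path) -> number of anonymous 401s that no later
    authenticated request for the same method and path followed."""
    pending = {}
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        key = (entry.method, entry.path)
        if entry.user == ANONYMOUS and entry.status == 401:
            pending[key] = pending.get(key, 0) + 1
        elif entry.user != ANONYMOUS:
            # The client came back with credentials, so the challenge was answered.
            pending.pop(key, None)
    return pending

if __name__ == "__main__":
    for (method, path), count in unretried_challenges(SAMPLE_LOG).items():
        print(f"{count}x {method} {path}: 401 never retried with credentials")
```
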

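This is related to the use of the "Maven Snapshot Version Behavior" option in the Artifactory snapshot repository.

As described here, Maven 3 no longer supports this option.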

Maven 3 Only Supports Unique Snapshots

Maven 3 has dropped support for resolving and deploying non-unique snapshots. Therefore, if you have a snapshot repository using non-unique snapshots, we recommend that you change your Maven snapshot policy to 'Unique' and remove any previously deployed snapshots from this repository. The unique snapshot name generated by the Maven client on deployment cannot help in identifying the source control changes from which the snapshot was built and has no relation to the time sources were checked out. Therefore, we recommend that the artifact itself should embed the revision/tag (as part of its name or internally) for clear and visible revision tracking. Artifactory allows you to tag artifacts with the revision number as part of its Build Integration support.

Switching to Unique solved the problem.

For anyone else looking to enable preemptive authentication by default:

The documentation for this setting on the main Maven site is wrong. I spent a while tracking it down but ultimately found the answer on an open bug ticket. I've reproduced it below. This works for Maven 3.1.1 on OS X.

    <servers>
     <server>
      <id>serverid</id>
      <username>myuser</username>
      <password>mypassword</password>
      <configuration>
       <wagonProvider>httpclient</wagonProvider>
       <httpConfiguration>
        <all>
         <usePreemptive>true</usePreemptive>
        </all>
       </httpConfiguration>
      </configuration>
     </server>
    </servers>