Gradle 1.9 cannot access artifactory repository that is protected by Basic Authentication

In short: it looks like that gradle does not do pre-emptive basic authentication if it is doing get requests (see HttpClientConfigurer.java)

Artifactory does not challenge the client, if a directory listing is requested (prolly for security reasons). Instead it reports an empty directory if you are not properly authenticate. If I would request a fixed version number, I get a challenge and resolving does work. Because of this, dynamic versions cannot be resolved using gradle and a protected artifactory repository!

Here is my build file for testing this:

group = ‘de.enterprise.project’

def artifactoryRepoBase = ‘http://aisrepo.enterprise.com/artifactory’

repositories {

ivy {

credentials {

username “myUser”

password “password”

}

url artifactoryRepoBase + ‘/b2b-gradle-internal’

layout “pattern”, {

artifact ‘[organization]/[module]/[revision]/[module]-revision.[ext]’

ivy ‘[organization]/[module]/ivy-[revision].xml’

}

}

}

apply plugin: ‘java’

dependencies {

compile group: ‘de.enterprise.project.info’, name: ‘info’, version: “3.5.+” // does not work, gets empty dir

// compile group: ‘de.enterprise.project.info’, name: ‘info’, version: “3.5.0-20131127155348” // does work, but is fixed

}

(sorry, couldn’t figure out how the heck you are creating these code blocks). A simple help button at the editor would be nice…

This is a serious problem for us. We absolutely have to protect our internal artifactory repository (company has over 300.000 employees that can access the intranet). And we really need the dynamic versions for our multi-project platform.

Is there a way to enforce pre-emptive authentication for all kind of requests for repositories where credentials are available? Or can I configure artifactory to always challenge for certain repositories? I haven’t found this option yet.

I am on gradle 1.9 and artifactory 3.0.4

Any help will be appreciated

Andreas

Code block are created with HTML code tags.

So what you are saying is that basic auth doesn’t work together with dynamic versions? (The title of your post suggests that it doesn’t work at all.) Have you tried with Gradle 1.7/1.8?

Gosh, you are fast.

Yes, you are right, the title is misleading. Gradle can access resources with fixed version numbers. At least if artifactory is not configured to hide these resources (there is an option for this in artifactory to hide resources if they are protected and no pre-emptive credentials are supplied. If this option is off, artifactory will challenge the client to authenticate. If it is turned on, artifactory reports “404 not found” instead of “401 Unauthorized” in case of no pre-emptive credentials).

So what I am reporting is, that dynamic Versions cannot be resolved with protected repositories in artifactory. This is, because Gradle does a GET request on the parent directory to get a list of the ivy-*.xml resources. This GET request will be without pre-emptive credentials and will therefore result in an empty directory.

I guess maven SNAPSHOT style versions will work, because it does not involve a directory scanning. But ivy and gradle style repositories will not work, because they involve directory scanning.

I will checkout gradle 1.7 and 1.8 tomorrow at work and will report tomorrow.

I can confirm, that this bug exists down to gradle 1.3 (haven’t tested further down).

Because gradle is sharing http connections, the workaround would be not to use a dynamic dependency as the first dependency. If gradle goes for a fixed version as the first dependency, artifactory challenges the client correctly and after that, the dynamic version is resolved correctly. I guess that’s the reason why nobody found this bug yet.

Still this is pretty unpredictable behaviour. I really would like to have a flag in the repository configuration to enforce pre-emptive authentication for a repository.

Thanks for the thorough investigation. Raised GRADLE-2968.