Gradle 2.4 Breaks Authentication with Nexus from Maven Publish plugin

mecoru · May 26, 2015, 9:14pm

In versions up to 2.3 (we tested 2.1, 2.2, and 2.3) the authentication to our Sonatype Nexus (free version) works properly because Sonatype Nexus (free version) uses a very simple kind of authentication where the auth info is in the actual payload rather than in a header like an Auth header. Starting in Gradle 2.4 (verified with HttpAnalyzer trace), Gradle uses an Auth Header with Basic Auth. This breaks authentication to Sonatype Nexus (free version) because the free version doesn’t have all the authentication methods that the full pay-for version has. This is a major stopper for us as we do not use the Nexus full pay-for version. Can you provide an option with Gradle 2.4 and beyond that allows what worked in previous versions of Gradle with the Maven Publishing plugin? We are stuck at 2.3 for now. Thanks, Mike

luke_daley · May 26, 2015, 10:36pm

@daz @Adrian_Kelly any idea what the change on our side was that caused this?

Adrian_Kelly · May 27, 2015, 12:59am

The maven publish plugin was changed to use internal resource connectors, namely org.gradle.internal.resource.transfer.ExternalResourceConnector and org.gradle.internal.resource.transport.http.HttpConnectorFactory, to carry out the transport of artifacts over HTTP(S). Prior to this, the maven-publish plugin was using one of the maven wagons (LightweightHttpWagon) provided by maven-ant-tasks.

It’s likely that the underlying HttpClient is not configured to use the authentication type mentioned above.

@mecoru which version of nexus are you using?

mecoru · May 27, 2015, 2:51pm

I’ve found a workaround. In Nexus OSS, you can create a userid (rather than using the default anonymous userid) and set it up with the right privs. Then it will take the new Basic Auth header that Gradle 2.4 started sending out. At one point, this capability was restricted to the pay-for version but now the OSS has some simple auth methods including basic and LDAP. Pay-for adds more but OSS version has enough.

The anonymous userid has an anonymous role that actually overrides others and also turns off the ability to respond to basic auth.

I’d recommend this as some kind of documentation fix for Gradle rather than a code change. The docs should mention that as of Gradle 2.4, the Maven Publishing plugin sends out a Basic Auth header and you should create an official userid in Nexus OSS to handle that.

Thanks,

Mike