Issue #7101 invalid

BUG: accessing private repository with Maven without authentication!

Anonymous created an issue

hi, a few days ago I started to use Bitbucket.org; my bitbucket account is "nimblebit".

So I have tried to use Bitbucket.org as repository SCM and as remote repository to hold custom Maven artifacts and dependencies.

I noticed a bug ... I have created a PRIVATE repository "m2_repo", filled it with a test library dependency "test-api" and ran my pom.xml (see below).

I am able to download the contents of my private repository without authentication ... also my colleague, who does NOT have an account on bitbucket, is able to download the contents of my private repository without authentication!!

Below is the pom.xml I use!

<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
  <modelVersion>4.0.0</modelVersion>

  <groupId>it.fastbookspa.test</groupId>
  <artifactId>test-app</artifactId>
  <version>1.0-SNAPSHOT</version>
  <packaging>war</packaging>

  <name>test-app Maven Webapp</name>
  <url>http://maven.apache.org</url>

  <properties>
    <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
    <!--
    SAME PROBLEM: ANONYMOUS ACCESS
    <m2_repo.path>https://bitbucket.org/nimblebit/m2_repo/raw/master</m2_repo.path>
    -->

    <m2_repo.path>https://bitbucket.org/nimblebit/m2_repo/raw</m2_repo.path>
  </properties>

  <dependencies>
    <dependency>
      <groupId>junit</groupId>
      <artifactId>junit</artifactId>
      <version>3.8.1</version>
      <scope>test</scope>
    </dependency>

    <dependency>
      <groupId>it.fastbookspa.test</groupId>
      <artifactId>test-api</artifactId>
      <version>1.0-SNAPSHOT</version>
    </dependency>
  </dependencies>

  <repositories>
    <repository>
      <id>m2_repo_snapshots</id>
      <name>m2_repo snapshots</name>
      <url>${m2_repo.path}/snapshots</url>
      <releases>
        <enabled>false</enabled>
        <updatePolicy>always</updatePolicy>
        <!--
        <checksumPolicy>warn</checksumPolicy>
        -->
      </releases>
      <snapshots>
        <enabled>true</enabled>
        <updatePolicy>never</updatePolicy>
        <!--
        <checksumPolicy>fail</checksumPolicy>
        -->
      </snapshots>
      <layout>default</layout>
    </repository>
    <repository>
      <id>m2_repo_releases</id>
      <name>m2_repo releases</name>
      <url>${m2_repo.path}/releases</url>
      <releases>
        <enabled>true</enabled>
        <updatePolicy>always</updatePolicy>
        <!--
        <checksumPolicy>fail</checksumPolicy>
        -->
      </releases>
      <snapshots>
        <enabled>false</enabled>
        <updatePolicy>always</updatePolicy>
        <!--
        <checksumPolicy>warn</checksumPolicy>
        -->
      </snapshots>
      <layout>default</layout>
    </repository>
  </repositories>

  <build>
    <finalName>test-app</finalName>
  </build>
</project>

Best regards

Orazio

Comments (10)

  1. Nicolas Venegas

    Hi

    I can't seem to reproduce the problem on your repository by trying to access a file by its URL directly through curl (I get a 401 UNAUTHORIZED response).

    Does it only happen through maven? Are there some commands you could supply me with so that I can try to reproduce in the same manner you are able to access the repository, please?

    Cheers

    Nicolas

  2. Anonymous

    Hi, there are no problems with curl or wget or a browser ... it only happens through maven!

    to reproduce the bug follow these steps:

    1. install maven (i.e. the current version is 3.0.5 Apache Maven);
    2. create a web project ... e.g. org.apache.maven.archetypes:maven-archetype-webapp (An archetype which contains a sample Maven Webapp project.);
    3. add to pom.xml:
    <properties>
        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
            <!--
            SAME PROBLEM: ANONYMOUS ACCESS
              <m2_repo.path>https://bitbucket.org/nimblebit/m2_repo/raw/master</m2_repo.path>
            -->
    
        <m2_repo.path>https://bitbucket.org/nimblebit/m2_repo/raw</m2_repo.path>
      </properties>
    
    <dependencies>
    ...
       <dependency>
          <groupId>it.fastbookspa.test</groupId>
          <artifactId>test-api</artifactId>
          <version>1.0-SNAPSHOT</version>
        </dependency>
    ...
    
    <repositories>
        <repository>
            <id>m2_repo_snapshots</id>
            <name>m2_repo snapshots</name>
            <url>${m2_repo.path}/snapshots</url>
            <releases>
                <enabled>false</enabled>
                <updatePolicy>always</updatePolicy>
                <!--
                <checksumPolicy>warn</checksumPolicy>
                -->
            </releases>
            <snapshots>
                <enabled>true</enabled>
                <updatePolicy>never</updatePolicy>
                <!--
                <checksumPolicy>fail</checksumPolicy>
                -->
            </snapshots>
            <layout>default</layout>
        </repository>
        <repository>
            <id>m2_repo_releases</id>
            <name>m2_repo releases</name>
            <url>${m2_repo.path}/releases</url>
            <releases>
                <enabled>true</enabled>
                <updatePolicy>always</updatePolicy>
                <!--
                <checksumPolicy>fail</checksumPolicy>
                -->
            </releases>
            <snapshots>
                <enabled>false</enabled>
                <updatePolicy>always</updatePolicy>
                <!--
                <checksumPolicy>warn</checksumPolicy>
                -->
            </snapshots>
            <layout>default</layout>
        </repository>
    </repositories>
    

    save and simply execute

    mvn compile
    

    As you can see from the log of maven, maven downloads the test-api dependency ... and if you check the local repository:

    ${user.home}/.m2/repository
    

    you will find the folder:

    it/fastbookspa/test/test-api/1.0-SNAPSHOT
    

    within which there are all the files of the test-api dependency that were on my PRIVATE repository on Bitbucket (m2_repo) ... all this without having done any authentication!

    Regards

    Orazio

  3. Brodie Rao staff

    I've looked through our server logs. Every single request by Maven clients against the URL you mentioned was denied. Though to be more specific, Bitbucket replied with 302 Found and redirected Maven to the login page (which it also downloaded).

    Can you check the actual contents of the files it downloaded from Bitbucket? I suspect you'll see that they contain the HTML for our login page.
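A way to perform the content check Brodie describes across a whole local repository, added here as an example (it is not Bitbucket's, Maven's or the reporter's code): it walks a Maven local repository and flags .jar/.pom/.sha1 files whose bytes are an HTML page rather than a zip archive, a POM or a hex digest. The sample repository layout, the poisoned artifact coordinates (example/hypothetical/poisoned-lib), the digest value and the login-page bytes are constructed; only the test-api path matches the one reported above.

```python
"""Scan a Maven local repository for artifacts that are really HTML pages.

Added example for this thread (not Bitbucket's, Maven's or the reporter's code).
When a repository URL redirects to a login page, Maven can store that HTML under
the .jar/.pom/.sha1 file name; this script reports such files.
"""
import os
import re
import sys
import tempfile
import zipfile

# Signatures used to decide what a file really is.
ZIP_MAGIC = b"PK\x03\x04"                                    # zip local-file header (jar/war)
HTML_RE = re.compile(rb"<!doctype\s+html|<html[\s>]", re.IGNORECASE)
POM_RE = re.compile(rb"<project[\s>]")                        # a POM's root element
DIGEST_RE = re.compile(rb"^[0-9a-fA-F]{32,40}\b")             # md5 or sha1 hex digest
CHECKED_EXTENSIONS = (".jar", ".war", ".pom", ".sha1", ".md5")


def classify(path):
    """Return 'ok', 'html' or 'unexpected' for one file in the local repository."""
    with open(path, "rb") as fh:
        head = fh.read(4096)
    if HTML_RE.search(head):
        return "html"                       # a web page cached under an artifact name
    ext = os.path.splitext(path)[1].lower()
    if ext in (".jar", ".war"):
        ok = head.startswith(ZIP_MAGIC) and zipfile.is_zipfile(path)
    elif ext == ".pom":
        ok = POM_RE.search(head) is not None
    else:                                   # .sha1 / .md5: digest, optionally followed by a name
        ok = DIGEST_RE.match(head.strip()) is not None
    return "ok" if ok else "unexpected"


def scan(root):
    """Walk a local repository; return {relative path: verdict} for every file that is not ok."""
    findings = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.lower().endswith(CHECKED_EXTENSIONS):
                continue
            full = os.path.join(dirpath, name)
            verdict = classify(full)
            if verdict != "ok":
                findings[os.path.relpath(full, root).replace(os.sep, "/")] = verdict
    return findings


# Constructed sample data: a login page standing in for what the 302 redirect returned.
FAKE_LOGIN_PAGE = (b"<!DOCTYPE html>\n<html><head><title>Log in - Bitbucket</title></head>"
                   b"<body>...</body></html>\n")
REAL_POM = (b'<?xml version="1.0"?>\n<project xmlns="http://maven.apache.org/POM/4.0.0">'
            b'<modelVersion>4.0.0</modelVersion></project>\n')


def build_demo_repository(root):
    """Lay out a tiny local repository: one genuine artifact, one poisoned by the login page."""
    good = os.path.join(root, "it/fastbookspa/test/test-api/1.0-SNAPSHOT")   # path reported above
    os.makedirs(good, exist_ok=True)
    with zipfile.ZipFile(os.path.join(good, "test-api-1.0-SNAPSHOT.jar"), "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    with open(os.path.join(good, "test-api-1.0-SNAPSHOT.pom"), "wb") as fh:
        fh.write(REAL_POM)
    with open(os.path.join(good, "test-api-1.0-SNAPSHOT.jar.sha1"), "wb") as fh:
        fh.write(b"da39a3ee5e6b4b0d3255bfef95601890afd80709\n")   # constructed digest value
    bad = os.path.join(root, "example/hypothetical/poisoned-lib/1.0")         # hypothetical coordinates
    os.makedirs(bad, exist_ok=True)
    for name in ("poisoned-lib-1.0.jar", "poisoned-lib-1.0.pom", "poisoned-lib-1.0.jar.sha1"):
        with open(os.path.join(bad, name), "wb") as fh:
            fh.write(FAKE_LOGIN_PAGE)


def demo():
    """Build the constructed repository in a temp dir and return the scan findings."""
    with tempfile.TemporaryDirectory() as root:
        build_demo_repository(root)
        return scan(root)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else os.path.expanduser("~/.m2/repository")
    for path, verdict in sorted(scan(target).items()):
        print(f"{verdict:10s} {path}")
```

Run it with no arguments to scan ~/.m2/repository, or pass another path. Anything reported as html is a web page cached under an artifact name and should be removed before the next build resolves it from the local cache. With the <checksumPolicy> lines in the POM above commented out, Maven falls back to its default policy, which only warns on checksum problems, so an after-the-fact content check like this is worth keeping around.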

  4. Anonymous

    You're right! The actual contents of the downloaded files (xml, pom, jar) are HTML with the login page. Sorry!

    Now, my questions are:

    1. Is it possible to use a private bitbucket repository as a maven dependency repository?
    2. If yes, how do I log in to my private bitbucket repository through maven and download dependencies?

    Regards

    Orazio

  5. Brodie Rao staff

    I'm unfortunately not familiar enough with Maven to give you a definitive solution, but I think what you're trying to do should work if you can get Maven to do HTTP basic/digest authentication.

    This Stack Overflow post suggests doing the following:

    <server>  
      <id>Artifactory</id>
      <username>someArtifactoryUser</username>
      <password>someArtifactoryPassword</password>
      <configuration>  
        <authenticationInfo>
          <userName>auth-user</userName>
          <password>auth-pass</password>
        </authenticationInfo>
      </configuration>  
    </server>
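Maven attaches <server> credentials from settings.xml to a repository only when the server's <id> equals the repository's <id>, so a server entry named "Artifactory" as in the snippet above would not be applied to the m2_repo_snapshots and m2_repo_releases repositories declared in the reporter's POM. The following added example (not from the original thread, Bitbucket or Maven) parses a POM and a settings.xml and lists the repositories that have no matching <server> entry. The trimmed POM and both settings documents are constructed from the ids on this page, and the username/password values are placeholders.

```python
"""Report POM repositories that have no matching <server> credentials in settings.xml.

Added example for this thread, not Bitbucket's, Maven's or the reporter's code.
"""
import xml.etree.ElementTree as ET


def _local(tag):
    """Strip a namespace prefix such as {http://maven.apache.org/POM/4.0.0} from a tag."""
    return tag.rsplit("}", 1)[-1]


def _child_text(elem, name):
    """Text of the first direct child with the given local name, or None."""
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return None


def repository_ids(pom_xml):
    """Ids of every <repository> and <pluginRepository> declared in a POM."""
    root = ET.fromstring(pom_xml)
    return sorted(
        _child_text(e, "id")
        for e in root.iter()
        if _local(e.tag) in ("repository", "pluginRepository") and _child_text(e, "id")
    )


def server_ids(settings_xml):
    """Ids of every <server> entry in settings.xml."""
    root = ET.fromstring(settings_xml)
    return sorted(
        _child_text(e, "id")
        for e in root.iter()
        if _local(e.tag) == "server" and _child_text(e, "id")
    )


def unauthenticated_repositories(pom_xml, settings_xml):
    """Repositories Maven will contact anonymously because no <server> id matches."""
    return sorted(set(repository_ids(pom_xml)) - set(server_ids(settings_xml)))


# Constructed: the reporter's two repositories, trimmed to the elements that matter here.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <repositories>
    <repository><id>m2_repo_snapshots</id><url>https://bitbucket.org/nimblebit/m2_repo/raw/snapshots</url></repository>
    <repository><id>m2_repo_releases</id><url>https://bitbucket.org/nimblebit/m2_repo/raw/releases</url></repository>
  </repositories>
</project>"""

# Constructed: a settings.xml following the snippet above; "Artifactory" matches neither repository id.
SETTINGS_MISMATCHED = """<settings>
  <servers>
    <server><id>Artifactory</id><username>PLACEHOLDER_USER</username><password>PLACEHOLDER_PASSWORD</password></server>
  </servers>
</settings>"""

# Constructed: one <server> per repository id, which is what makes Maven send the credentials.
SETTINGS_MATCHED = """<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0">
  <servers>
    <server><id>m2_repo_snapshots</id><username>PLACEHOLDER_USER</username><password>PLACEHOLDER_PASSWORD</password></server>
    <server><id>m2_repo_releases</id><username>PLACEHOLDER_USER</username><password>PLACEHOLDER_PASSWORD</password></server>
  </servers>
</settings>"""


if __name__ == "__main__":
    for label, settings in (("mismatched", SETTINGS_MISMATCHED), ("matched", SETTINGS_MATCHED)):
        anonymous = unauthenticated_repositories(SAMPLE_POM, settings)
        print(f"{label}: repositories contacted without credentials: {anonymous or 'none'}")
```

Point the two functions at a real pom.xml and ~/.m2/settings.xml to audit a build. Once the ids line up, prefer storing the password encrypted with Maven's settings-security.xml mechanism (`mvn --encrypt-master-password`, then `mvn --encrypt-password`) rather than in the clear, and rerun the content check from the earlier comment after the first authenticated build to confirm that real archives, not a login page, were cached.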
    