Discussion:
[jira] Created: (MRM-1181) HTTP 401 - Unauthorized is Returned when Accessing Artifact from Repository Group if the User Doesn't Have Access to All Repositories in the Group
Scott Seiter (JIRA)
2009-05-07 23:40:44 UTC
HTTP 401 - Unauthorized is Returned when Accessing Artifact from Repository Group if the User Doesn't Have Access to All Repositories in the Group
--------------------------------------------------------------------------------------------------------------------------------------------------

Key: MRM-1181
URL: http://jira.codehaus.org/browse/MRM-1181
Project: Archiva
Issue Type: Bug
Components: Users/Security
Affects Versions: 1.2
Environment: Archiva 1.2; Tomcat 6.0.16; JRE 1.6.0_06-b02
Reporter: Scott Seiter
Priority: Minor


When trying to access an artifact via a repository group, Archiva returns 'HTTP 401 - Unauthorized' when the artifact can't be found in the set of repositories the user has access to and there is at least 1 repository in the repository group the user doesn't have permission to access.

In this case it may be more logical to return an HTTP 404 instead of an HTTP 401.

On the client machine, Maven responds to the 401 with (where the repository group name is group-repo-name):

[WARNING] repository metadata for: 'artifact org.apache.maven.plugins:maven-checkstyle-plugin' could not be retrieved from repository: group-repo-name due to an error: Error transferring file
[INFO] Repository 'group-repo-name' will be blacklisted

By the way, the artifact being requested is http://maven.co.myorganization.org/archiva/repository/group-repo-name/org/apache/maven/plugins/maven-checkstyle-plugin/2.2/maven-checkstyle-plugin-2.2.pom.

Another note, the wire trace shows that the client requests the resource 20 times and receives 20 HTTP 401 messages from the server in response.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://jira.codehaus.org/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
Brett Porter (JIRA)
2009-05-14 19:08:44 UTC
[ http://jira.codehaus.org/browse/MRM-1181?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Brett Porter updated MRM-1181:
------------------------------

Fix Version/s: 1.3

I agree, 404 should be the correct behaviour
Maria Odea Ching (JIRA)
2010-01-12 04:13:01 UTC
[ http://jira.codehaus.org/browse/MRM-1181?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Maria Odea Ching updated MRM-1181:
----------------------------------

Fix Version/s: (was: 1.3)
1.3.1
Stefan Seifert (JIRA)
2010-01-25 23:51:55 UTC
[ http://jira.codehaus.org/browse/MRM-1181?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=208144#action_208144 ]

Stefan Seifert commented on MRM-1181:
-------------------------------------

We need a fix for this issue, too.

It prevents downloading source attachments for our projects and results in blacklisting the Archiva repository in the Maven client, e.g.:
{noformat}
[INFO] Scanning for projects...
[INFO] snapshot de.xxx.dfra:de.xxx.dfra.parent_toplevel:0.5.0-SNAPSHOT: checking for updates from pvtool.repository
[WARNING] repository metadata for: 'snapshot de.xxx.dfra:de.xxx.dfra.parent_toplevel:0.5.0-SNAPSHOT'
could not be retrieved from repository: pvtool.repository due to an error:
Authorization failed: Access denied to: https://xxx/archiva/repository/default/de/xxx
/dfra/de.xxx.dfra.parent_toplevel/0.5.0-SNAPSHOT/maven-metadata.xml
[INFO] Repository 'pvtool.repository' will be blacklisted
{noformat}
Fix For: 1.4
Stefan Seifert (JIRA)
2010-01-25 23:55:56 UTC
[ http://jira.codehaus.org/browse/MRM-1181?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=208145#action_208145 ]

Stefan Seifert commented on MRM-1181:
-------------------------------------

BTW, this problem did not exist in Apache Archiva 1.1.x.
It exists in Archiva 1.2 and 1.3 as well.
Wendy Smoak (JIRA)
2010-12-23 18:18:58 UTC
[ http://jira.codehaus.org/browse/MRM-1181?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=249578#action_249578 ]

Wendy Smoak commented on MRM-1181:
----------------------------------

I can reproduce this in 1.3. For me it happens when a repository the user does _not_ have access to contains the full or partial groupId path.

For example:

imbrium:Downloads wsmoak$ wget --user=build --password=bu1Ld http://localhost:8765/archiva/repository/all/com/example/doesnotexist/1.0-SNAPSHOT/maven-metadata.xml
--2010-12-23 13:05:57-- http://localhost:8765/archiva/repository/all/com/example/doesnotexist/1.0-SNAPSHOT/maven-metadata.xml
Resolving localhost... 127.0.0.1, ::1
Connecting to localhost|127.0.0.1|:8765... connected.
HTTP request sent, awaiting response... 401 Unauthorized
Reusing existing connection to localhost:8765.
HTTP request sent, awaiting response... 401 Unauthorized
Authorization failed.

will happen if
- the 'all' repo group contains internal, snapshots, and another
- the 'build' user does not have access to the 'another' repository
- the 'another' repository has, at minimum, a 'com' subdirectory. It could have com/example or even contain other artifacts in the com.example group or below.

The fact that Archiva says 401 when the artifact is nowhere in any of its repositories causes confusing results as Maven blacklists the repo and reports a bunch of *other* artifacts missing (that really are present.)

The only time I would think the 401 is appropriate is if the 'another' repository actually contained the artifact being requested. And even then I'm not sure it's worth being technically correct when it's going to cause Maven to blacklist the repo and not be able to retrieve other things that the user may be authorized to see.
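The two behaviours discussed in this thread, modelled in Python as an added example (not Archiva code and not written by any participant): `reported_status` follows the trigger described in the last comment, and `requested_status` returns the 404 the reporter asks for. The function names, the `report_denied_hits` switch and the repository contents are constructed for illustration.

```python
# Added illustration: a model of the behaviour discussed in MRM-1181, not Archiva code.
# All names and the sample repository contents are constructed for this example.

def top_dir(path):
    """First directory of an artifact path, e.g. 'com' for 'com/example/...'."""
    return path.split("/", 1)[0]

def find_readable(group, readable, path):
    """Return the first repository the user may read that holds `path`, else None."""
    for name, paths in group.items():
        if name in readable and path in paths:
            return name
    return None

def reported_status(group, readable, path):
    """Behaviour as reported in the thread: 401 as soon as a repository the
    user cannot read contains part of the requested directory path."""
    if find_readable(group, readable, path):
        return 200
    for name, paths in group.items():
        if name not in readable and any(top_dir(p) == top_dir(path) for p in paths):
            return 401
    return 404

def requested_status(group, readable, path, report_denied_hits=False):
    """Behaviour asked for in the thread: 404 when the artifact is not available.
    With report_denied_hits=True, 401 is kept only for the case where an
    unreadable repository really holds the requested artifact."""
    if find_readable(group, readable, path):
        return 200
    if report_denied_hits:
        for name, paths in group.items():
            if name not in readable and path in paths:
                return 401
    return 404

# Constructed sample: group 'all' = internal + snapshots + another;
# the 'build' user cannot read 'another'.
CHECKSTYLE_POM = "org/apache/maven/plugins/maven-checkstyle-plugin/2.2/maven-checkstyle-plugin-2.2.pom"
PRIVATE_POM = "com/example/private/1.0/private-1.0.pom"
MISSING = "com/example/doesnotexist/1.0-SNAPSHOT/maven-metadata.xml"
ALL = {"internal": {CHECKSTYLE_POM}, "snapshots": set(), "another": {PRIVATE_POM}}
BUILD_CAN_READ = {"internal", "snapshots"}

if __name__ == "__main__":
    for fn in (reported_status, requested_status):
        print(fn.__name__, fn(ALL, BUILD_CAN_READ, MISSING))
```

With the default `report_denied_hits=False`, a path held only by an unreadable repository gets the same 404 as a path that exists nowhere, so the response does not reveal what that repository contains.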