Fall back to anonymous JAR download on 4xx when Maven credentials are rejected #8158

Merged
Jammy-Louie merged 2 commits into main from maven-jar-auth-anonymous-fallback on Jul 2, 2026

@Jammy-Louie commented Jun 30, 2026 (Contributor)

Summary

  • MavenArtifactDownloader now retries the JAR download anonymously when settings.xml credentials are rejected by the remote repository (4xx), mirroring MavenPomDownloader.requestAsAuthenticatedOrAnonymous(). Credentials are applied first, so existing authenticated downloads against private repositories are unchanged and the anonymous attempt is only a fallback.

  • Fix LocalMavenArtifactCache cache filename missing the hyphen before the classifier (foo-1.0.0recipes.jar → foo-1.0.0-recipes.jar).

  • Include the classifier in the MavenDownloadingException message so artifact coordinates are complete during troubleshooting.

  • Split from the first commit of Try Maven downloads anonymously first, retry with credentials on 4xx #7447, to land this with minimal risk to existing behavior. A follow-up PR will mirror Apache Maven's anonymous-first behavior.

Test plan

  • fallsBackToAnonymousWhenServerReturns401
  • fallsBackToAnonymousWhenCredentialsRejected
  • downloadDependencies / downloadDependenciesWithClassifier

When Maven settings.xml credentials are rejected by the remote
repository (401/403), retry the JAR download without authentication.
Mirrors `MavenPomDownloader.requestAsAuthenticatedOrAnonymous()` and
Apache Maven's behavior, so anonymous-accessible artifacts resolve
even when configured credentials are invalid.

Also fixes two nits observed during troubleshooting:
- local cache filename was missing the hyphen before the classifier
  (`foo-1.0.0recipes.jar` → `foo-1.0.0-recipes.jar`)
- download error message omitted the classifier

Only retry a rejected authenticated JAR download anonymously when the
response is a genuine credential rejection, not a transient client error
(408 timeout, 425 too early, 429 too many requests). Mirrors
MavenPomDownloader.HttpSenderResponseException#isClientSideException().

Also treats configured HTTP-header auth as authentication when deciding
whether an anonymous retry is worthwhile.

@timtebeek left a comment (Member)

Thanks for diving in! I like the idea of splitting up the complexity to land this smaller part first. I've gone ahead and closed my earlier effort already.

Looking over your changes I've applied a few small fixes:

  • do not retry for 408 timeouts, 425 or 429 rejected requests
  • also retry anonymously when only header auth is present
  • swap the evaluation order to check the int response code before the more complex authentication

Let me know if you agree with these changes, and whether you had any further plans before marking this as ready for review or merging.

Approved to merge from my side.
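
The retry decision discussed in the review above, sketched as an added example (not code from this PR or from OpenRewrite; the class, method names, stub repositories and URL are hypothetical and constructed for illustration). It assumes any 4xx other than 408, 425 and 429 counts as a credential rejection when credentials or header auth are configured.

```java
import java.util.function.BiFunction;

// Added illustration; class and method names are hypothetical, not OpenRewrite's API.
public class AnonymousFallbackDemo {

    // Transient client errors named in the review: dropping credentials would not help.
    static boolean isTransient(int status) {
        return status == 408 || status == 425 || status == 429;
    }

    // Cheap int comparisons first, then the auth check (the order suggested in the review).
    static boolean shouldRetryAnonymously(int status, boolean hasCredentials, boolean hasHeaderAuth) {
        return status >= 400 && status <= 499
                && !isTransient(status)
                && (hasCredentials || hasHeaderAuth);
    }

    // 'send' stands in for the HTTP layer: (url, authenticated?) -> status code.
    static int download(String url, boolean hasCredentials, boolean hasHeaderAuth,
                        BiFunction<String, Boolean, Integer> send) {
        boolean authenticated = hasCredentials || hasHeaderAuth;
        int status = send.apply(url, authenticated);   // credentials are applied first
        if (shouldRetryAnonymously(status, hasCredentials, hasHeaderAuth)) {
            // Log the fallback so rejected credentials stay visible to operators.
            System.out.println("  " + status + " with auth, retrying anonymously");
            status = send.apply(url, false);
        }
        return status;
    }

    public static void main(String[] args) {
        // Constructed repositories for the demo.
        BiFunction<String, Boolean, Integer> rejectsStaleCreds = (u, auth) -> auth ? 401 : 200;
        BiFunction<String, Boolean, Integer> rateLimited = (u, auth) -> 429;
        BiFunction<String, Boolean, Integer> privateRepo = (u, auth) -> auth ? 403 : 401;
        String url = "https://repo.example.invalid/foo/1.0.0/foo-1.0.0-recipes.jar";

        System.out.println("stale credentials  -> " + download(url, true, false, rejectsStaleCreds));
        System.out.println("header auth only   -> " + download(url, false, true, rejectsStaleCreds));
        System.out.println("rate limited       -> " + download(url, true, false, rateLimited));
        System.out.println("private, bad creds -> " + download(url, true, false, privateRepo));
        System.out.println("no auth configured -> " + download(url, false, false, (u, a) -> 404));
    }
}
```

The private-repository case shows that the fallback cannot grant access the server does not already give anonymous clients: the anonymous retry is rejected as well and the failure is still reported.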

@github-project-automation github-project-automation Bot moved this from In Progress to Ready to Review in OpenRewrite Jul 2, 2026
@timtebeek timtebeek added the enhancement New feature or request label Jul 2, 2026
@Jammy-Louie Jammy-Louie marked this pull request as ready for review July 2, 2026 14:20
@Jammy-Louie commented (Contributor, Author)

Changes LGTM

@Jammy-Louie Jammy-Louie merged commit 23cdd71 into main Jul 2, 2026
1 check passed
@Jammy-Louie Jammy-Louie deleted the maven-jar-auth-anonymous-fallback branch July 2, 2026 14:57
@github-project-automation github-project-automation Bot moved this from Ready to Review to Done in OpenRewrite Jul 2, 2026