
Match Apache Maven's anonymous-first authentication for POM and JAR downloads #8169

Draft
Jammy-Louie wants to merge 2 commits into main from maven-anonymous-first-auth

Conversation


@Jammy-Louie Jammy-Louie commented Jul 3, 2026

Contributor

Summary

  1. Anonymous-first requests. MavenPomDownloader (reachability probes, jar-existence HEAD, and body/metadata GETs) and MavenArtifactDownloader now request without credentials first and retry with credentials on a credential-rejecting 4xx. This also stops sending credentials to repositories that serve anonymously.
  2. Per-host auth cache. A session-scoped host:port set on the ExecutionContext records which endpoints required authentication, mirroring Maven Resolver's BasicAuthCache (and the existing getUnreachableEndpoints pattern). Once a host is known to require auth, both downloaders authenticate preemptively. MavenArtifactDownloader gains additive ExecutionContext constructors, and JavaRewriteRpc passes its context through so the jar phase shares the cache warmed during POM resolution.

The first request to a private host costs one extra anonymous 401 probe before authenticating; the cache limits this to once per host per session, the same one-time cost Maven pays.

Test plan

  • MavenPomDownloaderTest#doesNotSendCredentialsWhenRepositoryServesAnonymously
  • MavenPomDownloaderTest#authenticatesPreemptivelyAfterCredentialsRequired
  • MavenArtifactDownloaderTest#retriesWithCredentialsWhenAnonymousReturns401, #retriesWithHttpHeaderAuthWhenAnonymousReturns401
  • MavenArtifactDownloaderTest#doesNotFallBackToAnonymousOnTransientClientError
  • MavenArtifactDownloaderTest#authenticatesPreemptivelyAfterFirstChallengeForSameHost
  • Full rewrite-maven module test suite
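The request flow the summary above describes, as an added illustration written for this page rather than code from the PR or from OpenRewrite: an anonymous request first, a retry with Basic credentials only when the server rejects the anonymous one, and a session-scoped host:port cache so a host that has challenged once is authenticated preemptively afterwards. The `Transport` seam, the `AuthenticationCache` class, the `isCredentialChallenge` helper and its choice of 401/403 as the "credentials required" statuses are assumptions of this example, and the two hosts in `main` are constructed stand-ins.

```java
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

/** Illustrative anonymous-first downloader with a per-session host:port auth cache (not OpenRewrite code). */
public final class AnonymousFirstDownloader {

    /** Minimal response model for the demo: status plus body. */
    public record Response(int status, String body) {}

    /** Transport seam so the demo runs without a network; a real client would issue the HTTP request here. */
    @FunctionalInterface
    public interface Transport {
        Response send(URI uri, String authorizationHeaderOrNull);
    }

    /** Session-scoped set of host:port endpoints that challenged an anonymous request. */
    public static final class AuthenticationCache {
        private final Set<String> endpoints = new HashSet<>();

        public boolean requiresAuth(URI uri) { return endpoints.contains(endpoint(uri)); }
        public void markRequiresAuth(URI uri) { endpoints.add(endpoint(uri)); }

        /** Key on host:port so two repositories on the same host but different ports are not conflated. */
        static String endpoint(URI uri) {
            int port = uri.getPort();
            if (port == -1) {
                port = "https".equalsIgnoreCase(uri.getScheme()) ? 443 : 80;
            }
            return uri.getHost() + ":" + port;
        }
    }

    private final Transport transport;
    private final AuthenticationCache cache;

    public AnonymousFirstDownloader(Transport transport, AuthenticationCache cache) {
        this.transport = transport;
        this.cache = cache;
    }

    /** Builds an RFC 7617 Basic credential header value. */
    public static String basic(String username, String password) {
        byte[] raw = (username + ":" + password).getBytes(StandardCharsets.UTF_8);
        return "Basic " + Base64.getEncoder().encodeToString(raw);
    }

    /** Assumption of this example: only 401 and 403 mean "credentials required"; other 4xx are returned unchanged. */
    static boolean isCredentialChallenge(int status) {
        return status == 401 || status == 403;
    }

    public Response download(URI uri, String credentialHeader) {
        // A host already known to require auth is authenticated preemptively: no second anonymous probe.
        if (credentialHeader != null && cache.requiresAuth(uri)) {
            return transport.send(uri, credentialHeader);
        }
        // Anonymous first: a repository that serves anonymously never sees the credentials.
        Response anonymous = transport.send(uri, null);
        if (credentialHeader == null || !isCredentialChallenge(anonymous.status())) {
            return anonymous; // success, 404, 429, 5xx: none of these is an auth problem worth a credentialed retry
        }
        cache.markRequiresAuth(uri);
        return transport.send(uri, credentialHeader);
    }

    public static void main(String[] args) {
        // Constructed demo transport: one host that serves anonymously, one that insists on Basic auth.
        String secret = basic("ci-user", "s3cret");
        Map<String, Integer> requests = new HashMap<>();
        Transport fake = (uri, auth) -> {
            requests.merge(uri.getHost() + (auth == null ? " anonymous" : " credentialed"), 1, Integer::sum);
            if (uri.getHost().equals("public.example")) {
                return new Response(200, "<project/>");
            }
            return secret.equals(auth) ? new Response(200, "<project/>") : new Response(401, "");
        };
        AnonymousFirstDownloader downloader = new AnonymousFirstDownloader(fake, new AuthenticationCache());

        downloader.download(URI.create("https://public.example/repo/a/1.0/a-1.0.pom"), secret);
        downloader.download(URI.create("https://private.example/repo/a/1.0/a-1.0.pom"), secret);
        downloader.download(URI.create("https://private.example/repo/a/1.0/a-1.0.jar"), secret);
        // The tally shows which host saw anonymous requests and which saw the credentials.
        System.out.println(requests);
    }
}
```

Running `main` shows the cost the description talks about: the public host only ever receives anonymous requests, and the private host receives exactly one anonymous probe (for the POM) before the JAR request goes out with credentials directly, because the cache shared between the two calls already knows that host:port requires authentication.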

Mirror Apache Maven Resolver's DeferredCredentialsProvider: issue POM,
metadata, reachability, jar-existence, and artifact requests without
credentials, and send Basic auth only once the server challenges an
anonymous request with a 4xx. Both downloaders previously applied
credentials preemptively, leaking them to repositories that serve
anonymously.

Split out applyTimeoutToRequest so anonymous requests keep their
timeouts without sending configured headers or credentials.
…robes

Add a session-scoped MavenAuthenticationCache on the ExecutionContext that
records repository endpoints (host:port) which challenged an anonymous
request. Once a host is known to require credentials, both
MavenPomDownloader and MavenArtifactDownloader authenticate preemptively
rather than paying another anonymous 401 round-trip, mirroring Apache Maven
Resolver's per-session BasicAuthCache.

MavenArtifactDownloader now accepts an ExecutionContext (additive
constructors; existing ones default to a per-instance context) so the JAR
phase shares the cache populated during POM resolution. JavaRewriteRpc
passes its context through.