-
Notifications
You must be signed in to change notification settings - Fork 423
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Maven 3.9, unauthorized 401 when reaching MS AZURE repo with PAT #371
Comments
was this working before in maven:3.9 image ? |
"was this working before in maven:3.9 image ?" Tried 3.9.1, 3.9.2, 3.9 none of these works. The only difference in my Dockerfile is: Looks like to me 3.9.x was changed something comparing to 3.8.x |
you are saying Yes and no at the same time? it never worked in any 3.9., it only worked in 3.8. ?
You are comparing different docker images with different operating system and JVM, can you check the same JVM and different versions of maven? ie.
or any other jdk and version, but the same one, just changing the maven version You can check in the maven project, it doesn't look like a problem in the docker image though as it seems to be more in Maven itself |
"you are saying Yes and no at the same time?" "You are comparing different docker images with different operating system and JVM, can you check the same JVM and different versions of maven?" "it seems to be more in Maven itself" |
you can ask in maven-users mailing list https://maven.apache.org/mailing-lists.html |
The 401 Unauthorized messages can be misleading. I noticed them too when using a recent Maven version. It happens when Maven asks our GitLab for artifacts which are not present in that repository (for example, JUnit). But it seems only the warnings are new, not the denied requests. By default, when Maven tries to download an artifact, it asks each configured repository until the artifact is found. This leads to unnecessary requests and, under some circumstances with recent Maven, to those warnings. A way to avoid these unnecessary requests is to use remote repository filtering, introduced in Maven 3.9.0. See also MNG-6763: Restrict repositories to specific groupIds. Does your build actually fail and are you sure the 401 Unauthorized is the cause (sometimes my build failed and at first it seemed to be because of failed downloads, while the actual cause was something else)? Are the artifacts mentioned in the warnings present in the repository mentioned in the same line of output? |
Hello,
We are using maven docker image to build our app and deploy it as a docker image. Since 16.05.2023 we struggle with the following issue:
dockerfile:
FROM maven as app_builder --> so latest 3.9.x
{copy source files}
{copy settings.xml}
RUN mvn -s settings.xml clean package
We use MS AZURE for our jar repository. settings.xml contains its Personal Access Token auth credentials which is repo_id/token_name/token_value.
The outcome of this build is 401 Unauthorized once trying to download libs from the repo.
This is not the case when I am using:
FROM maven:3.8 as app_builder
or earlier.
This is not the case also when I am using my personal active directory credentials instead of PAT.
Building command:
podman build -t app:v1 -f ./Dockerfile
CentoOS 8 (curl is still <8)
podman v: 4.3.1
java 17.0.2
What might be the case here?
Is it related to the previous vulnerability: https://dso.docker.com/cve/CVE-2023-27536 I assume it is resolved in maven 3.9
The text was updated successfully, but these errors were encountered: