Authentication failure after upgrade to 11.0.0 with Maven

[mdvalk-quintor]

Describe the bug
Since version 11.0.0 Apache Httpclient is used for web requests instead of plain java.
Configuration properties suppressionFileUser and suppressionFilePassword are no longer respected. (and the alternative configuration using suppressionFileServerId is neither respected).
By intercepting the http request the owasp dependency-check maven plugin tries to make, we can verify that it skips authentication, even when authentication is provided by the user!

Version of dependency-check used
The problem occurs using version 11.0.0 of the maven plugin

Log file

org.owasp.dependencycheck.exception.ExceptionCollection: One or more exceptions occurred during analysis:
        InitializationException: Warn initializing the suppression analyzer: Failed to load http://localhost:8087/suppressions.xml, caused by Unable to fetch the configured suppression file. 
                caused by SuppressionParseException: Failed to load http://localhost:8087/suppressions.xml, caused by Unable to fetch the configured suppression file.

To Reproduce
Steps to reproduce the behavior:

1. Configure maven dependency-check plugin with the following:

<configuration>
    <suppressionFiles>
        <suppressionFile>http://localhost:8087/suppressions.xml</suppressionFile>
    </suppressionFiles>
    <suppressionFileUser>my-username</suppressionFileUser>
    <suppressionFilePassword>my-secret-password</suppressionFilePassword>
</configuration>

2. On linux run netcat listening on port 8087 to intercept traffic and see what authentication maven dependency-check plugin comes up with: nc -l 8087
3. Run mvn dependency-check:check
4. Check your netcat interceptor and you will see something along the lines of:

GET /suppressions.xml HTTP/1.1
Accept-Encoding: gzip, x-gzip, deflate
Host: localhost:8087
Connection: keep-alive
User-Agent: Apache-HttpClient/5.4 (Java/21.0.2)
Upgrade: TLS/1.2
Connection: Upgrade

5. We can see that the Authorization request header is missing!!

Expected behavior
For step 4 in the reproduction steps above, we expect to see the Authorization header present on the request... e.g.:

GET /suppressions.xml HTTP/1.1
Authorization: Basic ........
Accept-Encoding: gzip, x-gzip, deflate
Host: localhost:8087
Connection: keep-alive
User-Agent: Apache-HttpClient/5.4 (Java/21.0.2)
Upgrade: TLS/1.2
Connection: Upgrade

Other comments

• If you run the reproduction steps again, but this time switch the plugin version from 11.0.0 to version 10.0.4 and you will see the Authorization header is present in the requests!

[aikebah]

4. is expected on first request, as it does not do pre-emptive authentication. It should properly authenticate when challenged for it by the server (HTTP 401 authentication required response)

HttpClient is handed over the credentials for the hostedSuppressionUrl.

Can you check whether your server responds with the authentication challenge?

[mdvalk-quintor]

4. is expected on first request, as it does not do pre-emptive authentication. It should properly authenticate when challenged for it by the server (HTTP 401 authentication required response)

HttpClient is handed over the credentials for the hostedSuppressionUrl.

Can you check whether your server responds with the authentication challenge?

Thank you for the clarification.
The server does respond with an authentication challenge, but this challenge contains a <!DOCTYPE> declaration which is rejected / disallowed by the SAXParser:

org.xml.sax.SAXException: Line=3, Column=10: DOCTYPE is disallowed when the feature "http://apache.org/xml/features/disallow-doctype-decl" set to true.
    at org.owasp.dependencycheck.xml.suppression.SuppressionErrorHandler.fatalError (SuppressionErrorHandler.java:71)
    at com.sun.org.apache.xerces.internal.util.ErrorHandlerWrapper.fatalError (ErrorHandlerWrapper.java:181)
    at com.sun.org.apache.xerces.internal.impl.XMLErrorReporter.reportError (XMLErrorReporter.java:400)
    at com.sun.org.apache.xerces.internal.impl.XMLErrorReporter.reportError (XMLErrorReporter.java:327)
    at com.sun.org.apache.xerces.internal.impl.XMLScanner.reportFatalError (XMLScanner.java:1465)
    at com.sun.org.apache.xerces.internal.impl.XMLDocumentScannerImpl$PrologDriver.next (XMLDocumentScannerImpl.java:898)
    at com.sun.org.apache.xerces.internal.impl.XMLDocumentScannerImpl.next (XMLDocumentScannerImpl.java:605)
    at com.sun.org.apache.xerces.internal.impl.XMLNSDocumentScannerImpl.next (XMLNSDocumentScannerImpl.java:114)
    at com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl.scanDocument (XMLDocumentFragmentScannerImpl.java:542)
    at com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse (XML11Configuration.java:889)
    at com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse (XML11Configuration.java:825)

See the following curl request as example of the scenario rejected by SAXParser:
curl -Lv https://dev.azure.com/xxx/xxx/_apis/git/repositories/xxxx/items?path=/suppressions.xml

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html lang="en-US">
<head><title>
	
            Azure DevOps Services | Sign In

[aikebah]

Check the accompanying HTTP code, because given your stacktrace it looks more like that page gets served with an HTTP responsecode of the 2xx or 3xx range

[mdvalk-quintor]

Check the accompanying HTTP code, because given your stacktrace it looks more like that page gets served with an HTTP responsecode of the 2xx or 3xx range

Correct these are the response details:

< HTTP/2 302 
< www-authenticate: Basic realm="https://tfs.app.visualstudio.com/"
< www-authenticate: Bearer

When sending a request to Microsoft Azure DevOps without providing authentication credentials, it redirects to the login page using status code 302 while at the same time requesting authentication.

If you however do provide invalid credentials, the response is 401 in combination with an authentication challenge:

< HTTP/2 401 
< www-authenticate: Basic realm="https://tfs.app.visualstudio.com/"

Does this simply mean that this plugin no longer supports authentication to Microsoft Azure DevOps services?

[martijndebruijn]

I'm facing the same problems. Reverted the plugin to 10.0.4 and the DOCTYPE errors are gone.

Trying to download the suppression file from a Azure Devops url.

Any workaround available?

[mdvalk-quintor]

bump!

anybody willing to answer my question above? or @martijndebruijn 's question?

[jeremylong]

@aikebah any clue on this one?

[aikebah]

Need to finish up my local pending changes to make apache httpclient use pre-emptive auth, but basically the root cause appears to be the server misbehaving in the context of HTTP protocol (not giving an http 401, but redirecting with 302 to webbased authentication page so that httpclient's credentials lookup never kicks in)

Hope to finish that up later this week and put up a branch that hopefully someone can build a private snapshot from to validate my assumption that pre-emptive auth will solve the issue.

[jeremylong]

Thanks - I wanted to make sure someone had this, even if it is going to take a bit of time to solve.

[aikebah]

@mdvalk-quintor Would you be able to test a privately built snapshot from the fix/httpclient5 branch in your Azure Devops environment in order to verify that indeed adding pre-emptive auth solves the issues your CI runs into?

[ftiercelin]

@aikebah
I gave it a try:

1. pull fix/httpclient5
2. mvn install
3. create a server that sends a auth challenge with a HTTP-302 (instead of proper 401)
4. create a demo project with:

    <suppressionFiles>
        <suppressionFile>http://xxxxxxxxx:8080/basic302/suppressions.xml</suppressionFile>
    </suppressionFiles>
    <suppressionFileUser>my-username</suppressionFileUser>
    <suppressionFilePassword>my-secret-password</suppressionFilePassword>

5.mvn dependency-check:check

dependency-chek failed: InitializationException: Warn initializing the suppression analyzer: Failed to load http://xxxxxxxxx:8080/basic302/suppressions.xml, caused by Unable to fetch the configured suppression file.

Suppression server logs:

< No Authorization header provided for Basic 302
  > HTTP-302 FOUND
  > Content-Type: [application/xml]
  > WWW-Authenticate: [Basic realm="hosted suppressions"]
< No Authorization header provided for Basic 302
  > HTTP-302 FOUND
  > Content-Type: [application/xml]
  > WWW-Authenticate: [Basic realm="hosted suppressions"]

➫ it seems the client reacts to the challenge but still without the credentials

same project, with a server that returns 401 for the challenge, works:

< No Authorization header provided for Basic
  > HTTP-401 UNAUTHORIZED
  > Content-Type: [application/xml]
  > WWW-Authenticate: [Basic realm="hosted suppressions"]
< Authorization: Basic bXktdXNlcm5hbWU6bXktc2VjcmV0LXBhc3N3b3Jk
  > HTTP-200 OK
  > Content-Type: [application/xml]

if you want I can propose a PR to fix this, let me know

[aikebah]

@ftiercelin HostedSuppression credentials are currently only supported via the properties file, so it's logical that your attempt failed. The suppressionFileUser/Password are used for configuring the user suppression files (during suppression analyzer run) download's authentication.

[mathze]

@aikebah sorry but I'm confused by your comment #7108 (comment).
What do you mean by "hostedSuppression credentials are currently only supported via properties file"? From my understanding, downloading a file from a web-source, like azure or a git repo, through the suppressionFile property is a hosted suppression, isn't it? At least it worked with 10.0.4 in the gradle-plugin by providing suppressionFileUser/Password.
Does it mean this is no longer supported?

[aikebah]

Sorry for the confusion... browsing back in the comments... suppressionUser/Password should be usable for the mentioned usages to authenticate for the suppressionFiles.

I got distracted by the parallel conversations regarding a custom hostedSuppressions location (for the CLI using the advanced parameter --hostedSuppressionsUrl) - which some people need as internet connectivity to the public github hostedSuppressions file is blocked in their environment.

Authentication information for that hostedSuppressionsUrl can currently only be configured in the properties (as there are no configuration parameters in the various tools yet, but the core code is in to also allow user/password authentication for such a cached resource)

[aikebah]

Not sure how I managed to close this ticket unintentionally

[aikebah]

@aikebah I gave it a try:

1. pull `fix/httpclient5`

2. `mvn install`

3. create a server that sends a auth challenge with a HTTP-302 (instead of proper 401)

4. create a demo project with:

    <suppressionFiles>
        <suppressionFile>http://xxxxxxxxx:8080/basic302/suppressions.xml</suppressionFile>
    </suppressionFiles>
    <suppressionFileUser>my-username</suppressionFileUser>
    <suppressionFilePassword>my-secret-password</suppressionFilePassword>

5.mvn dependency-check:check

dependency-chek failed: InitializationException: Warn initializing the suppression analyzer: Failed to load http://xxxxxxxxx:8080/basic302/suppressions.xml, caused by Unable to fetch the configured suppression file.

@ftiercelin Can you double-check that you actually used the dependency-check that you just mvn installed?

I don't have a server stub to replay the whole, but have a squid-proxy in the middle, and with nothing is listening on port 80 of the configured host I get a proper pre-authenticated request in the proxy logs

<suppressionFiles>
    <suppressionFile>http://rajah.fritz.box/filter-me.xml</suppressionFile>
</suppressionFiles>
<suppressionFileUser>foo</suppressionFileUser>
<suppressionFilePassword>bar</suppressionFilePassword>

yields

2024/12/25 12:59:49.758| 11,2| client_side.cc(1358) parseHttpRequest: HTTP Client REQUEST:
---------
GET http://rajah.fritz.box/filter-me.xml HTTP/1.1
Accept-Encoding: gzip, x-gzip, deflate
Authorization: Basic Zm9vOmJhcg==
Host: rajah.fritz.box
User-Agent: Apache-HttpClient/5.4.1 (Java/21.0.5)
Upgrade: TLS/1.2
Connection: Upgrade

In my squid proxy logs (and following that results in a failure as there is still a bug lurking in the code with respect to proxy-authentication in case of suppression-file downloads with suppressionFile credentials specified, so it breaks on a proxy 407;

After fixing that up locally (still need to tidy it up a bit before pushing) it fails with a 503 due to proxy also being unable to connect to my server (as nothing is running on port 80)

GET http://rajah.fritz.box/filter-me.xml HTTP/1.1
Accept-Encoding: gzip, x-gzip, deflate
Authorization: Basic Zm9vOmJhcg==
Host: rajah.fritz.box
User-Agent: Apache-HttpClient/5.4.1 (Java/21.0.5)
Upgrade: TLS/1.2
Connection: Upgrade


----------
2024/12/25 14:07:48.880| 11,2| Stream.cc(279) sendStartOfMessage: HTTP Client conn1188 local=172.17.0.2:3128 remote=172.17.0.1:56794 FD 28 flags=1
2024/12/25 14:07:48.880| 11,2| Stream.cc(280) sendStartOfMessage: HTTP Client REPLY:
---------
HTTP/1.1 407 Proxy Authentication Required
Server: squid/5.9
Mime-Version: 1.0
Date: Wed, 25 Dec 2024 14:07:48 GMT
Content-Type: text/html;charset=utf-8
Content-Length: 3714
X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0
Vary: Accept-Language
Content-Language: en
Proxy-Authenticate: Basic realm="proxy"
X-Cache: MISS from 1a2d3642c820
X-Cache-Lookup: NONE from 1a2d3642c820:3128
Via: 1.1 1a2d3642c820 (squid/5.9)
Connection: keep-alive


----------
2024/12/25 14:07:48.883| 11,2| client_side.cc(1357) parseHttpRequest: HTTP Client conn1188 local=172.17.0.2:3128 remote=172.17.0.1:56794 FD 28 flags=1
2024/12/25 14:07:48.883| 11,2| client_side.cc(1358) parseHttpRequest: HTTP Client REQUEST:
---------
GET http://rajah.fritz.box/filter-me.xml HTTP/1.1
Authorization: Basic Zm9vOmJhcg==
Proxy-Authorization: Basic cHJveHk6aW5zZWN1cmU=
Host: rajah.fritz.box
User-Agent: Apache-HttpClient/5.4.1 (Java/21.0.5)
Upgrade: TLS/1.2
Connection: Upgrade


----------
2024/12/25 14:07:48.884| 11,2| Stream.cc(279) sendStartOfMessage: HTTP Client conn1188 local=172.17.0.2:3128 remote=172.17.0.1:56794 FD 28 flags=1
2024/12/25 14:07:48.884| 11,2| Stream.cc(280) sendStartOfMessage: HTTP Client REPLY:
---------
HTTP/1.1 503 Service Unavailable
Server: squid/5.9
Mime-Version: 1.0
Date: Wed, 25 Dec 2024 14:07:48 GMT
Content-Type: text/html;charset=utf-8
Content-Length: 3753
X-Squid-Error: ERR_CONNECT_FAIL 111
Vary: Accept-Language
Content-Language: en
X-Cache: MISS from 1a2d3642c820
X-Cache-Lookup: MISS from 1a2d3642c820:3128
Via: 1.1 1a2d3642c820 (squid/5.9)
Connection: keep-alive

[ftiercelin]

@aikebah ,
here is what I did.

1. pulled fix/httpclient5
2. modified all pom.xml so their version is 11.1.2-FIXHC5
3. mvn install
4. use the same version in my demo project for the dependency-check plugin: <version>11.1.2-FIXHC5</version>

I have a server with several endpoints, among them:

• /basic/suppressions.xml: expects a basic auth, replies with the normal HTTP-401 and WWW-Authenticate when no auth has been provided
• /basic302/suppressions.xml: expects a basic auth, replies with HTTP-302 and WWW-Authenticate when no auth has been provided

(none of the endpoints actually check the user/password, so the value of the b64 encoded string after Basic doesn't matter)

with the /basic/ endpoint, plugin exec succeeds, server logs are:

< No Authorization header provided for Basic
   > HTTP-401 UNAUTHORIZED
   > Content-Type: [application/xml]
   > WWW-Authenticate: [Basic realm="hosted suppressions"]
< Authorization: Basic bXktdXNlcm5hbWU6bXktc2VjcmV0LXBhc3N3b3Jk
   > HTTP-200 OK
   > Content-Type: [application/xml]

with the /basic302/ endpoint, plugin execution fails and server logs are:

< No Authorization header provided for Basic 302
   > HTTP-302 FOUND
   > Content-Type: [application/xml]
   > WWW-Authenticate: [Basic realm="hosted suppressions"]
< No Authorization header provided for Basic 302
   > HTTP-302 FOUND
   > Content-Type: [application/xml]
   > WWW-Authenticate: [Basic realm="hosted suppressions"]

[aikebah]

Decided to try and replicate with a very basic java HttpServer implementation (https://gist.github.com/aikebah/27844a6c792bf6744b2ad09368244245) and fail to reproduce what you observe.

My server logs indicate that it directly receives the basic auth:

>> GET /basic/filter-me.xml
Basic Auth Header seen; all headers were:
Accept-encoding: gzip, x-gzip, deflate
Connection: keep-alive
Connection: Upgrade
Host: localhost:8123
Upgrade: TLS/1.2
User-agent: Apache-HttpClient/5.4.1 (Java/21.0.5)
Authorization: Basic Zm9vOmJhcg==
>> GET /basic302/filter-me.xml
Basic Auth Header seen; all headers were:
Accept-encoding: gzip, x-gzip, deflate
Connection: keep-alive
Connection: Upgrade
Host: localhost:8123
Upgrade: TLS/1.2
User-agent: Apache-HttpClient/5.4.1 (Java/21.0.5)
Authorization: Basic Zm9vOmJhcg==

Are you sure that your stub-server processes all the headers?

[ftiercelin]

Hi @aikebah, it seems your execution is doing a preemptive auth, otherwise we would see first an unauthenticated error then the client retrying.
in your logs we can't see the "WWW Authenticate" being pushed back to client to elicit an authenticated call

Here are the full logs for a server that returns a HTTP-302:

2024-12-27 14:40:41 INFO  w.c.SuppressionsController - Headers for Basic302
2024-12-27 14:40:41 INFO  w.c.SuppressionsController -    <-- accept-encoding: gzip, x-gzip, deflate
2024-12-27 14:40:41 INFO  w.c.SuppressionsController -    <-- host: localhost:8080
2024-12-27 14:40:41 INFO  w.c.SuppressionsController -    <-- connection: keep-alive
2024-12-27 14:40:41 INFO  w.c.SuppressionsController -    <-- user-agent: Apache-HttpClient/5.4.1 (Java/17.0.13)
2024-12-27 14:40:41 INFO  w.c.SuppressionsController -    <-- upgrade: TLS/1.2
2024-12-27 14:40:41 INFO  w.c.SuppressionsController -    --> HTTP-302 FOUND
2024-12-27 14:40:41 INFO  w.c.SuppressionsController -    --> Content-Type: application/xml
2024-12-27 14:40:41 INFO  w.c.SuppressionsController -    --> WWW-Authenticate: Basic realm="hosted suppressions"
2024-12-27 14:40:41 INFO  w.c.SuppressionsController - Headers for Basic302
2024-12-27 14:40:41 INFO  w.c.SuppressionsController -    <-- accept-encoding: gzip, x-gzip, deflate
2024-12-27 14:40:41 INFO  w.c.SuppressionsController -    <-- host: localhost:8080
2024-12-27 14:40:41 INFO  w.c.SuppressionsController -    <-- connection: keep-alive
2024-12-27 14:40:41 INFO  w.c.SuppressionsController -    <-- user-agent: Apache-HttpClient/5.4.1 (Java/17.0.13)
2024-12-27 14:40:41 INFO  w.c.SuppressionsController -    <-- upgrade: TLS/1.2
2024-12-27 14:40:41 INFO  w.c.SuppressionsController -    --> HTTP-302 FOUND
2024-12-27 14:40:41 INFO  w.c.SuppressionsController -    --> Content-Type: application/xml
2024-12-27 14:40:41 INFO  w.c.SuppressionsController -    --> WWW-Authenticate: Basic realm="hosted suppressions"

and the logs for one that returns HTTP-401 with WWW-Authenticate:

2024-12-27 14:41:22 INFO  w.c.SuppressionsController - Headers for Basic
2024-12-27 14:41:22 INFO  w.c.SuppressionsController -    <-- accept-encoding: gzip, x-gzip, deflate
2024-12-27 14:41:22 INFO  w.c.SuppressionsController -    <-- host: localhost:8080
2024-12-27 14:41:22 INFO  w.c.SuppressionsController -    <-- connection: keep-alive
2024-12-27 14:41:22 INFO  w.c.SuppressionsController -    <-- user-agent: Apache-HttpClient/5.4.1 (Java/17.0.13)
2024-12-27 14:41:22 INFO  w.c.SuppressionsController -    <-- upgrade: TLS/1.2
2024-12-27 14:41:22 INFO  w.c.SuppressionsController -    --> HTTP-401 UNAUTHORIZED
2024-12-27 14:41:22 INFO  w.c.SuppressionsController -    --> Content-Type: application/xml
2024-12-27 14:41:22 INFO  w.c.SuppressionsController -    --> WWW-Authenticate: Basic realm="hosted suppressions"
2024-12-27 14:41:22 INFO  w.c.SuppressionsController - Headers for Basic
2024-12-27 14:41:22 INFO  w.c.SuppressionsController -    <-- authorization: Basic bXktdXNlcm5hbWU6bXktc2VjcmV0LXBhc3N3b3Jk
2024-12-27 14:41:22 INFO  w.c.SuppressionsController -    <-- host: localhost:8080
2024-12-27 14:41:22 INFO  w.c.SuppressionsController -    <-- connection: keep-alive
2024-12-27 14:41:22 INFO  w.c.SuppressionsController -    <-- user-agent: Apache-HttpClient/5.4.1 (Java/17.0.13)
2024-12-27 14:41:22 INFO  w.c.SuppressionsController -    <-- upgrade: TLS/1.2
2024-12-27 14:41:22 INFO  w.c.SuppressionsController -    --> HTTP-200 OK
2024-12-27 14:41:22 INFO  w.c.SuppressionsController -    --> Content-Type: application/xml

Would you be running your test with something like System.setProperty("httpclient.authentication.preemptive", "true"); (I don't think this works with HC5, but maybe there's something similar)
or would you be using a different branch than the one I have been testing?
The one I have been testing is: https://github.com/jeremylong/DependencyCheck/tree/fix/httpclient5 and hasn't been updated in last 2 weeks

[ftiercelin]

@aikebah, in case you'd like to test with the server I have been testing with: https://github.com/ftiercelin/SuppressionServer

[aikebah]

@ftiercelin the httpclient5 branch has code that by and of itself should pre-empt due to adding pre-initialized basic authentication to the authcache.

https://github.com/jeremylong/DependencyCheck/blame/f303c34e6d6fb3c896a1426f524815b75c16540b/utils/src/main/java/org/owasp/dependencycheck/utils/Downloader.java#L317-L319

Was the crux of the change on the httpclient5 branch with respect to pre-emptive authentication.

No clue why it works on my system but appears to do nothing on yours.

[aikebah]

Tried with your server stub... and that appears to also work fine for me

  <suppressionFiles>
      <suppressionFile>http://localhost:8080/basic/suppressions.xml?full</suppressionFile>
      <suppressionFile>http://localhost:8080/basic/suppressions.xml</suppressionFile>
      <suppressionFile>http://localhost:8080/basic302/suppressions.xml?full</suppressionFile>
      <suppressionFile>http://localhost:8080/basic302/suppressions.xml</suppressionFile>
  </suppressionFiles>
  <suppressionFileUser>foo</suppressionFileUser>
  <suppressionFilePassword>bar</suppressionFilePassword>

yields in the server

======================================================================

2024-12-27 18:05:04 INFO  w.WebServerApp - started
2024-12-27 18:05:17 INFO  w.c.SuppressionsController - Headers for Basic
2024-12-27 18:05:17 INFO  w.c.SuppressionsController -    <-- accept-encoding: gzip, x-gzip, deflate
2024-12-27 18:05:17 INFO  w.c.SuppressionsController -    <-- authorization: Basic Zm9vOmJhcg==
2024-12-27 18:05:17 INFO  w.c.SuppressionsController -    <-- host: localhost:8080
2024-12-27 18:05:17 INFO  w.c.SuppressionsController -    <-- connection: keep-alive
2024-12-27 18:05:17 INFO  w.c.SuppressionsController -    <-- user-agent: Apache-HttpClient/5.4.1 (Java/21.0.5)
2024-12-27 18:05:17 INFO  w.c.SuppressionsController -    <-- upgrade: TLS/1.2
2024-12-27 18:05:17 INFO  w.c.SuppressionsController -    --> HTTP-200 OK
2024-12-27 18:05:17 INFO  w.c.SuppressionsController -    --> Content-Type: application/xml

2024-12-27 18:05:17 INFO  w.c.SuppressionsController -    <-- Authorization: Basic Zm9vOmJhcg==
2024-12-27 18:05:17 INFO  w.c.SuppressionsController -    --> HTTP-200 OK
2024-12-27 18:05:17 INFO  w.c.SuppressionsController -    --> Content-Type: application/xml

2024-12-27 18:05:17 INFO  w.c.SuppressionsController - Headers for Basic302
2024-12-27 18:05:17 INFO  w.c.SuppressionsController -    <-- accept-encoding: gzip, x-gzip, deflate
2024-12-27 18:05:17 INFO  w.c.SuppressionsController -    <-- authorization: Basic Zm9vOmJhcg==
2024-12-27 18:05:17 INFO  w.c.SuppressionsController -    <-- host: localhost:8080
2024-12-27 18:05:17 INFO  w.c.SuppressionsController -    <-- connection: keep-alive
2024-12-27 18:05:17 INFO  w.c.SuppressionsController -    <-- user-agent: Apache-HttpClient/5.4.1 (Java/21.0.5)
2024-12-27 18:05:17 INFO  w.c.SuppressionsController -    <-- upgrade: TLS/1.2
2024-12-27 18:05:17 INFO  w.c.SuppressionsController -    --> HTTP-200 OK

2024-12-27 18:05:17 INFO  w.c.SuppressionsController -    --> Content-Type: application/xml
2024-12-27 18:05:17 INFO  w.c.SuppressionsController -    <-- Authorization: Basic Zm9vOmJhcg==
2024-12-27 18:05:17 INFO  w.c.SuppressionsController -    --> HTTP-200 OK
2024-12-27 18:05:17 INFO  w.c.SuppressionsController -    --> Content-Type: application/xml

Running on:

Apache Maven 3.9.9 (8e8579a9e76f7d015ee5ec7bfcdc97d260186937)
Java version: 21.0.5, vendor: Eclipse Adoptium
OS name: "mac os x", version: "14.6.1", arch: "aarch64", family: "mac"

Could it be that in some way you've disabled Apache HTTPClient AuthCache usage?

[ftiercelin]

Here, running on:

Apache Maven 3.6.3
Maven home: /usr/share/maven
Java version: 17.0.13, vendor: Ubuntu, runtime: /usr/lib/jvm/java-17-openjdk-amd64
Default locale: en, platform encoding: UTF-8
OS name: "linux", version: "5.15.153.1-microsoft-standard-wsl2", arch: "amd64", family: "unix"

Could it be that in some way you've disabled Apache HTTPClient AuthCache usage?
I wouldn't know how to do this 😄

Trying on another system to see if the same happens, but still fighting to build (can't recall all what I did on my main system to make the build to work)

[aikebah]

Could it be that in some way you've disabled Apache HTTPClient AuthCache usage? I wouldn't know how to do this 😄

Neither would I, still curious to learn how we can see different behaviour among our systems.

[aikebah]

Trying on another system to see if the same happens, but still fighting to build (can't recall all what I did on my main system to make the build to work)

A basic install skipping all tests (mvn install -DskipTests) should be easily achievable on any maven+java system IIRC... building with tests requires installs of several additional development tools - https://github.com/jeremylong/DependencyCheck?tab=readme-ov-file#development-prerequisites due to their use (invocation by analyzers) in test-cases

[ftiercelin]

thanks @aikebah for the tip on skipping the tests.

on my standard ubuntu machine, I can see the preemptive auth happening:

2024-12-30 10:44:10 INFO  w.c.SuppressionsController - Headers for Basic
2024-12-30 10:44:10 INFO  w.c.SuppressionsController -    <-- accept-encoding: gzip, x-gzip, deflate
2024-12-30 10:44:10 INFO  w.c.SuppressionsController -    <-- authorization: Basic bXktdXNlcm5hbWU6bXktc2VjcmV0LXBhc3N3b3Jk
2024-12-30 10:44:10 INFO  w.c.SuppressionsController -    <-- host: localhost:8080
2024-12-30 10:44:10 INFO  w.c.SuppressionsController -    <-- connection: keep-alive
2024-12-30 10:44:10 INFO  w.c.SuppressionsController -    <-- user-agent: Apache-HttpClient/5.4.1 (Java/17.0.13)
2024-12-30 10:44:10 INFO  w.c.SuppressionsController -    <-- upgrade: TLS/1.2
2024-12-30 10:44:10 INFO  w.c.SuppressionsController -    --> HTTP-200 OK
2024-12-30 10:44:10 INFO  w.c.SuppressionsController -    --> Content-Type: application/xml

Apache Maven 3.9.6 (bc0240f3c744dd6b6ec2920b3cd08dcc295161ae)
Maven home: /opt/apache-maven-3.9.6
Java version: 17.0.13, vendor: Ubuntu, runtime: /usr/lib/jvm/java-17-openjdk-amd64
Default locale: en_IE, platform encoding: UTF-8
OS name: "linux", version: "6.8.0-50-generic", arch: "amd64", family: "unix"

I also tried upgrading the maven version (in case) on my WSL Ubuntu:

Apache Maven 3.9.9 (8e8579a9e76f7d015ee5ec7bfcdc97d260186937)
Maven home: /opt/apache-maven-3.9.9
Java version: 17.0.13, vendor: Ubuntu, runtime: /usr/lib/jvm/java-17-openjdk-amd64
Default locale: en, platform encoding: UTF-8
OS name: "linux", version: "5.15.153.1-microsoft-standard-wsl2", arch: "amd64", family: "unix"

➫ still not providing the preemptive auth

[ftiercelin]

@aikebah I noticed you pushed some new code to fix/httpclient5 recently, among other things this new method:

    /**
     * Gets a HttpClientContext that supports pre-emptive authentication.
     * @return A HttpClientContext pre-configured with the authentication cache build from the settings.
     */
    public HttpClientContext getPreEmptiveAuthContext() {
        final HttpClientContext context = HttpClientContext.create();
        context.setCredentialsProvider(credentialsProvider);
        context.setAuthCache(authCache);
        return context;
    }

and

        final BasicScheme basicAuth = new BasicScheme();
        basicAuth.initPreemptive(creds);
        authCache.put(scopeHost, basicAuth);

this did the trick: with the latest code, I no longer have issues with missing preemptive authentication on any of my systems.

[aikebah]

@ftiercelin Those were in from the start; I've recently added a commit to fix-up the broken proxy authentication for the suppression files (as that setup was using a dedicated just-in-time authentication configuration but forgot to include the proxy auth when configured (either through http(s).* system properties or by way of settings properties for the same)).

The snippets you quote are indeed the main parts to make the httpclient5 pre-emptively authenticate. Good to see it now also succeeds fine for you.