bnd icon indicating copy to clipboard operation
bnd copied to clipboard
verified publisher icon bndtools

Connections Settings are not considering path of url (e.g. for new https://central.sonatype.com)

Open maho7791 opened this issue 6 months ago • 5 comments

At first the new URLs for snapshots moved to:

https://central.sonatype.com/repository/maven-snapshots

If you have connection settings defined the upload works as usual.

But when you want to retrieve snapshots from "https://central.sonatype.com/repository/maven-snapshots", bnd uses the connection settings to get the artifacts.

The problem is now with the new repository, that if you request data without credentials, you can access al artifacts. But if you are logged in, you are only able to access artifacts, you have uploaded.

I dont have a solution yet, but I think about something like a property auth=false at a repository definition:

-plugin.2.Central: \
    aQute.bnd.repository.maven.provider.MavenBndRepository; \
	releaseUrl			= "https://repo.maven.apache.org/maven2/"; \
	snapshotUrl			= "https://central.sonatype.com/repository/maven-snapshots/";\
        index=${.}/central.mvn; \
        readOnly=true; \
        **auth=false;\**
        name="Central"

This should lead, not to take the connection settings when reading the snapshots. I am not sure if it is a good ideo to bind it to the readOnly property, because it might be a use case that you need credentials for a nexus even for read only acces.

maho7791 avatar Aug 08 '25 08:08 maho7791

@peterkir

chrisrueger avatar Aug 08 '25 09:08 chrisrueger

@maho7791 do you think it is worth bringing that up as a question in https://community.sonatype.com/c/central-repository/60 ?

chrisrueger avatar Aug 08 '25 10:08 chrisrueger

Maybe.

The cause of this issue is more that bnd identifies the credential usage on the hostname / url.

The old repos for maven central deploy (snapshots and releases) have been https://oss.sonatype.org/something which is fine for credential setting on "oss.sonatype.org". When retrieving artifact from https://repo1.maven.org/maven2/ everything is fine.

But now the deploy urls are https://central.sonatype.com/ and for snapshots https://central.sonatype.com/repository/maven-snapshots/. When you retrieve artifacts, you can also use https://central.sonatype.com, which then leads to the situation, where your are logged in and are only able to see you own stuff.

Even if I have several repositories defined. As long as they use the central.sonatype.com, the login settings always hook in, even if I dont want this. Thats why I thinks its more a point on our side.

maho7791 avatar Aug 08 '25 11:08 maho7791

Ok understood. I think this credential usage on the hostname / url issue came up recently in a bnd call with @peterkir and @pkriens too.

My proposal to bring it up at https://community.sonatype.com/c/central-repository/60 additionally is, that this stateful behavior of the URLs is maybe nowhere documented. Maybe they are not aware of it?

But anyway you are right, that the current tying of connection settings only on hostname and port does not work well in this new structure.

Linking https://github.com/bndtools/bnd/pull/6738 since it might be related

chrisrueger avatar Aug 08 '25 12:08 chrisrueger

I'm working on a fix for this. But keep in mind that for successful release deployments we also need to merge #6738 Before that you won't be able to do releases. And also keep in mind that authentication is switched to bearer token instead of user/pw.

peterkir avatar Aug 11 '25 14:08 peterkir