ARTIFACTORY: How to Resolve Direct Cloud Download Failures in Maven Packages with an Unwanted Port Appended to the Redirect URL

ARTIFACTORY: How to Resolve Direct Cloud Download Failures in Maven Packages with an Unwanted Port Appended to the Redirect URL
Products
Frog_Artifactory
Content Type
Installation_Setup
AuthorFullName__c
Ino Choi
articleNumber
000006637
FirstPublishedDate
2025-09-21T15:03:31Z
lastModifiedDate
2025-09-21
VersionNumber
1
Introduction 

This article addresses a specific issue where Maven package downloads fail when Artifactory is configured with an Amazon S3 binary provider using the Direct Cloud Storage Download feature. The failure occurs when the <port> parameter is explicitly defined in the binarystore.xml configuration, which causes an unwanted port number to be appended to the pre-signed redirect URL. This leads to a signature mismatch error from AWS S3. While this configuration might not impact all package types (e.g., PyPI), it consistently causes issues for Maven clients.

The solution involves removing the explicit <port> declaration from the binarystore.xml file to allow Artifactory and S3 to use default port handling for pre-signed URLs.


Problem

When the S3 binary provider in binarystore.xml is configured with an explicit port, such as <port>443</port>, Artifactory generates a pre-signed download URL that includes the port number in the host.

For example: https://my-bucket.s3.amazonaws.com:443/...

The Maven client receives this URL and, when making the request, includes the port in the Host HTTP header (e.g., Host: my-bucket.s3.amazonaws.com:443). Maven then calculates its request signature based on this header.

However, the AWS S3 endpoint expects the Host header to be my-bucket.s3.amazonaws.com (without the standard 443 port for HTTPS) for its own signature calculation. This discrepancy causes the signatures to mismatch, and S3 rejects the request with the following error:
The request signature we calculated does not match the signature you provided.


Resolution 

The solution is to remove the <port> element from the S3 binary provider configuration within your binarystore.xml file. As noted in the official documentation, when a port is not specified, Artifactory defaults to port 443 for HTTPS connections (when useHttp is false) or 80 for HTTP connections (when useHttp is true). By removing the explicit tag, the pre-signed URL is generated without the port, resolving the Host header and signature mismatch.

Step-by-Step Instructions
  1. Locate and back up your binarystore.xml file. This file is typically found in $JFROG_HOME/artifactory/var/etc/artifactory/.
  2. Open binarystore.xml for editing.
  3. Find your S3 binary provider configuration block. It will look similar to the example below.
  4. Remove the <port>...</port> line entirely.

    Incorrect Configuration (Before):
    <provider id="s3-storage-v3" type="s3-storage-v3">
  <endpoint>s3.amazonaws.com</endpoint>
  <bucketName>my-artifactory-bucket</bucketName>
  <httpsOnly>true</httpsOnly>
  <useHttp>false</useHttp>
  <port>443</port>
  <identity>...</identity>
  <credential>...</credential>
</provider>

     

    Correct Configuration (After):
    <provider id="s3-storage-v3" type="s3-storage-v3">
  <endpoint>s3.amazonaws.com</endpoint>
  <bucketName>my-artifactory-bucket</bucketName>
  <httpsOnly>true</httpsOnly>
  <useHttp>false</useHttp>
  <identity>...</identity>
  <credential>...</credential>
</provider>


  5. Save the binarystore.xml file.
A full restart of the Artifactory service is required for this change to take effect. After restarting, test the Maven package download again to confirm the issue is resolved.