ARTIFACTORY: Why downloads rejected with a 403 "download blocking policy" error on the source instance return a 404 error through a Smart Remote Repository

Author: Yonatan Hen
Article number: 000005894
First published: 2023-10-19T14:47:27Z
Last modified: 2025-07-20
Version: 3

Issue Description

When retrieving artifacts from an Artifactory instance that has Xray configured and the "Block Download"/"Block unused artifacts" option enabled in a Policy, the expected behavior is that the download is blocked, as shown below:

curl -u username http://ARTIFACTORY_URL/artifactory/<repository name>/<path to file>

{
"errors" : [ {
"status" : 403,
"message" : "The request to download the artifact was rejected: <path to file> was not downloaded due to the download blocking policy configured at <ARTIFACTORY_URL>."
} ]
}


However, when the same artifacts are resolved through a Smart Remote Repository that points to the same repository in the Artifactory instance mentioned above, a "404" error is returned instead of the original 403 message:

curl -u username http://ARTIFACTORY_URL/artifactory/<smart remote repository name>/<path to file>

{
"errors" : [ {
"status" : 404,
"message" : "Forbidden"
} ]
}

Mitigation Steps

Starting from Artifactory version 7.68.0, you can enable the following property in the $JFROG_HOME/artifactory/var/etc/artifactory/artifactory.system.properties file on the instance used to send the download request to the Smart Remote Repository. This will ensure that the Smart Remote Repository returns the appropriate status and error message:

artifactory.xray.remote.validation=true


After enabling this property and restarting the Artifactory instance, the "404" message should be replaced with the following output:

{
"errors" : [ {
"status" : 403,
"message" : "Blocked by Xray"
} ]
}


*For more information, refer to RTFACT-29813.
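
The following is an added example, not JFrog code: a small classifier a CI job could run over the JSON error bodies shown above, so that a 404 whose message is "Forbidden" is treated as a policy block rather than a missing artifact. The function names and labels are hypothetical, the "File not found." body is a constructed sample, and matching on the message text is a heuristic based only on the outputs quoted in this article.

```python
import json

# Error bodies quoted in this article (placeholders kept as-is).
SOURCE_403 = ('{"errors": [{"status": 403, "message": "The request to download '
              'the artifact was rejected: <path to file> was not downloaded due '
              'to the download blocking policy configured at <ARTIFACTORY_URL>."}]}')
SMART_REMOTE_404 = '{"errors": [{"status": 404, "message": "Forbidden"}]}'
SMART_REMOTE_FIXED = '{"errors": [{"status": 403, "message": "Blocked by Xray"}]}'
# Constructed sample of an ordinary missing-artifact reply (assumption).
PLAIN_404 = '{"errors": [{"status": 404, "message": "File not found."}]}'

BLOCK_LABELS = {"blocked-at-source", "blocked-via-smart-remote", "masked-block"}


def classify(body: str) -> str:
    """Map an Artifactory JSON error body to a label a pipeline can act on."""
    try:
        errors = json.loads(body).get("errors", [])
    except (json.JSONDecodeError, AttributeError):
        return "unparseable"
    first = errors[0] if isinstance(errors, list) and errors else None
    if not isinstance(first, dict):
        return "unparseable"
    status = first.get("status")
    message = str(first.get("message", "")).lower()
    if status == 403 and "download blocking policy" in message:
        return "blocked-at-source"
    if status == 403 and "blocked by xray" in message:
        return "blocked-via-smart-remote"
    if status == 404 and message == "forbidden":
        # Status says "missing" but the message says "denied": the masked
        # block seen when artifactory.xray.remote.validation is not enabled.
        return "masked-block"
    if status == 404:
        return "not-found"
    return "other"


def is_block(body: str) -> bool:
    """True when the reply is a policy block, including the masked 404 form."""
    return classify(body) in BLOCK_LABELS


if __name__ == "__main__":
    for name in ("SOURCE_403", "SMART_REMOTE_404", "SMART_REMOTE_FIXED", "PLAIN_404"):
        print(f"{name:20} -> {classify(globals()[name])}")
```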