Why do I get a 400 Bad Request error when downloading from Artifactory?

Guy Cohen
2020-02-24 16:45

Subject

Why do I get a 400 Bad Request error when trying to download or resolve artifacts?

Description

JFrog Artifactory SaaS, Artifactory on-premise with Direct Cloud Storage option (requires E+ license), or any setup that requires redirects may result in 400 error for downloads if the request is made from a few old HTTP clients which does not support redirects. For example, here is the response from an old cURL https client:

< HTTP/1.1 400 Bad Request
< x-amz-request-id:
< x-amz-id-2://=
< Content-Type: application/xml
< Transfer-Encoding: chunked
< Date: Wed, 24 Jul 2019 13:30:56 GMT
< Connection: close
< Server: AmazonS3
<
<?xml version="1.0" encoding="UTF-8"?>
* Closing connection 1
* TLSv1.2 (OUT), TLS alert, Client hello (1):
<Error><Code>InvalidArgument</Code><Message>Only one auth mechanism allowed; only the X-Amz-Algorithm query parameter,
Signature query string parameter or the Authorization header should be specified</Message><ArgumentName>
Authorization</ArgumentName><ArgumentValue>Bearer *****************************

As per our tests, old versions of cURL and old versions of wget, had this behavior. However, newer versions of these clients, served the request successfully.
Moreover, when using Gradle client to resolve from Maven repository type (not Gradle repo), the request will always fail regardless the version.

Cause:

This is happening due to supplement of more than one authentication types – Bearer/Basic Artifactory bound authentication is incorrectly forwarded to Amazon's S3 service from Artifactory.

Resolution

In order to overcome this error when using cURL, you need to upgrade the client version to 7.58.0 or above.
With 'wget', you need to upgrade the client to version 1.20.3 or above to overcome this error.

If you are using Gradle as your build tool, kindly refer to the published vulnerability which describes the issue and its fix in Gradle version 5.6.