For those versions of Artifactory that require redirects and make use of our Direct Cloud Storage option (i.e., Enterprise+, On-Premise, and JFrog's SaaS-based system), you may encounter a 400 bad request error. This happens to downloads when the request is made from some old HTTP clients, which do not support redirects. For example, here’s the response from an old cURL https client:
< HTTP/1.1 400 Bad Request < x-amz-request-id: < x-amz-id-2://= < Content-Type: application/xml < Transfer-Encoding: chunked < Date: Wed, 24 Jul 2019 13:30:56 GMT < Connection: close < Server: AmazonS3 < <?xml version="1.0" encoding="UTF-8"?> * Closing connection 1 * TLSv1.2 (OUT), TLS alert, Client hello (1): <Error><Code>InvalidArgument</Code><Message>Only one auth mechanism allowed; only the X-Amz-Algorithm query parameter, Signature query string parameter or the Authorization header should be specified</Message><ArgumentName> Authorization</ArgumentName><ArgumentValue>Bearer *****************************
As per our tests, old versions of cURL and old versions of wget produced this behavior (although newer versions of these clients served the request successfully). Moreover, when using a Gradle client to resolve from a Maven repository, the request will always fail regardless of the version.
Typically, only one authentication method is applied (bearer or basic). This error occurs because both are in play. As a result, Artifactory-bound authentication is incorrectly forwarded to Amazon's S3 service.
To resolve this error, when using cURL you’ll need to upgrade the client to version 7.58.0 or above. With wget, you’ll need to upgrade the client to version 1.20.3 or above. If you’re using Gradle as your build tool, have a look HERE at the published vulnerability, which describes this error issue in detail and its fix in version 5.6.
NOTE: When using wget client with version 1.21.3 (or the latest version), only the username and password work with the wget command. We will see 400 error when using --header="Authorization: Bearer <token>” even with the latest version of wget command.
Keywords: 400 bad request, Direct Cloud Storage