Maven 3.9.x intermittently sends unauthenticated CONNECT to proxy when using multiple artifact threads #1768

@Eyjafjallajokull-Roman

Affected version

3.9.0+

Bug description

Summary

When using Maven 3.9.x behind an HTTP proxy requiring Basic authentication (Squid), Maven intermittently sends CONNECT requests without Proxy-Authorization when running with default artifact resolution threads.

This results in intermittent 407 Proxy Authentication Required errors.
Limiting resolution to a single thread (-Dmaven.artifact.threads=1) makes the problem disappear.

The same setup works reliably with older Maven versions (3.8. and lower / Wagon-based resolver).

Environment:

  1. Maven: 3.9.11
  2. Java: 17
  3. OS: Windows 11 (Docker Desktop, Linux containers)
  4. Proxy: Squid 6.x with Basic auth required
  5. Transport: Maven Resolver HttpTransporter (default in 3.9.x)

Expected behavior:
All HTTP CONNECT requests sent through the proxy should include valid Proxy-Authorization headers once credentials are configured in settings.xml.
No unauthenticated CONNECT attempts should occur after proxy auth is configured.

Actual behavior:
When resolving artifacts in parallel (default behavior), Maven sometimes:

  1. Sends CONNECT without Proxy-Authorization
  2. Receives 407 Proxy Authentication Required
  3. Fails the build

Squid logs show requests like:
"CONNECT repo.maven.apache.org:443 HTTP/1.1" 407 ProxyAuth:- UA:Apache-Maven/3.9.11

Followed later by authenticated requests that succeed.
This does not occur when limiting resolver threads to 1.

Reproducer:
Full reproducer with Docker + Squid is available here:
https://github.com/Eyjafjallajokull-Roman/maven-proxy-auth-repro

It includes:

  1. Squid proxy requiring Basic auth
  2. Maven 3.9.11 container
  3. settings.xml with proxy auth
  4. Exact commands to reproduce

How to reproduce:

Ensure the Maven local repository is clean so artifacts are downloaded through the proxy (no cached artifacts in ~/.m2/repository).
Configure Maven to use an authenticated HTTP proxy (see provided settings.xml and Squid setup).

Run with default resolver threads:
mvn -U -X -s settings.xml clean verify

Observed:
Intermittent 407 Proxy Authentication Required errors.

Run with a single resolver thread:
mvn -U -X -Dmaven.artifact.threads=1 -s settings.xml clean verify

Observed:
Build succeeds and proxy authentication errors disappear.

Possible root cause:
It appears that concurrent artifact resolution in HttpTransporter causes some proxy connections to be established before authentication headers are attached, leading to unauthenticated CONNECT attempts.

Could you please advise:

  1. Whether this is expected behavior with the new transport?
  2. Whether proxy authentication is expected to be preemptive for CONNECT?
  3. And whether this might be a known issue or regression in Maven 3.9.x / Resolver?

I am happy to test patches or provide further diagnostics.

(All logs included in repro repo.)
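
One way to quantify the symptom from the proxy side, added here as an example (it is not part of the original report or the reproducer repository): a parser for the Squid log fragment quoted above that counts unauthenticated 407 CONNECTs against authenticated ones per client and target. The sample lines are constructed; the authenticated line form and the user name `builduser` are assumptions, since the issue only shows the 407 form.

```python
import re
from collections import defaultdict

# Matches the fragment of the custom Squid log format quoted in the issue:
#   "CONNECT host:port HTTP/1.1" <status> ProxyAuth:<user or -> UA:<agent>
LINE_RE = re.compile(
    r'"CONNECT (?P<target>\S+) HTTP/\d\.\d" (?P<status>\d{3}) '
    r'ProxyAuth:(?P<user>\S+) UA:(?P<ua>.+)$'
)

# Constructed sample lines. Only the first form (407, ProxyAuth:-) appears in the
# issue; the authenticated form and the user name "builduser" are assumptions.
SAMPLE_LOG = '''\
"CONNECT repo.maven.apache.org:443 HTTP/1.1" 407 ProxyAuth:- UA:Apache-Maven/3.9.11
"CONNECT repo.maven.apache.org:443 HTTP/1.1" 200 ProxyAuth:builduser UA:Apache-Maven/3.9.11
"CONNECT repo.maven.apache.org:443 HTTP/1.1" 407 ProxyAuth:- UA:Apache-Maven/3.9.11
"CONNECT repo.maven.apache.org:443 HTTP/1.1" 200 ProxyAuth:builduser UA:Apache-Maven/3.9.11
"CONNECT repo.maven.apache.org:443 HTTP/1.1" 200 ProxyAuth:builduser UA:Apache-Maven/3.9.11
"GET http://example.invalid/ HTTP/1.1" 200 ProxyAuth:builduser UA:curl/8.0
not a log line
'''

def summarize_connects(log_text):
    """Count CONNECT outcomes per (user agent, target)."""
    stats = defaultdict(lambda: {"unauth_407": 0, "authenticated": 0, "other": 0})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # non-CONNECT requests and malformed lines are ignored
        key = (m["ua"].strip(), m["target"])
        if m["status"] == "407" and m["user"] == "-":
            stats[key]["unauth_407"] += 1   # CONNECT arrived without credentials
        elif m["user"] != "-":
            stats[key]["authenticated"] += 1
        else:
            stats[key]["other"] += 1        # anonymous but not a 407
    return dict(stats)

def unauth_ratio(counts):
    """Share of CONNECTs that arrived without credentials and got a 407."""
    total = sum(counts.values())
    return counts["unauth_407"] / total if total else 0.0

if __name__ == "__main__":
    for (ua, target), c in summarize_connects(SAMPLE_LOG).items():
        print(f"{ua} -> {target}: {c} unauth ratio={unauth_ratio(c):.2f}")
```

Running it over the access log from a default-threads build and from a `-Dmaven.artifact.threads=1` build gives two ratios to compare directly.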
