On 2023-03-20, Stefan Bodewig wrote:

> Hi

> On 2023-03-20, Kamran Manzoor wrote:

>> Thanks a lot for looking into this. I thought the issue was request related
>> but it is in response handling. It means it does trigger the request which
>> I have verified and it seems like the auth header is missing :(. I have
>> tried with default URL handler and even with older ivy version 2.4.0 with
>> older commons-httpclient. Nothing seems to send the auth header with
>> credentials :(. You may simply run this example i.e., *ant -verbose
>> retrieve* and see the request captured here:
>> https://beeceptor.com/console/ivytry

> I believe this is because your service there doesn't require any
> authentication at all. Apache HttpClient doesn't do preemptive
> authentication, it only sends credentials when really necessary. This is
> understandable from a security perspective. Why send credentials to
> somebody who never wanted them in the first place.

> So it performs an HTTP GET without any credentials and if this request
> succeeds, that's it. And this happens with your beeceptor example.

> You probably need to make beeceptor return 401 on the first request
> answering with

> WWW-Authenticate: Basic realm=Basic

> or the configured credentials are not going to be ever used.

Taking a closer look at Ivy's code, your credentials' configuration must
exactly match what is returned by the server. So you should probably
perform an unauthenticated curl request (or whatever HTTP client you
prefer) and examine the response headers of the 401 response to know
which realm and host to set. Leaving off the optional realm in
<credentials> is only going to match WWW-Authenticate headers without
any "realm" at all.

Stefan
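
Added example, not part of the original message and not Ivy's own code: it reads the headers of an unauthenticated response (as printed by `curl -si`), reports whether the server issues a challenge at all, and builds the `<credentials>` element whose realm matches that challenge. The sample responses are constructed, and the host name, user name and password are placeholders.

```python
import re
from xml.sax.saxutils import quoteattr

# Constructed sample responses, not captured from a real server.
CHALLENGED = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "Content-Type: text/plain\r\n"
    'WWW-Authenticate: Basic realm="Artifact Repo"\r\n'
    "\r\n"
)
OPEN = "HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\n"
NO_REALM = "HTTP/1.1 401 Unauthorized\r\nwww-authenticate: Basic\r\n\r\n"

REALM_RE = re.compile(r'\brealm\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,]+))', re.I)

def parse_challenge(raw_headers):
    """Return (status, scheme, realm); scheme and realm are None when absent."""
    lines = raw_headers.split("\r\n\r\n", 1)[0].splitlines()
    status = int(lines[0].split()[1])
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() != "www-authenticate":
            continue
        scheme, _, params = value.strip().partition(" ")
        realm = None
        m = REALM_RE.search(params)
        if m and m.group(1) is not None:
            realm = re.sub(r"\\(.)", r"\1", m.group(1))  # unescape quoted-string
        elif m:
            realm = m.group(2)                           # unquoted token form
        return status, scheme, realm
    return status, None, None

def ivy_credentials(raw_headers, host, username="USER", passwd="SECRET"):
    """Build the matching <credentials> element, or return None when the
    server never asks for credentials (so the client never sends any)."""
    status, scheme, realm = parse_challenge(raw_headers)
    if status != 401 or scheme is None:
        return None
    attrs = [("host", host)]  # host: assumed to be the repository URL's host
    if realm is not None:     # leave realm off only if the server sent none
        attrs.append(("realm", realm))
    attrs += [("username", username), ("passwd", passwd)]
    return "<credentials " + " ".join(f"{k}={quoteattr(v)}" for k, v in attrs) + "/>"

if __name__ == "__main__":
    for sample in (CHALLENGED, OPEN, NO_REALM):
        print(ivy_credentials(sample, "repo.example.org"))
```

A `None` result corresponds to the situation described above: the request succeeds without a 401, so the configured credentials are never used.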
