On 2023-03-20, Stefan Bodewig wrote:

> On 2023-03-20, Stefan Bodewig wrote:

>> Hi

>> On 2023-03-20, Kamran Manzoor wrote:

>>> Thanks a lot for looking into this. I thought the issue was request related
>>> but it is in response handling. It means it does trigger the request which
>>> I have verified and it seems like the auth header is missing :(. I have
>>> tried with default URL handler and even with older ivy version 2.4.0 with
>>> older commons-httpclient. Nothing seems to send the auth header with
>>> credentials :(. You may simply run this example i.e., *ant -verbose
>>> retrieve* and see the request captured here:
>>> https://beeceptor.com/console/ivytry

>> I believe this is because your service there doesn't require any
>> authentication at all. Apache HttpClient doesn't do preemptive
>> authentication, it only sends credentials when really necessary. This is
>> understandable from a security perspective. Why send credentials to
>> somebody who never wanted them in the first place?

>> So it performs an HTTP GET without any credentials and if this request
>> succeeds, that's it. And this happens with your beeceptor example.

>> You probably need to make beeceptor return 401 on the first request
>> answering with

>> WWW-Authenticate: Basic realm=Basic

>> or the configured credentials are not going to be ever used.

> Taking a closer look at Ivy's code, your credentials' configuration must
> exactly match what is returned by the server. So you should probably
> perform a curl unauthenticated request (or whatever HTTP client you
> prefer) and examine the response headers of the 401 response to know
> which realm and host to set. Leaving off the optional realm in
> <credentials> is only going to match WWW-Authenticate headers without
> any "realm" at all.

One final thing, I just found
https://developer.atlassian.com/server/bitbucket/how-tos/example-basic-authentication/

Take a look at the last paragraph. Ivy is a "http client software [that]
expects to receive an authentication challenge before it will send an
authorization header" - and currently there is no way to enforce
authentication.

At least this is true when using Apache HttpClient. I haven't checked
whether java.net.URLConnection ever consults the configured
Authenticator - but wouldn't be surprised if it doesn't do so by default
either.

Stefan
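
The challenge-then-credentials behaviour and the exact realm match discussed in this thread, as an added example that is not part of the original messages or of Ivy's code. Python's urllib stands in for Apache HttpClient here (an assumption for illustration: both wait for a 401 challenge and select credentials by realm); the local server, the realm name and the user/secret pair are constructed.

```python
import base64, re, threading, urllib.error, urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

REALM = "Sample Repo"  # constructed realm announced by the test server
AUTH = "Basic " + base64.b64encode(b"user:secret").decode()  # constructed credentials
SEEN = []  # Authorization header (or None) of every request the server received

class Challenge(BaseHTTPRequestHandler):
    def do_GET(self):
        SEEN.append(self.headers.get("Authorization"))
        ok = SEEN[-1] == AUTH
        self.send_response(200 if ok else 401)
        if not ok:  # without this challenge the client never sends credentials
            self.send_header("WWW-Authenticate", f'Basic realm="{REALM}"')
        self.send_header("Content-Length", "0")
        self.end_headers()
    def log_message(self, *args):  # keep the demo quiet
        pass

def no_proxy(*handlers):
    return urllib.request.build_opener(urllib.request.ProxyHandler({}), *handlers)

def challenge_realm(url):
    """Unauthenticated probe: realm named in the 401 challenge, else None."""
    try:
        no_proxy().open(url).close()
    except urllib.error.HTTPError as e:
        m = re.search(r'realm="([^"]*)"', e.headers.get("WWW-Authenticate", ""))
        return m.group(1) if e.code == 401 and m else None

def fetch(url, realm):
    """GET with credentials registered for `realm`; (status, headers server saw)."""
    SEEN.clear()
    mgr = urllib.request.HTTPPasswordMgr()  # looks credentials up by exact realm
    mgr.add_password(realm, url, "user", "secret")
    try:
        with no_proxy(urllib.request.HTTPBasicAuthHandler(mgr)).open(url) as r:
            return r.status, list(SEEN)
    except urllib.error.HTTPError as e:
        return e.code, list(SEEN)

def demo():
    srv = HTTPServer(("127.0.0.1", 0), Challenge)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    url = f"http://127.0.0.1:{srv.server_port}/"
    try:
        return challenge_realm(url), fetch(url, REALM), fetch(url, "other realm")
    finally:
        srv.shutdown()
        srv.server_close()
```

`demo()` returns the probed realm, then the result with a matching realm (first request without an Authorization header, second with it), then the result with a mismatched realm, where the credentials never leave the client.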
