Hi Alex

On 2024-03-18, Alex Galvin wrote:

> However, Ant/Ivy errors out in this configuration, and I can see from
> logs that it is not using my credentials to authenticate to the server
> at port 8080. I fixed this issue by editing the host attribute of the
> credentials element to exclude the port number, simply writing
> host="localhost" rather than host="localhost:8080". While this
> behaviour does align with the technical meaning of "hostname" as a
> server located at an IP address (or several), to me it is
> counterintuitive as it implies that Ivy cannot access different URLs
> on the same host unless identical credentials are used for both.

> Is this a bug? If not, is there any way to specify credentials for
> each resolver with better-than-hostname granularity?

I've just had a quick look at the code. Here is how credentials are used
with Apache HttpClient:
https://github.com/apache/ant-ivy/blob/503aafc594b777ffb035a457ed341e31334c23a4/src/java/org/apache/ivy/util/url/HttpClientHandler.java#L381

It is the way you observed it, the port is not taken into account at
all. Neither is the URI scheme so you wouldn't be able to pin
credentials to https only if you wanted to avoid leaking them over
unencrypted connections by accident.

It does take the Basic auth realm into account, though, so this may or
may not help in your case. Not that it would be of any help against
leaking credentials if the attacker can choose the realm.

I don't see any way to make the current version of Ivy use the port.

Cheers

        Stefan
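
The lookup behaviour described in the message above, as an added example that is not part of the original message and is not Ivy's code: a JDK-only model comparing a credential lookup keyed on realm and host with a hypothetical one keyed on URI scheme, host, port and realm. All class, method and map names, the realm strings, the user name and the ports 8443 and 9999 are constructed for illustration.

```java
import java.net.URI;
import java.util.HashMap;
import java.util.Locale;
import java.util.Map;
import java.util.Optional;

public class CredentialScopeDemo {
    // Model of the behaviour described above: keyed on realm and host only.
    static final Map<String, String> BY_REALM_AND_HOST = new HashMap<>();
    // Hypothetical stricter store: keyed on URI scheme, host, port and realm.
    static final Map<String, String> BY_FULL_SCOPE = new HashMap<>();

    // Resolve the port a request really goes to when the URL omits it.
    static int effectivePort(URI u) {
        if (u.getPort() != -1) return u.getPort();
        return "https".equalsIgnoreCase(u.getScheme()) ? 443 : 80;
    }

    static Optional<String> hostOnlyLookup(URI target, String realm) {
        String key = realm + "@" + target.getHost().toLowerCase(Locale.ROOT);
        return Optional.ofNullable(BY_REALM_AND_HOST.get(key));
    }

    static Optional<String> fullScopeLookup(URI target, String realm) {
        String key = target.getScheme().toLowerCase(Locale.ROOT) + "://"
                + target.getHost().toLowerCase(Locale.ROOT) + ":"
                + effectivePort(target) + "#" + realm;
        return Optional.ofNullable(BY_FULL_SCOPE.get(key));
    }

    public static void main(String[] args) {
        // Constructed sample data; the user name stands in for a full credential.
        BY_REALM_AND_HOST.put("Repo@localhost", "deploy-user");
        BY_FULL_SCOPE.put("https://localhost:8443#Repo", "deploy-user");

        String[][] requests = {
            {"https://localhost:8443/repo/a.jar", "Repo"},  // intended target
            {"http://localhost:8080/repo/a.jar", "Repo"},   // other port, cleartext
            {"http://localhost:9999/other/b.jar", "Repo"},  // other service, same realm string
            {"https://localhost:8443/repo/a.jar", "Other"}, // realm differs
        };
        for (String[] r : requests) {
            URI u = URI.create(r[0]);
            System.out.printf("%-36s realm=%-6s hostOnly=%-12s fullScope=%s%n",
                    r[0], r[1], hostOnlyLookup(u, r[1]).orElse("-"),
                    fullScopeLookup(u, r[1]).orElse("-"));
        }
    }
}
```

The realm is supplied by the responding server, so in this model the realm check only separates credentials between servers that report different realm strings.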
