Re: URL resolver ignores port numbers specified in Ivysettings credentials element

2024-03-18 Thread Stefan Bodewig
Hi Alex

On 2024-03-18, Alex Galvin wrote:

> However, Ant/Ivy errors out in this configuration, and I can see from
> logs that it is not using my credentials to authenticate to the server
> at port 8080. I fixed this issue by editing the host attribute of the
> credentials element to exclude the port number, simply writing
> host="localhost" rather than host="localhost:8080". While this
> behaviour does align with the technical meaning of "hostname" as a
> server located at an IP address (or several), to me it is
> counterintuitive as it implies that Ivy cannot access different URLs
> on the same host unless identical credentials are used for both.

> Is this a bug? If not, is there any way to specify credentials for
> each resolver with better-than-hostname granularity?

I've just had a quick look at the code. Here is how credentials are used
with Apache HttpClient:
https://github.com/apache/ant-ivy/blob/503aafc594b777ffb035a457ed341e31334c23a4/src/java/org/apache/ivy/util/url/HttpClientHandler.java#L381

It is the way you observed it: the port is not taken into account at
all. Neither is the URI scheme, so you wouldn't be able to pin
credentials to https only if you wanted to avoid leaking them over
unencrypted connections by accident.

It does take the Basic auth realm into account, though, so this may or
may not help in your case. Not that it would be of any help against
leaking credentials if the attacker can choose the realm.

I don't see any way to make the current version of Ivy use the port.

Cheers

Stefan
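
The scoping behaviour described in this reply, as an added example that is not part of the original thread and is not Ivy or HttpClient code: a small stand-alone model that compares a host-plus-realm credential match with one that is also pinned to URI scheme and port. The `Scope` record, the target URLs and the realm name are all hypothetical, constructed for illustration.

```java
import java.net.URI;
import java.util.List;

// Added illustration; a model of credential scoping, not Ivy's implementation.
public class CredentialScopeDemo {
    // Stored credential scope. A null scheme or a negative port means "any".
    record Scope(String scheme, String host, int port, String realm) {
        boolean matches(URI target, String challengeRealm) {
            return host.equalsIgnoreCase(target.getHost())
                && (realm == null || realm.equals(challengeRealm))
                && (scheme == null || scheme.equalsIgnoreCase(target.getScheme()))
                && (port < 0 || port == effectivePort(target));
        }
    }

    // Fall back to the scheme's default port when the URL does not name one.
    static int effectivePort(URI u) {
        if (u.getPort() != -1) return u.getPort();
        return "https".equalsIgnoreCase(u.getScheme()) ? 443 : 80;
    }

    public static void main(String[] args) {
        // Constructed sample data: one intended target and two unintended ones.
        String realm = "Repo Realm";
        List<URI> targets = List.of(
            URI.create("https://localhost:8080/repo/"),   // intended
            URI.create("http://localhost:8080/repo/"),    // same port, cleartext
            URI.create("http://localhost:9090/other/"));  // other service, same host

        // Host + realm only, as the reply describes for the current behaviour.
        Scope hostOnly = new Scope(null, "localhost", -1, realm);
        // Hypothetical stricter scope: also pinned to https and port 8080.
        Scope pinned = new Scope("https", "localhost", 8080, realm);

        for (URI t : targets) {
            // The realm comes from the server's challenge, so any service on
            // the host that presents the same realm satisfies a host-only scope.
            System.out.printf("%-32s hostOnly=%-5b pinned=%b%n",
                t, hostOnly.matches(t, realm), pinned.matches(t, realm));
        }
    }
}
```

In this model the host-only scope matches all three targets, while the pinned scope matches only the https URL on port 8080.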


URL resolver ignores port numbers specified in Ivysettings credentials element

2024-03-18 Thread Alex Galvin
Hello all,

I am in the process of adjusting our company's build process to host our 
artifacts in an internal Maven repository. I have an ivysettings.xml file with 
two resolvers: a 'download' ibiblio resolver pointed to our repository, and a 
URL resolver that PUTs the built artifacts in the repository after compilation. 
Both resolvers point to a Maven repository hosted locally on port 8080, and the 
file also has a credentials element for the host `localhost:8080`.

However, Ant/Ivy errors out in this configuration, and I can see from logs that 
it is not using my credentials to authenticate to the server at port 8080. I 
fixed this issue by editing the host attribute of the credentials element to 
exclude the port number, simply writing host="localhost" rather than 
host="localhost:8080". While this behaviour does align with the technical 
meaning of "hostname" as a server located at an IP address (or several), to me 
it is counterintuitive as it implies that Ivy cannot access different URLs on 
the same host unless identical credentials are used for both.

Is this a bug? If not, is there any way to specify credentials for each 
resolver with better-than-hostname granularity?

Thanks,
Alex Galvin