[
https://issues.apache.org/jira/browse/IVY-1280?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18088689#comment-18088689
]
Stefan Bodewig commented on IVY-1280:
-------------------------------------
I'm obviously late to the discussion. :-) - I'm not requesting changes, just
voicing opinions.

What bothers me a bit about the concrete patch is its global nature, you enable
it for all connections with credentials, not selectively just for one host.
Maybe having the setting where credentials are configured would be better. And
while I am in wish-land it would be great if I could also set that credentials
must not be sent with unencrypted requests (which would be a separate issue),
pre-emptive or not.

Small nits: Even if digest shares the cache with basic auth, preemptive auth
cannot work as it is a challenge response scheme. Bearer Tokens could also
technically use preemptive authentication, but Ivy doesn't support that. And
the link to the httpclient docs has moved by now to
https://hc.apache.org/httpcomponents-client-4.5.x/current/tutorial/html/authentication.html#d5e717
> Ivy does not keep track of HTTP session when BASIC authentication is used
> -------------------------------------------------------------------------
>
> Key: IVY-1280
> URL: https://issues.apache.org/jira/browse/IVY-1280
> Project: Ivy
> Issue Type: Improvement
> Components: Core
> Affects Versions: 2.2.0
> Environment: Any
> Reporter: Anders Jacobsson
> Priority: Minor
>
> When publishing through <ant:publish>, each PUT request towards the URL
> resolver (Artifactory, protected with BASIC authentication) seems to be
> duplicated, the first request without any authorization header and the second
> one with. This creates unnecessary network traffic and increases build time.
> Ivy should keep track of any established HTTP session and reuse that one,
> i.e. only the very first request is duplicated.
> I am using Commons HttpClient.
> An alternative would be to expose preemptive authentication so that it is
> configurable. It is less secure but still useful as it would probably mostly
> be used for internal resolvers.
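
The two wishes in the comment above (preemptive authentication enabled per host rather than globally, and credentials never sent with unencrypted requests), sketched against the HttpClient 4.5 API as an added example. This is not Ivy's code or the patch under discussion; `ScopedPreemptiveAuth`, `contextFor` and its parameters are hypothetical names.

```java
import java.net.URI;
import org.apache.http.HttpHost;
import org.apache.http.auth.AuthScope;
import org.apache.http.auth.UsernamePasswordCredentials;
import org.apache.http.client.AuthCache;
import org.apache.http.client.CredentialsProvider;
import org.apache.http.client.protocol.HttpClientContext;
import org.apache.http.impl.auth.BasicScheme;
import org.apache.http.impl.client.BasicAuthCache;
import org.apache.http.impl.client.BasicCredentialsProvider;

public final class ScopedPreemptiveAuth {

    /**
     * Builds the per-request context for one URI (hypothetical helper).
     * Credentials are attached only if the URI is https AND its host is the one
     * the credentials were configured for. Preemptive Basic is a further opt-in
     * for that single host, not a global switch.
     */
    static HttpClientContext contextFor(URI uri, String credHost, String user,
                                        String password, boolean preemptive) {
        HttpClientContext ctx = HttpClientContext.create();
        // Always install a provider so the client's default one is not used instead.
        CredentialsProvider creds = new BasicCredentialsProvider();
        ctx.setCredentialsProvider(creds);

        boolean encrypted = "https".equalsIgnoreCase(uri.getScheme());
        boolean hostMatches = credHost.equalsIgnoreCase(uri.getHost());
        if (!encrypted || !hostMatches) {
            return ctx; // empty provider: no credentials, even in reply to a 401
        }

        int port = uri.getPort() != -1 ? uri.getPort() : 443;
        HttpHost target = new HttpHost(uri.getHost(), port, "https");
        // Scope to host and port, so other hosts and ports never match.
        creds.setCredentials(new AuthScope(target.getHostName(), target.getPort()),
                new UsernamePasswordCredentials(user, password));

        if (preemptive) {
            // Seeding the auth cache makes the first request carry the header.
            // Basic only: Digest needs the server's challenge before it can answer.
            AuthCache cache = new BasicAuthCache();
            cache.put(target, new BasicScheme());
            ctx.setAuthCache(cache);
        }
        return ctx;
    }
}
```

The returned context is passed to `HttpClient.execute(request, context)`. With `preemptive` false the same host still authenticates, but only after the server's 401, which is the duplicated request the issue describes.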