Re: NullPointerException while resolving dependency

2023-03-20 Thread Stefan Bodewig 
On 2023-03-20, Stefan Bodewig wrote:

> On 2023-03-20, Stefan Bodewig wrote:

>> Hi

>> On 2023-03-20, Kamran Manzoor wrote:

>>> Thanks a lot for looking into this. I thought the issue was request related
>>> but it is in response handling. It means it does trigger the request which
>>> I have verified and it seems like the auth header is missing :(. I have
>>> tried with default URL handler and even with older ivy version 2.4.0 with
>>> older commons-httpclient. Nothing seems to send the auth header with
>>> credentials :(. You may simply run this example i.e., *ant -verbose
>>> retrieve* and see the request captured here:
>>> *https://beeceptor.com/console/ivytry
>>>  *

>> I believe this is because your service there doesn't require any
>> authentcation at all. Apache HttpClient doesn't do preemptive
>> authentication, it only sends credentials when really necessary. This is
>> understandable from a security perspective. Why send credentials to
>> somebody who never wanted them in the first place.

>> So it performs an HTTP GET without any credentials and if this request
>> succeeds, that's it. And this happens with your beeceptor example.

>> You probably need to make beeceptor return 401 on the first request
>> answering with

>> WWW-Authenticate: Basic realm=Basic

>> or the configured credentials are not going to be ever used.

> Taking a closer look at Ivy's code, your credentials' configuration must
> exactly match what is returned by the server. So you should probably
> perform an curl unauthenticated request (or whatever HTTP client you
> prefer) and examine the response headers of the 401 response to know
> which realm and host to set. Leaving off the optional realm in
>  is only going to match WWW-Authenticate headers without
> any "realm" at all.

One final thing, I just found
https://developer.atlassian.com/server/bitbucket/how-tos/example-basic-authentication/

Take a look at the last paragraph. Iyv is a "http client software [that]
expects to receive an authentication challenge before it will send an
authorization header" - and currently there is no way to enforce
authentication.

At least this is true when using Apache HttpClient. I haven't checked
whether java.net.URLConnection ever consults the configured
Authenticator - but wouldn't be surprised if it doesn't do so by default
either.

Stefan

Re: NullPointerException while resolving dependency

2023-03-20 Thread Stefan Bodewig 
On 2023-03-20, Stefan Bodewig wrote:

> Hi

> On 2023-03-20, Kamran Manzoor wrote:

>> Thanks a lot for looking into this. I thought the issue was request related
>> but it is in response handling. It means it does trigger the request which
>> I have verified and it seems like the auth header is missing :(. I have
>> tried with default URL handler and even with older ivy version 2.4.0 with
>> older commons-httpclient. Nothing seems to send the auth header with
>> credentials :(. You may simply run this example i.e., *ant -verbose
>> retrieve* and see the request captured here:
>> *https://beeceptor.com/console/ivytry
>>  *

> I believe this is because your service there doesn't require any
> authentcation at all. Apache HttpClient doesn't do preemptive
> authentication, it only sends credentials when really necessary. This is
> understandable from a security perspective. Why send credentials to
> somebody who never wanted them in the first place.

> So it performs an HTTP GET without any credentials and if this request
> succeeds, that's it. And this happens with your beeceptor example.

> You probably need to make beeceptor return 401 on the first request
> answering with

> WWW-Authenticate: Basic realm=Basic

> or the configured credentials are not going to be ever used.

Taking a closer look at Ivy's code, your credentials' configuration must
exactly match what is returned by the server. So you should probably
perform an curl unauthenticated request (or whatever HTTP client you
prefer) and examine the response headers of the 401 response to know
which realm and host to set. Leaving off the optional realm in
 is only going to match WWW-Authenticate headers without
any "realm" at all.

Stefan

Re: NullPointerException while resolving dependency

2023-03-20 Thread Stefan Bodewig 
Hi

On 2023-03-20, Kamran Manzoor wrote:

> Thanks a lot for looking into this. I thought the issue was request related
> but it is in response handling. It means it does trigger the request which
> I have verified and it seems like the auth header is missing :(. I have
> tried with default URL handler and even with older ivy version 2.4.0 with
> older commons-httpclient. Nothing seems to send the auth header with
> credentials :(. You may simply run this example i.e., *ant -verbose
> retrieve* and see the request captured here:
> *https://beeceptor.com/console/ivytry
>  *

I believe this is because your service there doesn't require any
authentcation at all. Apache HttpClient doesn't do preemptive
authentication, it only sends credentials when really necessary. This is
understandable from a security perspective. Why send credentials to
somebody who never wanted them in the first place.

So it performs an HTTP GET without any credentials and if this request
succeeds, that's it. And this happens with your beeceptor example.

You probably need to make beeceptor return 401 on the first request
answering with

WWW-Authenticate: Basic realm=Basic

or the configured credentials are not going to be ever used.

Stefan

RE: Re: NullPointerException while resolving dependency

2023-03-20 Thread Kamran Manzoor 
Hi Stefan,

Thanks a lot for looking into this. I thought the issue was request related
but it is in response handling. It means it does trigger the request which
I have verified and it seems like the auth header is missing :(. I have
tried with default URL handler and even with older ivy version 2.4.0 with
older commons-httpclient. Nothing seems to send the auth header with
credentials :(. You may simply run this example i.e., *ant -verbose
retrieve* and see the request captured here:
*https://beeceptor.com/console/ivytry
 *

I have spent quite some time without luck but I might be doing something
wrong. I would greatly appreciate any pointers.

Kind Regards,
Kamran Manzoor

On 2023/03/17 12:00:23 Stefan Bodewig wrote:
> On 2023-03-17, Stefan Bodewig wrote:
>
> > On 2023-03-17, Stefan Bodewig wrote:
>
> >> and will open a JIRA ticket attaching oyur files when using Apache
> >> HttpClient.
>
> > https://issues.apache.org/jira/browse/IVY-1641
>
> should be fixed by
>
https://github.com/apache/ant-ivy/commit/c63ce79f52133857d1146cd2335d51178714effd
>
> Stefan
>