Hi,

On Tue, Mar 20, 2012 at 11:28 PM, Olivier Lamy <[email protected]> wrote:
> BTW do we consider adding a warning in 3.0.5 if id != host and fail in 3.0.6
> or fail directly in 3.0.5

Why not deprecate the id entry then instead of forcing users to set both to the same value?

BTW, I don't see that preemptive authentication makes things worse regarding security because an attacker could answer with a 401 to get the credentials even without preemptive authentication.

However, use of preemptive authentication introduced a regression for us. Users had a server section in their settings.xml for our Nexus, but we later changed Nexus to allow anonymous access. Without preemptive authentication that worked because the unauthenticated access was successful. With preemptive, users received a 403 because the user/password combination wasn't valid any more.

Sascha
