Stefan Bodewig created IVY-1668:
-----------------------------------
Summary: Allow Credentials to be Restricted by Scheme
Key: IVY-1668
URL: https://issues.apache.org/jira/browse/IVY-1668
Project: Ivy
Issue Type: Improvement
Components: Core
Affects Versions: 2.5.3
Reporter: Stefan Bodewig
Right now credentials in Ivy's settings can be restricted by host and realm but
not by URI scheme, which may lead to sending credentials over unencrypted
network connections.
I think we should add an (optional) scheme to the credentials and only use the
credential if the URI's scheme matches when it is configured. And we should
probably strongly recommend setting it to https. One could even argue https
should be the default and people would need to set it to "any" or something
like this to use credentials for all schemes.
If Ivy added preemptive authentication (see IVY-1280) the realm would be
ignored there as Ivy doesn't know the realm without ever seeing an Unauthorized
response with `WWW-Authenticate` header, removing one layer of protection.
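A sketch of the lookup the issue proposes, added here as an illustration; it is not Ivy's code and not part of the original report. The class, record and method names are hypothetical, the "https" default and the "any" value follow the options floated in the issue, and the hosts and credentials are constructed sample data.

```java
import java.net.URI;
import java.util.ArrayList;
import java.util.List;
import java.util.Optional;

// Hypothetical sketch, not Ivy's credentials store: all names here are assumptions.
public class SchemeScopedCredentials {
    // scheme defaults to "https"; "any" opts in to every scheme (both as floated in the issue).
    record Credential(String host, String realm, String scheme, String user, String password) {
        Credential(String host, String realm, String user, String password) {
            this(host, realm, "https", user, password);
        }
    }

    private final List<Credential> store = new ArrayList<>();

    void add(Credential c) { store.add(c); }

    // realm == null models preemptive authentication: no Unauthorized response with
    // WWW-Authenticate has been seen, so only host and scheme can restrict the match.
    Optional<Credential> lookup(URI target, String realm) {
        String scheme = target.getScheme();
        String host = target.getHost();
        if (scheme == null || host == null) {
            return Optional.empty();
        }
        return store.stream()
                .filter(c -> c.host().equalsIgnoreCase(host))
                .filter(c -> realm == null || c.realm().equals(realm))
                .filter(c -> "any".equalsIgnoreCase(c.scheme()) || c.scheme().equalsIgnoreCase(scheme))
                .findFirst();
    }

    public static void main(String[] args) {
        SchemeScopedCredentials creds = new SchemeScopedCredentials();
        // Constructed sample data.
        creds.add(new Credential("repo.example.org", "Artifacts", "deployer", "s3cret"));
        creds.add(new Credential("legacy.example.org", "Artifacts", "any", "deployer", "s3cret"));

        String[] urls = {
            "https://repo.example.org/ivy.xml",  // matches: scheme equals the https default
            "http://repo.example.org/ivy.xml",   // no match: cleartext scheme is refused
            "http://legacy.example.org/ivy.xml"  // matches only because of the explicit "any"
        };
        for (String u : urls) {
            // Preemptive case: realm unknown, so scheme is the only guard left besides host.
            boolean send = creds.lookup(URI.create(u), null).isPresent();
            System.out.println(u + " -> " + (send ? "send credentials" : "no credentials"));
        }
    }
}
```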