Posted to dev@ant.apache.org by GitBox <gi...@apache.org> on 2021/12/20 13:12:42 UTC

[GitHub] [ant] bernolanger opened a new pull request #173: Allow ant:get task to disable authentication on redirect.

bernolanger opened a new pull request #173:
URL: https://github.com/apache/ant/pull/173


   Most clients do not send the Authorization header on redirects by default, because of security issues.
   
   The ant:get task, instead, always sends the Authorization header to the redirected location.
   
   This PR makes this behavior configurable. The optional attribute "authenticateOnRedirect" can be set to "false".
   
   I'm not a security expert. Therefore I didn't change the default behavior to avoid breaking existing Ant scripts. This means, "authenticateOnRedirect" defaults to "true". But maybe it would be better to change this.
   
   _Example: getting an artifact from AWS CodeArtifact, which redirects to a pre-signed URL and therefore mustn't contain the Authorization header:_
   ```
   <get src="https://codeartifact-url/..." username="aws" password="<secret>" dest="..." authenticateOnRedirect="false">
     <header name="Accept" value="*/*"/>
   </get>
   ```


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscribe@ant.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@ant.apache.org
For additional commands, e-mail: dev-help@ant.apache.org


[GitHub] [ant] jaikiran commented on pull request #173: Allow ant:get task to disable authentication on redirect.

Posted by GitBox <gi...@apache.org>.
jaikiran commented on pull request #173:
URL: https://github.com/apache/ant/pull/173#issuecomment-1000029159


   >Therefore I didn't change the default behavior to avoid breaking existing Ant scripts. This means, "authenticateOnRedirect" defaults to "true". But maybe it would be better to change this.
   
   I was leaning towards making this new `authenticateOnRedirect` to default to `false` to be more secure (i.e. don't set Authorization header to redirected URL unless explicitly asked to). That might break scripts but I think that's probably a good thing since it would force users to review their target URLs and decide if they really want to send the auth header on redirect for that specific URL.
   
   The only place where this would probably be a nuisance is if the redirect is happening just for the scheme. What I mean is if the original URL `http://example.com/foo` was redirecting to `https://example.com/foo`. Or even in some cases where servers redirect a URL of the form `http://example.com/foo` to `http://example.com/foo/` (slash at the end). So yes, I guess leaving the current backward compatible behaviour is OK.


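As an added example that is not part of the PR or of Ant's own code, the redirect decision this thread is about, modelled in Python: `always` is the behaviour before the PR, `never` is what `authenticateOnRedirect="false"` asks for, and `same-host` is a hypothetical stricter middle ground (not in the PR) that still forwards credentials for the scheme-upgrade and trailing-slash redirects jaikiran describes while dropping them for a cross-host pre-signed URL. The redirect chain and its URLs are constructed.

```python
from urllib.parse import urlsplit, urljoin

# Constructed example: decides whether credentials sent with the original
# request should be re-sent to a redirect target under a chosen policy.
_DEFAULT_PORTS = {"http": 80, "https": 443}

def _origin(url):
    """Return (scheme, host, port) with default ports filled in."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    return scheme, (u.hostname or "").lower(), u.port or _DEFAULT_PORTS.get(scheme)

def same_host_safe_redirect(previous, target):
    """True for same-host redirects where the scheme is unchanged (e.g. a
    trailing-slash redirect) or upgraded http -> https; never a downgrade."""
    s1, h1, p1 = _origin(previous)
    s2, h2, p2 = _origin(target)
    if not h1 or h1 != h2:
        return False
    if s1 == s2:
        return p1 == p2
    return s1 == "http" and s2 == "https"

def should_forward_auth(previous, target, policy):
    """policy: 'always' (pre-PR behaviour), 'never' (authenticateOnRedirect=false),
    or 'same-host' (hypothetical stricter policy, not part of the PR)."""
    if policy == "always":
        return True
    if policy == "never":
        return False
    if policy == "same-host":
        return same_host_safe_redirect(previous, target)
    raise ValueError(f"unknown policy {policy!r}")

def follow_redirects(start, responses, policy, max_hops=5):
    """Walk a constructed chain: `responses` maps a URL to its Location
    header, or None for the final 200. Returns [(url, auth_sent), ...]."""
    url = start
    trail = [(url, True)]  # the first request always carries the credentials
    for _ in range(max_hops):
        location = responses.get(url)
        if location is None:
            return trail
        nxt = urljoin(url, location)
        trail.append((nxt, should_forward_auth(url, nxt, policy)))
        url = nxt
    raise RuntimeError("too many redirects")

# Constructed chain: a private repository redirecting to a pre-signed URL
# on a different host, the CodeArtifact case described in the PR.
CHAIN = {
    "https://repo.example/artifact.jar": "https://storage.example/obj?sig=CONSTRUCTED",
    "https://storage.example/obj?sig=CONSTRUCTED": None,
}
```

Under `always` the second hop carries the header to the other host; under `never` or `same-host` it does not, while `same-host` still keeps it for `http://example.com/foo` to `https://example.com/foo`.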


[GitHub] [ant] bodewig commented on pull request #173: Allow ant:get task to disable authentication on redirect.

Posted by GitBox <gi...@apache.org>.
bodewig commented on pull request #173:
URL: https://github.com/apache/ant/pull/173#issuecomment-999741812


   many thanks @bernolanger
   
   we'd like to credit you in CONTRIBUTORS and contributors.xml. What is the name you'd want us to use?




[GitHub] [ant] bodewig commented on pull request #173: Allow ant:get task to disable authentication on redirect.

Posted by GitBox <gi...@apache.org>.
bodewig commented on pull request #173:
URL: https://github.com/apache/ant/pull/173#issuecomment-1000436715


   you are right @jaikiran, I'll change the default.




[GitHub] [ant] bodewig merged pull request #173: Allow ant:get task to disable authentication on redirect.

Posted by GitBox <gi...@apache.org>.
bodewig merged pull request #173:
URL: https://github.com/apache/ant/pull/173


   

