bernolanger opened a new pull request #173:
URL: https://github.com/apache/ant/pull/173


   Most clients do not send the Authorization header on redirects by default, because of security issues.
   
   The ant:get task, instead, always sends the Authorization header to the redirected location.
   
   This PR makes this behavior configurable. The optional attribute 
"authenticateOnRedirect" can be set to "false".
   
   I'm not a security expert. Therefore I didn't change the default behavior, to avoid breaking existing Ant scripts. This means "authenticateOnRedirect" defaults to "true". But maybe it would be better to change this.
   
   _Example: getting an artifact from AWS CodeArtifact which redirects to a pre-signed URL and therefore mustn't contain the Authorization header:_
   ```
   <get src="https://codeartifact-url/..." username="aws" password="<secret>" dest="..." authenticateOnRedirect="false">
     <header name="Accept" value="*/*"/>
   </get>
   ```


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscr...@ant.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
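
The behaviour the pull request describes can be observed offline with two loopback servers: one that answers with a 302 and one that plays the redirect target and records the Authorization header it receives. This is an added example, not code from the pull request or from Ant. The class, `fetch`, `serve`, the servers and the credentials are constructed for the demo; only the flag name mirrors the attribute proposed above.

```java
import com.sun.net.httpserver.HttpServer;
import java.net.*;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.concurrent.atomic.AtomicReference;

public class RedirectAuthDemo {
    // Follows redirects by hand. The first request always carries credentials;
    // redirect targets get them only when authenticateOnRedirect is true.
    static int fetch(URL url, String user, String pass, boolean authenticateOnRedirect) throws Exception {
        String basic = "Basic " + Base64.getEncoder()
                .encodeToString((user + ":" + pass).getBytes(StandardCharsets.UTF_8));
        for (int hop = 0; hop <= 5; hop++) {
            HttpURLConnection c = (HttpURLConnection) url.openConnection();
            c.setInstanceFollowRedirects(false);
            if (hop == 0 || authenticateOnRedirect) c.setRequestProperty("Authorization", basic);
            int code = c.getResponseCode();
            String location = c.getHeaderField("Location");
            c.disconnect();
            if (code / 100 != 3 || location == null) return code;
            url = url.toURI().resolve(location).toURL();
        }
        throw new IllegalStateException("too many redirects");
    }

    // Constructed loopback server: records the Authorization header of each request,
    // then answers with the given status (and Location header, if any).
    static HttpServer serve(int status, String location, AtomicReference<String> seen) throws Exception {
        HttpServer s = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
        s.createContext("/", ex -> {
            seen.set(ex.getRequestHeaders().getFirst("Authorization"));
            if (location != null) ex.getResponseHeaders().add("Location", location);
            ex.sendResponseHeaders(status, -1);
            ex.close();
        });
        s.start();
        return s;
    }

    public static void main(String[] args) throws Exception {
        AtomicReference<String> atRepo = new AtomicReference<>(), atTarget = new AtomicReference<>();
        HttpServer target = serve(200, null, atTarget);   // stand-in for the pre-signed URL host
        HttpServer repo = serve(302, "http://127.0.0.1:" + target.getAddress().getPort() + "/blob", atRepo);
        URL src = URI.create("http://127.0.0.1:" + repo.getAddress().getPort() + "/artifact").toURL();
        for (boolean flag : new boolean[] {true, false}) {
            fetch(src, "aws", "constructed-secret", flag);
            System.out.println("authenticateOnRedirect=" + flag + ": repo saw " + atRepo.get()
                    + ", redirect target saw " + atTarget.get());
        }
        repo.stop(0); target.stop(0);
    }
}
```

A captured header of `null` at the redirect target means the credentials stayed with the host they were configured for.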


