You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@archiva.apache.org by "Arnaud Heritier (JIRA)" <ji...@codehaus.org> on 2008/08/14 17:26:26 UTC

[jira] Commented: (MRM-911) Archiva checks user's credentials before guest's rights on the repository

    [ http://jira.codehaus.org/browse/MRM-911?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=145051#action_145051 ] 

Arnaud Heritier commented on MRM-911:
-------------------------------------

A workaround is to say to apache (>2.0) to not forward credentials :
{code:xml}
  <Location /archiva/repository/>
    RequestHeader unset authorization
  </Location>
{code}

> Archiva checks user's credentials before guest's rights on the repository
> -------------------------------------------------------------------------
>
>                 Key: MRM-911
>                 URL: http://jira.codehaus.org/browse/MRM-911
>             Project: Archiva
>          Issue Type: Bug
>          Components: Users/Security
>    Affects Versions: 1.1.1
>         Environment: Apache 2.2, Tomcat 5.5.26, Archiva 1.1.1, JDK 1.6
>            Reporter: Arnaud Heritier
>             Fix For: 1.1.2
>
>
> In a corporate environment we installed archiva on tomcat & mysql.
> A reverse proxy (Apache) is used to protect our intranet applications. (I tried to use mod_proxy and mod_jk to connect apache & tomcat and the behavior is  the same.)
> To access to our intranet thought the reverse proxy I have to give my credentials (the RP is using a ldap directory and accessed only in HTTPS).
> When I access to the archiva UI, everything is fine. After giving my credentials, I can logon or logout with accounts created in archiva (admin for example).
> I configured the guest to be a global Repository Manager & Observer on all our repositories (we don't need to readd a security level in archiva. It's already done by apache).
> When I access to a repository (to browse it for example) I receive an authentication dialog box (basic authent) like :
> {{A user name and password are being requested by https://xxx.yyy.com. The site says: "Repository Archiva Managed 3rd-parties Repository"}}
> It shouldn't be because guest can browse and write on repositories.
> What I suppose is that archiva is retreiving my credentials from apache and tries to logon me, which is failing (i don't have this account in archiva). After having fail it proposes to me to reenter new credentials.
> I tried to create a user in archiva as the one I have to logon in apache and it works.
> I think archiva should check guest rights before to try to logon the user.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://jira.codehaus.org/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira