Posted to dev@archiva.apache.org by Olivier Lamy <ol...@apache.org> on 2017/05/08 10:57:11 UTC
Re: Rest validation url
Hi
I forgot to say, but all good here
Thanks!!
Olivier
On 28 April 2017 at 22:26, Olivier Lamy <ol...@apache.org> wrote:
> Hi
> I stopped Archiva.
> It's now restarted; builds will be deployed.
> I will try to test during the weekend.
> Thanks!
> Olivier
>
> On 28 April 2017 at 15:34, Martin Stockhammer <ma...@apache.org> wrote:
>
>> Hi Olivier,
>>
>> I think I have fixed the configuration issue. And modified the header
>> checks. You should be able to add a comma separated list for the
>> rest.baseUrl param.
>> Could you please check with the latest source. The Jenkins builds
>> currently fail, because there seems something wrong with the repository
>> server or the latest snapshot builds that were uploaded. I'm not sure if
>> this is related to your changes on the repository server or another issue.
>>
>> Cheers
>>
>> Martin
>>
>>
>>
>> --
>> This message was sent from my Android device with K-9 Mail.
>
>
>
>
> --
> Olivier Lamy
> http://twitter.com/olamy | http://linkedin.com/in/olamy
>
--
Olivier Lamy
http://twitter.com/olamy | http://linkedin.com/in/olamy
Re: Rest validation url
Posted by Olivier Lamy <ol...@apache.org>.
Hi
just deployed a fresh build to our new instance and all good!!!
Feel free to release.
I will work in parallel to upgrade Jetty (but that can be in the next release)
Thanks for your hard work!!!
On 11 May 2017 at 07:47, Martin <ma...@apache.org> wrote:
> Great to hear!
> I added a fix for the dynamic case with the reverse proxy (the header can
> contain host lists as I have learned now).
>
> Additionally I added an improvement for the repository checks (see
> MRM-1933).
>
> If your deployment works well, I would like to restart the release process
> with the current master branch (archiva 2.2.3, redback 2.6).
>
> Greetings
>
> Martin
--
Olivier Lamy
http://twitter.com/olamy | http://linkedin.com/in/olamy
Re: Rest validation url
Posted by Martin <ma...@apache.org>.
Great to hear!
I added a fix for the dynamic case with the reverse proxy (the header can
contain host lists as I have learned now).
Additionally I added an improvement for the repository checks (see MRM-1933).
If your deployment works well, I would like to restart the release process
with the current master branch (archiva 2.2.3, redback 2.6).
Greetings
Martin
On Wednesday, 10 May 2017, 21:37:20 CEST, Olivier Lamy wrote:
> Hi Martin
> Works fine now with archiva.xml (a little issue when not logged in; I pushed a
> fix to master and will deploy on
> https://archiva-repository.apache.org/archiva tomorrow)
>
> Yes, I agree all this configuration model must be cleaned up (some legacy...)
Re: Rest validation url
Posted by Olivier Lamy <ol...@apache.org>.
Hi Martin
Works fine now with archiva.xml (a little issue when not logged in; I pushed a
fix to master and will deploy on
https://archiva-repository.apache.org/archiva tomorrow)
Yes, I agree all this configuration model must be cleaned up (some legacy...)
On 9 May 2017 at 05:31, Martin <ma...@apache.org> wrote:
> After reconsidering the configuration process I think security.properties
> cannot really work (as I think it should have worked).
> When the redback runtime configuration properties are changed (e.g. via the
> WebUI), the whole property set (including defaults) is written to
> archiva.xml, and these values always overwrite the values of
> security.properties.
> So security.properties is included for historical reasons, to allow
> better migration of existing configurations. But after the properties are
> written to archiva.xml, the values in security.properties are not relevant
> anymore.
>
> Greetings
>
> Martin
--
Olivier Lamy
http://twitter.com/olamy | http://linkedin.com/in/olamy
Re: Rest validation url
Posted by Martin <ma...@apache.org>.
After reconsidering the configuration process I think security.properties
cannot really work (as I think it should have worked).
When the redback runtime configuration properties are changed (e.g. via the
WebUI), the whole property set (including defaults) is written to
archiva.xml, and these values always overwrite the values of
security.properties.
So security.properties is included for historical reasons, to allow
better migration of existing configurations. But after the properties are
written to archiva.xml, the values in security.properties are not relevant
anymore.
Greetings
Martin
On Monday, 8 May 2017, 21:04:13 CEST, Martin wrote:
> Hi Olivier,
>
> it seems the security.properties is ignored (at least when the configuration
> is read by the interceptor). I thought the files are read in the order
> defined in applicationContext.xml, but that seems not to be the case.
>
> So for the first start, could you please put it in archiva.xml:
> <redbackRuntimeConfiguration>
> ...
> <configurationProperties>
> ...
> <rest>
> <csrffilter>
> <enabled>true</enabled>
> <disableTokenValidation>false</disableTokenValidation>
> <absentorigin>
> <deny>true</deny>
> </absentorigin>
> </csrffilter>
> <baseUrl>http://archiva-repository.apache.org</baseUrl>
> <baseUrl>http://localhost:9191</baseUrl>
> <baseUrl>https://archiva-repository.apache.org</baseUrl>
> </rest>
> ...
> </configurationProperties>
> ...
> </redbackRuntimeConfiguration>
>
> And could you please set the log level for the interceptor to trace:
>
> <logger name="org.apache.archiva.redback.rest.services.interceptors.RequestValidationInterceptor" level="trace" />
>
>
> And for the dynamic case (ignored configuration) the retrieval of the target
> URL seems not to work as expected. It would be helpful if you could
> extract/log the HTTP headers that are sent with the request.
> I'm not sure if Jetty in this version can log HTTP headers. Another
> possibility would be tcpdump on the server.
>
> Thanks for your help.
>
>
> Martin
Re: Rest validation url
Posted by Martin <ma...@apache.org>.
Hi Olivier,
it seems the security.properties is ignored (at least when the configuration
is read by the interceptor). I thought the files are read in the order
defined in applicationContext.xml, but that seems not to be the case.
So for the first start, could you please put it in archiva.xml:
<redbackRuntimeConfiguration>
  ...
  <configurationProperties>
    ...
    <rest>
      <csrffilter>
        <enabled>true</enabled>
        <disableTokenValidation>false</disableTokenValidation>
        <absentorigin>
          <deny>true</deny>
        </absentorigin>
      </csrffilter>
      <baseUrl>http://archiva-repository.apache.org</baseUrl>
      <baseUrl>http://localhost:9191</baseUrl>
      <baseUrl>https://archiva-repository.apache.org</baseUrl>
    </rest>
    ...
  </configurationProperties>
  ...
</redbackRuntimeConfiguration>
And could you please set the log level for the interceptor to trace:
<logger name="org.apache.archiva.redback.rest.services.interceptors.RequestValidationInterceptor" level="trace" />
And for the dynamic case (ignored configuration) the retrieval of the target
URL seems not to work as expected. It would be helpful if you could extract/log
the HTTP headers that are sent with the request.
I'm not sure if Jetty in this version can log HTTP headers. Another
possibility would be tcpdump on the server.
Thanks for your help.
Martin
On Monday, 8 May 2017, 21:16:51 CEST, Olivier Lamy wrote:
> I have a security.properties file in
> ${appserver.base}/conf with this but doesn't work.
>
> rest.baseUrl=http://archiva-repository.apache.org,http://localhost:9191,https://archiva-repository.apache.org
>
> rest.csrffilter.enabled=false
>
>
> But still getting
>
> 2017-05-08 10:59:15,090 [qtp1614464539-68] WARN org.apache.archiva.redback.rest.services.interceptors.RequestValidationInterceptor [] - HTTP Header check failed. Assuming CSRF attack.
>
> 2017-05-08 10:59:15,090 [qtp1614464539-68] WARN org.apache.archiva.redback.rest.services.interceptors.RequestValidationInterceptor [] - Referer Header does not match: refererUrl=https://archiva-repository.apache.org/archiva/index.html?request_lang=en, targetUrl=http://localhost:9191/restServices/archivaServices/commonServices/getAllI18nResources. Matches: Host=false, Port=false
>
> 2017-05-08 10:59:15,091 [qtp1614464539-68] WARN org.apache.archiva.redback.rest.services.interceptors.RequestValidationInterceptor [] - Referer Header does not match: refererUrl=https://archiva-repository.apache.org/archiva/index.html?request_lang=en, targetUrl=http://archiva-repository.apache.org, archiva-repository.apache.org. Matches: Host=false, Port=false
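The header check Martin describes above, together with the reverse-proxy host-list case he mentions in his later message, as an added example written for this page in Python. It is not Redback's RequestValidationInterceptor; it only reproduces the shape of the check visible in the log lines (the source origin taken from Origin or Referer is compared with the origin the request was addressed to, plus a configured base URL list). The proxy header names X-Forwarded-Proto and X-Forwarded-Host, the local listener http://localhost:9191 as the application's own address, and the cross-site origin evil.example are assumptions or constructed inputs, not taken from the thread.

```python
# Added example for this page: an Origin/Referer check with the same shape as the
# one RequestValidationInterceptor logs about. This is not Redback's code. The
# proxy header names X-Forwarded-Proto and X-Forwarded-Host are assumptions; the
# thread only says "the header can contain host lists".
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url):
    """Return (scheme, host, port) for an http(s) URL, or None if it does not parse.

    The default port is filled in so that https://example.org and
    https://example.org:443 compare equal. "null" (the opaque origin browsers
    send in some cases) has no scheme and therefore yields None.
    """
    try:
        parts = urlsplit(url.strip())
        port = parts.port  # raises ValueError for a non-numeric port
    except ValueError:
        return None
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    return (parts.scheme, parts.hostname, port or DEFAULT_PORTS[parts.scheme])


def target_origins(headers, local_scheme, local_host, local_port):
    """Origins the request may legitimately have been addressed to.

    Behind a reverse proxy the application only sees its own listener (here
    http://localhost:9191, as in the log lines on this page), while the browser's
    Referer carries the public host. The public origin is therefore rebuilt from
    the forwarded headers. Chained proxies append to X-Forwarded-Host, so it can
    be a comma separated list; every entry becomes a candidate origin. Only honour
    these headers when the proxy in front overwrites client-supplied copies.
    """
    origins = {(local_scheme, local_host.lower(), local_port)}
    proto = headers.get("X-Forwarded-Proto", local_scheme).split(",")[0].strip()
    for entry in headers.get("X-Forwarded-Host", "").split(","):
        entry = entry.strip()
        if entry:
            origin = origin_of("%s://%s" % (proto, entry))
            if origin:
                origins.add(origin)
    return origins


def check_request(headers, base_urls=(), deny_absent_origin=True,
                  local_scheme="http", local_host="localhost", local_port=9191):
    """Return (allowed, reason) for one request's headers.

    Origin is preferred over Referer: browsers send it on cross-site requests and
    page script cannot set it, whereas Referer is often stripped by privacy
    settings. A request with neither header is denied when deny_absent_origin is
    set, mirroring the <absentorigin><deny>true</deny></absentorigin> setting
    quoted in the thread.
    """
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return (not deny_absent_origin, "no Origin or Referer header")
    src = origin_of(source)
    if src is None:
        return (False, "unparseable source origin: %r" % source)
    allowed = target_origins(headers, local_scheme, local_host, local_port)
    for base in base_urls:  # static allow-list, like rest.baseUrl / <baseUrl>
        base_origin = origin_of(base)
        if base_origin:
            allowed.add(base_origin)
    if src in allowed:
        return (True, "source origin %s://%s:%d matches a target origin" % src)
    return (False, "source origin %s://%s:%d matches no target origin" % src)


def demo():
    """Replay the situation from the thread. The Referer is the one in the log;
    the cross-site origin evil.example is constructed for this example."""
    referer = "https://archiva-repository.apache.org/archiva/index.html?request_lang=en"
    # 1. As logged on the page: public Referer, local listener, nothing configured.
    direct = check_request({"Referer": referer})
    # 2. Static fix: the base URLs from the archiva.xml snippet.
    configured = check_request({"Referer": referer}, base_urls=(
        "http://archiva-repository.apache.org",
        "http://localhost:9191",
        "https://archiva-repository.apache.org",
    ))
    # 3. Dynamic fix: the proxy forwards the public host, here as a host list.
    proxied = check_request({
        "Referer": referer,
        "X-Forwarded-Proto": "https",
        "X-Forwarded-Host": "archiva-repository.apache.org, localhost:9191",
    })
    # 4. A genuine cross-site request through the same proxy is still rejected.
    cross_site = check_request({
        "Origin": "https://evil.example",
        "X-Forwarded-Proto": "https",
        "X-Forwarded-Host": "archiva-repository.apache.org",
    })
    return (direct[0], configured[0], proxied[0], cross_site[0])


if __name__ == "__main__":
    for name, ok in zip(("direct", "configured", "proxied", "cross-site"), demo()):
        print("%-11s %s" % (name, "allowed" if ok else "denied"))
```

demo() replays the failing request from the log (public Referer, local listener, no configuration) and then shows both remedies discussed in the thread: the static base URL list and the host list forwarded by the proxy. Whichever is used, the forwarded headers are only worth trusting when the proxy in front strips client-supplied copies; otherwise any client can pick the target origin itself and the comparison proves nothing.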
Re: Rest validation url
Posted by Olivier Lamy <ol...@apache.org>.
I have a security.properties file in
${appserver.base}/conf with this but doesn't work.
rest.baseUrl=http://archiva-repository.apache.org,http://localhost:9191,https://archiva-repository.apache.org
rest.csrffilter.enabled=false
But still getting
2017-05-08 10:59:15,090 [qtp1614464539-68] WARN org.apache.archiva.redback.rest.services.interceptors.RequestValidationInterceptor [] - HTTP Header check failed. Assuming CSRF attack.
2017-05-08 10:59:15,090 [qtp1614464539-68] WARN org.apache.archiva.redback.rest.services.interceptors.RequestValidationInterceptor [] - Referer Header does not match: refererUrl=https://archiva-repository.apache.org/archiva/index.html?request_lang=en, targetUrl=http://localhost:9191/restServices/archivaServices/commonServices/getAllI18nResources. Matches: Host=false, Port=false
2017-05-08 10:59:15,091 [qtp1614464539-68] WARN org.apache.archiva.redback.rest.services.interceptors.RequestValidationInterceptor [] - Referer Header does not match: refererUrl=https://archiva-repository.apache.org/archiva/index.html?request_lang=en, targetUrl=http://archiva-repository.apache.org, archiva-repository.apache.org. Matches: Host=false, Port=false
On 8 May 2017 at 21:09, Olivier Lamy <ol...@apache.org> wrote:
> uhm I talked too fast :-(
> Let me check more seriously
--
Olivier Lamy
http://twitter.com/olamy | http://linkedin.com/in/olamy
Re: Rest validation url
Posted by Olivier Lamy <ol...@apache.org>.
uhm I talked too fast :-(
Let me check more seriously
On 8 May 2017 at 20:57, Olivier Lamy <ol...@apache.org> wrote:
> Hi
> I forgot to say, but all good here
> Thanks!!
> Olivier
--
Olivier Lamy
http://twitter.com/olamy | http://linkedin.com/in/olamy