You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@archiva.apache.org by "Brett Porter (JIRA)" <ji...@codehaus.org> on 2014/09/26 09:07:10 UTC
[jira] (MRM-897) confusing handling of browser-based webdav access
for security
[ https://jira.codehaus.org/browse/MRM-897?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=353241#comment-353241 ]
Brett Porter commented on MRM-897:
----------------------------------
Doesn't happen with this method, but still happens in other scenarios where a 401 is first returned, and then the browser sends the credentials after the challenge. Not a big deal, just a bit confusing since that's a normal part of the procedure.
> confusing handling of browser-based webdav access for security
> --------------------------------------------------------------
>
> Key: MRM-897
> URL: https://jira.codehaus.org/browse/MRM-897
> Project: Archiva
> Issue Type: Bug
> Affects Versions: 1.1
> Reporter: Brett Porter
> Assignee: Olivier Lamy
> Priority: Minor
> Labels: TOCHECK
>
> steps to reproduce:
> - access a repository that has read restriction, log in via the HTTP challenge response and successfully access it
> - restart server
> - access an artifact URL (do not browse the repository) from the same browser session.
> The logs show:
> {code}
> 2008-07-30 15:51:41,083 [btpool0-9] INFO org.apache.maven.archiva.security.ArchivaServletAuthenticator - Authorization Denied [ip=0:0:0:0:0:0:0:1%0,
> isWriteRequest=false,permission=archiva-read-repository,repo=testing] : no matching permissions
> {code}
> This is a result of the first request coming through such that a null result is passed to isAuthenticated. The code for that is:
> {code}
> if ( result != null && !result.isAuthenticated() )
> {
> throw new AuthenticationException( "User Credentials Invalid" );
> }
> return true;
> {code}
> As you can see, a null result is treated as being "authenticated", though there is really no information as to whether that is the case.
> The request later works, so I don't know if this is a bug or not, or just poor logging.
--
This message was sent by Atlassian JIRA
(v6.1.6#6162)