Posted to issues@archiva.apache.org by "Brett Porter (JIRA)" <ji...@codehaus.org> on 2014/09/26 09:07:10 UTC

[jira] (MRM-897) confusing handling of browser-based webdav access for security

    [ https://jira.codehaus.org/browse/MRM-897?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=353241#comment-353241 ] 

Brett Porter commented on MRM-897:
----------------------------------

Doesn't happen with this method, but still happens in other scenarios where a 401 is first returned, and then the browser sends the credentials after the challenge. Not a big deal, just a bit confusing since that's a normal part of the procedure.

> confusing handling of browser-based webdav access for security
> --------------------------------------------------------------
>
>                 Key: MRM-897
>                 URL: https://jira.codehaus.org/browse/MRM-897
>             Project: Archiva
>          Issue Type: Bug
>    Affects Versions: 1.1
>            Reporter: Brett Porter
>            Assignee: Olivier Lamy
>            Priority: Minor
>              Labels: TOCHECK
>
> steps to reproduce:
> - access a repository that has read restriction, log in via the HTTP challenge response and successfully access it
> - restart server
> - access an artifact URL (do not browse the repository) from the same browser session.
> The logs show:
> {code}
> 2008-07-30 15:51:41,083 [btpool0-9] INFO  org.apache.maven.archiva.security.ArchivaServletAuthenticator  - Authorization Denied [ip=0:0:0:0:0:0:0:1%0,
> isWriteRequest=false,permission=archiva-read-repository,repo=testing] : no matching permissions
> {code}
> This is a result of the first request coming through such that a null result is passed to isAuthenticated. The code for that is:
> {code}
> if ( result != null && !result.isAuthenticated() )
> {
>     throw new AuthenticationException( "User Credentials Invalid" );
> }
> return true;
> {code}
> As you can see, a null result is treated as being "authenticated", though there is really no information as to whether that is the case.
> The request later works, so I don't know if this is a bug or not, or just poor logging.
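The null check quoted in the issue description is shown here next to a fail-closed variant, as an added example that is not Archiva's code. The `AuthenticationResult` and `AuthenticationException` classes below are minimal hypothetical stand-ins for the project's own types, so that the two versions of the check can be run side by side.

```java
// Added example, not Archiva's code. AuthenticationResult and AuthenticationException
// are hypothetical stand-ins for the project's real types.
public class AuthCheckExample {

    // Hypothetical minimal stand-in for an authentication result.
    static final class AuthenticationResult {
        private final boolean authenticated;

        AuthenticationResult(boolean authenticated) {
            this.authenticated = authenticated;
        }

        boolean isAuthenticated() {
            return authenticated;
        }
    }

    // Hypothetical stand-in for the exception type named in the quoted snippet.
    static final class AuthenticationException extends Exception {
        AuthenticationException(String msg) {
            super(msg);
        }
    }

    // Same logic as the snippet quoted in the issue: a null result does not
    // match the condition, falls through, and is reported as authenticated.
    static boolean isAuthenticatedAsQuoted(AuthenticationResult result)
            throws AuthenticationException {
        if (result != null && !result.isAuthenticated()) {
            throw new AuthenticationException("User Credentials Invalid");
        }
        return true;
    }

    // Fail-closed variant: a missing result means no credentials were evaluated
    // yet, so it is reported as "not authenticated" and the caller can send the
    // 401 challenge instead of silently treating the request as authenticated.
    static boolean isAuthenticatedFailClosed(AuthenticationResult result)
            throws AuthenticationException {
        if (result == null) {
            return false;
        }
        if (!result.isAuthenticated()) {
            throw new AuthenticationException("User Credentials Invalid");
        }
        return true;
    }

    public static void main(String[] args) throws AuthenticationException {
        System.out.println("quoted logic, null result: " + isAuthenticatedAsQuoted(null));
        System.out.println("fail-closed,  null result: " + isAuthenticatedFailClosed(null));
        System.out.println("fail-closed,  good result: "
                + isAuthenticatedFailClosed(new AuthenticationResult(true)));
        try {
            isAuthenticatedFailClosed(new AuthenticationResult(false));
        } catch (AuthenticationException e) {
            System.out.println("fail-closed,  bad result:  " + e.getMessage());
        }
    }
}
```

The difference between the two methods is only in how the absent case is classified. The quoted form distinguishes two states (explicitly rejected, or everything else) and the second state includes "no information"; the fail-closed form distinguishes three (rejected, no information, accepted) and returns true only for the last. Whether the first request in the scenario above reaches this code with a null result by design is the open question in the issue; the example only shows what changes in the log and the response when that case is not treated as success.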



--
This message was sent by Atlassian JIRA
(v6.1.6#6162)