You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@continuum.apache.org by "David Delbecq (JIRA)" <ji...@codehaus.org> on 2008/04/11 11:12:58 UTC
[jira] Commented: (CONTINUUM-1723) wrong password use and chaching
during add maven2 project
[ http://jira.codehaus.org/browse/CONTINUUM-1723?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=130467#action_130467 ]
David Delbecq commented on CONTINUUM-1723:
------------------------------------------
Please note, between point 1 and 2 above, i forgot to mention "click add maven2 project"
> wrong password use and chaching during add maven2 project
> ---------------------------------------------------------
>
> Key: CONTINUUM-1723
> URL: http://jira.codehaus.org/browse/CONTINUUM-1723
> Project: Continuum
> Issue Type: Bug
> Components: Integration - Maven 2, Security, Web interface
> Affects Versions: 1.1
> Environment: linux system, plexus server, (maestro1.5.1 bundle)
> Reporter: David Delbecq
> Priority: Critical
>
> When adding a maven2 project, if the provided pom.xml url (first field of form) requires user / pass authentification and you type in the wrong password or wrong username, continuum caches it and will always use it for the rest of his life. As a result it's impossible to get the pom.xml, even if you type correct password in field.
> Steps to reproduce
> # go to continuum server
> # Type url of a pom.xml that requires server "basic" authentification
> # Type in any user/pass for that url that is incorrect (eg: foo:bar)
> # Click add
> # Pages show up form again telling "there was a problem getting the pom.xml"
> # Type in correct user/password
> # Click add
> # Pages show up again telling same problem
> # logout, login, try again with correct user/password
> # Still impossible
> # Logout , close your browser, clean your cookies and everything
> # Login, try again with correct user/password
> # Still impossible
> # shutdown continuum server and it's JVM, restart it
> # Login, try again with correct user/password
> # *Success!*
> # Try to add a second project, with another url on *same* http server, with incorrect user/pass
> # *Success!*
> As a conclusion, continuum caches somewhere the first user / pass, even if incorrect, and will reuse it everytime you access this server. This is a problem in an environment where multiple teams share a common continuum server, a common svn server (with different access rights at different project nodes) and have rights to add projects. The first team member to add a project will have have his user/password right forced to every other users trying to add project.
> The only solution i found so far is, after adding a project, to shutdown the jvm hosting continuum and restart it.
> Behind the scene:
> sniffing of protocol show clearly that continuum, when "getting" the pom mentionned in add project, always uses the same basic authentification, whatever the user type in in user/pass boxes. It's always the first attempt that get used
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://jira.codehaus.org/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira