Posted to issues@archiva.apache.org by "Wendy Smoak (JIRA)" <ji...@codehaus.org> on 2008/12/18 00:48:19 UTC

[jira] Created: (MRM-1047) Archiva allows deployment by user with expired password

Archiva allows deployment by user with expired password
-------------------------------------------------------

                 Key: MRM-1047
                 URL: http://jira.codehaus.org/browse/MRM-1047
             Project: Archiva
          Issue Type: Bug
          Components: Users/Security
    Affects Versions: 1.1.3
            Reporter: Wendy Smoak
            Priority: Minor


If a user has the repo manager role, he can still deploy artifacts even if his password is expired and/or flagged as must be changed.

An expired password is no longer valid, and Archiva should prevent access to the repository until it is changed.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://jira.codehaus.org/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira


[jira] Assigned: (MRM-1047) Archiva allows deployment by user with expired password

Posted by "Brett Porter (JIRA)" <ji...@codehaus.org>.
     [ http://jira.codehaus.org/browse/MRM-1047?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Brett Porter reassigned MRM-1047:
---------------------------------

    Assignee: Brett Porter

> Archiva allows deployment by user with expired password
> -------------------------------------------------------
>
>                 Key: MRM-1047
>                 URL: http://jira.codehaus.org/browse/MRM-1047
>             Project: Archiva
>          Issue Type: Bug
>          Components: Users/Security
>    Affects Versions: 1.1.3
>            Reporter: Wendy Smoak
>            Assignee: Brett Porter
>            Priority: Minor
>             Fix For: 1.2-M2
>
>
> If a user has the repo manager role, he can still deploy artifacts even if his password is expired and/or flagged as must be changed.
> An expired password is no longer valid, and Archiva should prevent access to the repository until it is changed.

[jira] Commented: (MRM-1047) Archiva allows deployment by user with expired password

Posted by "Brett Porter (JIRA)" <ji...@codehaus.org>.
    [ http://jira.codehaus.org/browse/MRM-1047?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=170076#action_170076 ] 

Brett Porter commented on MRM-1047:
-----------------------------------

should also check for force password change in the above locations

> Archiva allows deployment by user with expired password
> -------------------------------------------------------
>
>                 Key: MRM-1047
>                 URL: http://jira.codehaus.org/browse/MRM-1047
>             Project: Archiva
>          Issue Type: Bug
>          Components: Users/Security
>    Affects Versions: 1.1.3
>            Reporter: Wendy Smoak
>            Assignee: Brett Porter
>            Priority: Minor
>             Fix For: 1.2-M2
>
>
> If a user has the repo manager role, he can still deploy artifacts even if his password is expired and/or flagged as must be changed.
> An expired password is no longer valid, and Archiva should prevent access to the repository until it is changed.

[jira] Commented: (MRM-1047) Archiva allows deployment by user with expired password

Posted by "Brett Porter (JIRA)" <ji...@codehaus.org>.
    [ http://jira.codehaus.org/browse/MRM-1047?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=168688#action_168688 ] 

Brett Porter commented on MRM-1047:
-----------------------------------

locations where the password expiry is not checked (by searching for isLocked):
DefaultUserRepositories:85 (getObservableRepositoryIds), 157 (isAuthorizedToUploadArtifacts)
ArchivaServletAuthenticator:112 (isAuthorized)

will still need to test that the expiration date is also checked before this too, not just the flag.

> Archiva allows deployment by user with expired password
> -------------------------------------------------------
>
>                 Key: MRM-1047
>                 URL: http://jira.codehaus.org/browse/MRM-1047
>             Project: Archiva
>          Issue Type: Bug
>          Components: Users/Security
>    Affects Versions: 1.1.3
>            Reporter: Wendy Smoak
>            Priority: Minor
>             Fix For: 1.2-M2
>
>
> If a user has the repo manager role, he can still deploy artifacts even if his password is expired and/or flagged as must be changed.
> An expired password is no longer valid, and Archiva should prevent access to the repository until it is changed.

[jira] Updated: (MRM-1047) Archiva allows deployment by user with expired password

Posted by "Brett Porter (JIRA)" <ji...@codehaus.org>.
     [ http://jira.codehaus.org/browse/MRM-1047?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Brett Porter updated MRM-1047:
------------------------------

    Fix Version/s:     (was: 1.2)
                   1.2-M2

> Archiva allows deployment by user with expired password
> -------------------------------------------------------
>
>                 Key: MRM-1047
>                 URL: http://jira.codehaus.org/browse/MRM-1047
>             Project: Archiva
>          Issue Type: Bug
>          Components: Users/Security
>    Affects Versions: 1.1.3
>            Reporter: Wendy Smoak
>            Priority: Minor
>             Fix For: 1.2-M2
>
>
> If a user has the repo manager role, he can still deploy artifacts even if his password is expired and/or flagged as must be changed.
> An expired password is no longer valid, and Archiva should prevent access to the repository until it is changed.

[jira] Closed: (MRM-1047) Archiva allows deployment by user with expired password

Posted by "Brett Porter (JIRA)" <ji...@codehaus.org>.
     [ http://jira.codehaus.org/browse/MRM-1047?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Brett Porter closed MRM-1047.
-----------------------------

    Resolution: Fixed

Already taken care of by Redback changes to throw an exception if the password must be changed on authz. The other instances in my comment do not need to do the secondary check, as you must already be logged in to the interface for them to succeed.

> Archiva allows deployment by user with expired password
> -------------------------------------------------------
>
>                 Key: MRM-1047
>                 URL: http://jira.codehaus.org/browse/MRM-1047
>             Project: Archiva
>          Issue Type: Bug
>          Components: Users/Security
>    Affects Versions: 1.1.3
>            Reporter: Wendy Smoak
>            Assignee: Brett Porter
>            Priority: Minor
>             Fix For: 1.2-M2
>
>
> If a user has the repo manager role, he can still deploy artifacts even if his password is expired and/or flagged as must be changed.
> An expired password is no longer valid, and Archiva should prevent access to the repository until it is changed.

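
The check the fix needs, as an added model that is not Archiva or Redback code: the User and PasswordPolicy classes, their field names and the function names below are assumptions chosen to mirror the 'Force User to Change Password' flag and the security.policy.password.expiration settings named in this issue, and the dates come from the reproduction comment. It makes the point of the two comments above concrete: a deploy-time authorization has to refuse a locked account, an account flagged for a forced password change, and a password older than the configured expiry, where the 1.1.3 deploy path only tested isLocked.

```python
"""Deploy-time account-state check modelled on MRM-1047 (added example, not Archiva code).

All class, field and function names are assumptions for illustration; the
settings they mirror (security.policy.password.expiration.enabled / .days and
the 'Force User to Change Password' flag) are the ones named in the issue.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class User:
    """Subset of a user record relevant to this bug (assumed field names)."""
    username: str
    locked: bool
    password_change_required: bool      # the 'Force User to Change Password' checkbox
    last_password_change: datetime      # LAST_PASSWORD_CHANGE in the reproduction steps


@dataclass(frozen=True)
class PasswordPolicy:
    """Mirrors security.policy.password.expiration.enabled / .days."""
    expiration_enabled: bool
    expiration_days: int


def password_expired(user: User, policy: PasswordPolicy, now: datetime) -> bool:
    """Date-based expiry: the must-change flag alone is not enough, the age counts too."""
    if not policy.expiration_enabled:
        return False
    return now - user.last_password_change > timedelta(days=policy.expiration_days)


def deny_reason(user: User, policy: PasswordPolicy, now: datetime) -> Optional[str]:
    """Why the account may not be used right now, or None if it is usable.

    Archiva 1.1.3 only tested the first condition (isLocked) on the deploy path;
    the other two are what the report asks for.
    """
    if user.locked:
        return "account locked"
    if user.password_change_required:
        return "password change required"
    if password_expired(user, policy, now):
        return "password expired"
    return None


def is_authorized_to_upload(user: User, policy: PasswordPolicy, now: datetime,
                            has_manager_role: bool) -> bool:
    """Deploy-time decision: account state first, role second.

    A valid role must not rescue an invalid credential, so the state check is
    evaluated regardless of the role and a failure is a plain refusal.
    """
    if deny_reason(user, policy, now) is not None:
        return False
    return has_manager_role


def mrm1047_cases() -> Tuple[datetime, Dict[str, Tuple[User, PasswordPolicy]]]:
    """Constructed accounts that replay the reproduction steps.

    The password was last changed on 2008-06-01 and the check runs on
    2008-12-18, about 200 days later, against a 90-day policy.
    """
    now = datetime(2008, 12, 18)
    stale = datetime(2008, 6, 1, 12, 0, 0)
    strict = PasswordPolicy(expiration_enabled=True, expiration_days=90)
    off = PasswordPolicy(expiration_enabled=False, expiration_days=90)
    return now, {
        # freshly created user, 'Force User to Change Password' still checked
        "flag set": (User("testuser", False, True, now), strict),
        # same user after the admin cleared the box
        "flag cleared": (User("testuser", False, False, now), strict),
        # LAST_PASSWORD_CHANGE rewound with ij to simulate expiry
        "expired": (User("testuser", False, False, stale), strict),
        # the same stale date is harmless when expiry is switched off
        "expiry disabled": (User("testuser", False, False, stale), off),
        "locked": (User("testuser", True, False, now), strict),
    }


def mrm1047_scenarios() -> Dict[str, Tuple[Optional[str], bool]]:
    """For each case: (deny reason or None, would a repo manager be allowed to deploy)."""
    now, cases = mrm1047_cases()
    return {
        name: (deny_reason(u, p, now), is_authorized_to_upload(u, p, now, True))
        for name, (u, p) in cases.items()
    }


if __name__ == "__main__":
    for name, (reason, allowed) in mrm1047_scenarios().items():
        verdict = "deploy allowed" if allowed else "deny: " + str(reason)
        print(f"{name:16s} -> {verdict}")
```

Run as a script it prints the decision for each scenario; the "expired" case is the one the ij update in the reproduction steps produces, and the "flag set" case is the state of a newly created user. Only "flag cleared" lets a repo manager deploy.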
[jira] Updated: (MRM-1047) Archiva allows deployment by user with expired password

Posted by "Brett Porter (JIRA)" <ji...@codehaus.org>.
     [ http://jira.codehaus.org/browse/MRM-1047?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Brett Porter updated MRM-1047:
------------------------------

    Fix Version/s: 1.2

> Archiva allows deployment by user with expired password
> -------------------------------------------------------
>
>                 Key: MRM-1047
>                 URL: http://jira.codehaus.org/browse/MRM-1047
>             Project: Archiva
>          Issue Type: Bug
>          Components: Users/Security
>    Affects Versions: 1.1.3
>            Reporter: Wendy Smoak
>            Priority: Minor
>             Fix For: 1.2
>
>
> If a user has the repo manager role, he can still deploy artifacts even if his password is expired and/or flagged as must be changed.
> An expired password is no longer valid, and Archiva should prevent access to the repository until it is changed.

[jira] Commented: (MRM-1047) Archiva allows deployment by user with expired password

Posted by "Wendy Smoak (JIRA)" <ji...@codehaus.org>.
    [ http://jira.codehaus.org/browse/MRM-1047?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=158384#action_158384 ] 

Wendy Smoak commented on MRM-1047:
----------------------------------

To reproduce:

Install Archiva 1.1.3
Add testuser and give it the manager role for the snapshots repo
At this point the 'Force User to Change Password' box is checked.

Attempt to log in as testuser with a browser, confirm that you are
redirected to the change password screen.
Click logout - do not change the password.

Configure settings.xml and pom.xml to deploy to Archiva as testuser

 settings.xml:
   <server>
     <username>testuser</username>
     <password>abc1234</password>
     <id>snapshots</id>
   </server>

 pom.xml:
 <distributionManagement>
   <repository>
     <id>snapshots</id>
     <url>dav:http://localhost:8080/archiva/repository/snapshots</url>
   </repository>
 </distributionManagement>

Try "mvn deploy" -- it should fail, but it doesn't.

Edit the user and un-check the 'Force User to change password' checkbox.
Confirm that you can log in normally as testuser.
Try "mvn deploy" again - now it works.

Simulate an expired password:

Stop Archiva

Add conf/security.properties with:
security.policy.password.expiration.enabled=true
security.policy.password.expiration.days=90

> set DERBY_INSTALL=/path/to/db-derby-10.1.3.1-bin
> set PATH=%PATH%;%DERBY_INSTALL%/frameworks/embedded/bin
> ij

ij> connect 'jdbc:derby:/path/to/apache-archiva-1.1.3/data/databases/users;user=sa'
ij> update JDOUSER set LAST_PASSWORD_CHANGE = '2008-06-01 12:00:00'
where USERNAME = 'testuser';

Start Archiva

Edit the user and confirm that the Last Password Change is ~200 days ago.

Attempt to log in as testuser with a browser, confirm that you are
redirected to the change password screen.
Click logout - do not change the password.

Try "mvn deploy" - it should fail, but it doesn't.


> Archiva allows deployment by user with expired password
> -------------------------------------------------------
>
>                 Key: MRM-1047
>                 URL: http://jira.codehaus.org/browse/MRM-1047
>             Project: Archiva
>          Issue Type: Bug
>          Components: Users/Security
>    Affects Versions: 1.1.3
>            Reporter: Wendy Smoak
>            Priority: Minor
>
> If a user has the repo manager role, he can still deploy artifacts even if his password is expired and/or flagged as must be changed.
> An expired password is no longer valid, and Archiva should prevent access to the repository until it is changed.

[jira] Updated: (MRM-1047) Archiva allows deployment by user with expired password

Posted by "Maria Odea Ching (JIRA)" <ji...@codehaus.org>.
     [ http://jira.codehaus.org/browse/MRM-1047?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Maria Odea Ching updated MRM-1047:
----------------------------------

    Fix Version/s:     (was: 1.2-M2)
                   1.2

> Archiva allows deployment by user with expired password
> -------------------------------------------------------
>
>                 Key: MRM-1047
>                 URL: http://jira.codehaus.org/browse/MRM-1047
>             Project: Archiva
>          Issue Type: Bug
>          Components: Users/Security
>    Affects Versions: 1.1.3
>            Reporter: Wendy Smoak
>            Assignee: Brett Porter
>            Priority: Minor
>             Fix For: 1.2
>
>
> If a user has the repo manager role, he can still deploy artifacts even if his password is expired and/or flagged as must be changed.
> An expired password is no longer valid, and Archiva should prevent access to the repository until it is changed.
