Posted to issues@continuum.apache.org by "David Delbecq (JIRA)" <ji...@codehaus.org> on 2008/04/11 11:10:58 UTC
[jira] Created: (CONTINUUM-1723) wrong password use and caching during add maven2 project
wrong password use and caching during add maven2 project
---------------------------------------------------------
Key: CONTINUUM-1723
URL: http://jira.codehaus.org/browse/CONTINUUM-1723
Project: Continuum
Issue Type: Bug
Components: Integration - Maven 2, Security, Web interface
Affects Versions: 1.1
Environment: linux system, plexus server, (maestro1.5.1 bundle)
Reporter: David Delbecq
Priority: Critical
When adding a maven2 project, if the provided pom.xml url (first field of form) requires user / pass authentication and you type in the wrong password or wrong username, continuum caches it and will always use it for the rest of its life. As a result it's impossible to get the pom.xml, even if you type the correct password in the field.
Steps to reproduce
# go to continuum server
# Type url of a pom.xml that requires server "basic" authentication
# Type in any user/pass for that url that is incorrect (eg: foo:bar)
# Click add
# Page shows the form again, telling "there was a problem getting the pom.xml"
# Type in correct user/password
# Click add
# Page shows up again telling same problem
# logout, login, try again with correct user/password
# Still impossible
# Logout, close your browser, clean your cookies and everything
# Login, try again with correct user/password
# Still impossible
# shutdown continuum server and its JVM, restart it
# Login, try again with correct user/password
# *Success!*
# Try to add a second project, with another url on *same* http server, with incorrect user/pass
# *Success!*
As a conclusion, continuum caches somewhere the first user / pass, even if incorrect, and will reuse it every time you access this server. This is a problem in an environment where multiple teams share a common continuum server, a common svn server (with different access rights at different project nodes) and have rights to add projects. The first team member to add a project will have his user/password rights forced on every other user trying to add a project.
The only solution I found so far is, after adding a project, to shut down the JVM hosting continuum and restart it.
Behind the scenes:
Sniffing of the protocol shows clearly that continuum, when "getting" the pom mentioned in add project, always uses the same basic authentication, whatever the user types in the user/pass boxes. It's always the first attempt that gets used.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://jira.codehaus.org/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
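The wire-level check described under "Behind the scenes" in the report above, as an added example that is not part of the original report or of Continuum: decode the Basic credentials actually sent for each attempt and compare them with what was typed into the form. The attempt records, host names, field names and credentials are constructed assumptions.

```python
import base64


def basic(user, password):
    """Build an Authorization header value (used only to make sample data)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def decode_basic(value):
    """Return (user, password) from a Basic Authorization value, else None."""
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except ValueError:  # covers bad base64 and bad UTF-8
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None


# Constructed sample: what each user typed vs. the header seen on the wire.
ATTEMPTS = [
    {"host": "scm.example.test", "typed": ("foo", "bar"),
     "authorization": basic("foo", "bar")},
    {"host": "scm.example.test", "typed": ("alice", "s3cret"),
     "authorization": basic("foo", "bar")},
    {"host": "scm.example.test", "typed": ("bob", "hunter2"),
     "authorization": basic("foo", "bar")},
    {"host": "other.example.test", "typed": ("carol", "pw"),
     "authorization": basic("carol", "pw")},
]


def find_stale_credentials(attempts):
    """Flag attempts whose outgoing credentials differ from the typed ones."""
    first_sent = {}  # host -> credentials sent on the first attempt
    findings = []
    for number, attempt in enumerate(attempts, start=1):
        sent = decode_basic(attempt["authorization"])
        first = first_sent.setdefault(attempt["host"], sent)
        if sent != attempt["typed"]:
            findings.append({
                "attempt": number,
                "host": attempt["host"],
                "typed_user": attempt["typed"][0],
                "sent_user": sent[0] if sent else None,  # never log passwords
                "reuses_first_attempt": sent == first,
            })
    return findings


if __name__ == "__main__":
    for finding in find_stale_credentials(ATTEMPTS):
        print(finding)
```

A finding with `reuses_first_attempt` set means the server is sending one user's credentials on behalf of another, which is the cross-team exposure the report is concerned with.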
[jira] Commented: (CONTINUUM-1723) wrong password use and caching during add maven2 project
Posted by "Maria Catherine Tan (JIRA)" <ji...@codehaus.org>.
[ http://jira.codehaus.org/browse/CONTINUUM-1723?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=135678#action_135678 ]
Maria Catherine Tan commented on CONTINUUM-1723:
------------------------------------------------
I followed your steps but I couldn't reproduce it using continuum 1.1 and trunk.
[jira] Commented: (CONTINUUM-1723) wrong password use and caching during add maven2 project
Posted by "Maria Catherine Tan (JIRA)" <ji...@codehaus.org>.
[ http://jira.codehaus.org/browse/CONTINUUM-1723?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=135679#action_135679 ]
Maria Catherine Tan commented on CONTINUUM-1723:
------------------------------------------------
I was able to add maven 2 project by typing a correct username/password after entering an incorrect one (with or without using scm credentials cache)
[jira] Updated: (CONTINUUM-1723) wrong password use and caching during add maven2 project
Posted by "Olivier Lamy (JIRA)" <ji...@codehaus.org>.
[ http://jira.codehaus.org/browse/CONTINUUM-1723?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Olivier Lamy updated CONTINUUM-1723:
------------------------------------
Fix Version/s: 1.2
[jira] Commented: (CONTINUUM-1723) wrong password use and caching during add maven2 project
Posted by "David Delbecq (JIRA)" <ji...@codehaus.org>.
[ http://jira.codehaus.org/browse/CONTINUUM-1723?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=130467#action_130467 ]
David Delbecq commented on CONTINUUM-1723:
------------------------------------------
Please note, between point 1 and 2 above, I forgot to mention "click add maven2 project"
[jira] Closed: (CONTINUUM-1723) wrong password use and caching during add maven2 project
Posted by "Olivier Lamy (JIRA)" <ji...@codehaus.org>.
[ http://jira.codehaus.org/browse/CONTINUUM-1723?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Olivier Lamy closed CONTINUUM-1723.
-----------------------------------
Assignee: Olivier Lamy
Resolution: Cannot Reproduce
Fix Version/s: (was: 1.2)
I have done exactly the same steps.
But for me at step 8, it works.
If you have the issue again, please reopen it.