You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@archiva.apache.org by "Olivier Lamy (JIRA)" <ji...@codehaus.org> on 2014/03/02 23:56:00 UTC
[jira] (MRM-897) confusing handling of browser-based webdav access
for security
[ https://jira.codehaus.org/browse/MRM-897?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=342294#comment-342294 ]
Olivier Lamy commented on MRM-897:
----------------------------------
should be fixed
> confusing handling of browser-based webdav access for security
> --------------------------------------------------------------
>
> Key: MRM-897
> URL: https://jira.codehaus.org/browse/MRM-897
> Project: Archiva
> Issue Type: Bug
> Affects Versions: 1.1
> Reporter: Brett Porter
> Priority: Minor
> Labels: TOCHECK
> Fix For: 2.0.2
>
>
> steps to reproduce:
> - access a repository that has read restriction, log in via the HTTP challenge response and successfully access it
> - restart server
> - access an artifact URL (do not browse the repository) from the same browser session.
> The logs show:
> {code}
> 2008-07-30 15:51:41,083 [btpool0-9] INFO org.apache.maven.archiva.security.ArchivaServletAuthenticator - Authorization Denied [ip=0:0:0:0:0:0:0:1%0,
> isWriteRequest=false,permission=archiva-read-repository,repo=testing] : no matching permissions
> {code}
> This is a result of the first request coming through such that a null result is passed to isAuthenticated. The code for that is:
> {code}
> if ( result != null && !result.isAuthenticated() )
> {
> throw new AuthenticationException( "User Credentials Invalid" );
> }
> return true;
> {code}
> As you can see, a null result is treated as being "authenticated", though there is really no information as to whether that is the case.
> The request later works, so I don't know if this is a bug or not, or just poor logging.
--
This message was sent by Atlassian JIRA
(v6.1.6#6162)