Posted to issues@archiva.apache.org by "Arnaud Heritier (JIRA)" <ji...@codehaus.org> on 2008/08/14 09:09:26 UTC

[jira] Created: (MRM-911) Archiva checks user's credentials before guest's rights on the repository

Archiva checks user's credentials before guest's rights on the repository
-------------------------------------------------------------------------

                 Key: MRM-911
                 URL: http://jira.codehaus.org/browse/MRM-911
             Project: Archiva
          Issue Type: Bug
          Components: Users/Security
    Affects Versions: 1.1.1
         Environment: Apache 2.2, Tomcat 5.5.26, Archiva 1.1.1, JDK 1.6
            Reporter: Arnaud Heritier


In a corporate environment we installed Archiva on Tomcat & MySQL.
A reverse proxy (Apache) is used to protect our intranet applications. (I tried to use mod_proxy and mod_jk to connect Apache & Tomcat and the behavior is the same.)
To access our intranet through the reverse proxy I have to give my credentials (the RP is using an LDAP directory and is accessed only over HTTPS).
When I access the Archiva UI, everything is fine. After giving my credentials, I can log on or log out with accounts created in Archiva (admin for example).
I configured the guest to be a global Repository Manager & Observer on all our repositories (we don't need to re-add a security level in Archiva. It's already done by Apache).
When I access a repository (to browse it for example) I receive an authentication dialog box (basic authentication) like:
{{A user name and password are being requested by https://xxx.yyy.com. The site says: "Repository Archiva Managed 3rd-parties Repository"}}
It shouldn't happen because guest can browse and write on repositories.

What I suppose is that Archiva is retrieving my credentials from Apache and tries to log me on, which fails (I don't have this account in Archiva). After failing, it prompts me to enter new credentials.
I tried to create a user in Archiva matching the one I use to log on to Apache and it works.
I think Archiva should check guest rights before trying to log the user on.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://jira.codehaus.org/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

        

[jira] Commented: (MRM-911) Archiva checks user's credentials before guest's rights on the repository

Posted by "Arnaud Heritier (JIRA)" <ji...@codehaus.org>.
    [ http://jira.codehaus.org/browse/MRM-911?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=145051#action_145051 ] 

Arnaud Heritier commented on MRM-911:
-------------------------------------

A workaround is to tell Apache (>2.0) not to forward credentials:
{code:xml}
  <Location /archiva/repository/>
    RequestHeader unset authorization
  </Location>
{code}


        

[jira] Commented: (MRM-911) Archiva checks user's credentials before guest's rights on the repository

Posted by "Maria Odea Ching (JIRA)" <ji...@codehaus.org>.
    [ http://jira.codehaus.org/browse/MRM-911?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=147387#action_147387 ] 

Maria Odea Ching commented on MRM-911:
--------------------------------------

I'm now able to replicate this problem; it has the same behaviour even with just basic authentication configured for the RP. I think you're right about Archiva retrieving the credentials from Apache first and then failing.


        

[jira] Assigned: (MRM-911) Archiva checks user's credentials before guest's rights on the repository

Posted by "Maria Odea Ching (JIRA)" <ji...@codehaus.org>.
     [ http://jira.codehaus.org/browse/MRM-911?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Maria Odea Ching reassigned MRM-911:
------------------------------------

    Assignee: Maria Odea Ching


        

[jira] Updated: (MRM-911) Archiva checks user's credentials before guest's rights on the repository

Posted by "Brett Porter (JIRA)" <ji...@codehaus.org>.
     [ http://jira.codehaus.org/browse/MRM-911?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Brett Porter updated MRM-911:
-----------------------------

    Fix Version/s: 1.1.2


        

[jira] Closed: (MRM-911) Archiva checks user's credentials before guest's rights on the repository

Posted by "Maria Odea Ching (JIRA)" <ji...@codehaus.org>.
     [ http://jira.codehaus.org/browse/MRM-911?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Maria Odea Ching closed MRM-911.
--------------------------------

    Resolution: Fixed

Fixed in trunk -r693694:
- check first if guest is enabled for the repository before failing the authentication

For repositories which require authentication though, Archiva is still getting the RP credentials instead of the Archiva credentials you entered. I'll file this one as a separate issue.

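A model of the check order discussed in this issue, added here as an illustration and not Archiva's own code: the class, method names, sample accounts and repository ids are hypothetical. It compares the reported behaviour with the order described in the fix when the reverse proxy forwards an Authorization header for an account the application does not know.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Map;
import java.util.Set;

public class GuestFallbackDemo {
    // Constructed sample data, not Archiva's real user store or repository ids.
    static final Map<String, String> USERS = Map.of("admin", "admin-pw");
    static final Set<String> GUEST_READABLE = Set.of("third-party");

    /** Returns the user named in a Basic Authorization header, or null if it does not verify. */
    static String authenticate(String header) {
        if (header == null || !header.startsWith("Basic ")) return null;
        String decoded;
        try {
            decoded = new String(Base64.getDecoder().decode(header.substring(6).trim()),
                                 StandardCharsets.UTF_8);
        } catch (IllegalArgumentException malformed) {
            return null;
        }
        int colon = decoded.indexOf(':');
        if (colon < 0) return null;
        String expected = USERS.get(decoded.substring(0, colon));
        return decoded.substring(colon + 1).equals(expected) ? decoded.substring(0, colon) : null;
    }

    /** Reported behaviour: once a header is present, a failed login ends in a 401 challenge. */
    static int credentialsFirst(String header, String repo) {
        if (header == null) return GUEST_READABLE.contains(repo) ? 200 : 401;
        return authenticate(header) != null ? 200 : 401;
    }

    /** Order described in the fix: consult guest's rights before failing the authentication. */
    static int guestBeforeFailing(String header, String repo) {
        if (authenticate(header) != null) return 200;      // assumption: any valid user may read
        return GUEST_READABLE.contains(repo) ? 200 : 401;  // served with guest's rights only
    }

    static String basic(String user, String password) {
        byte[] raw = (user + ":" + password).getBytes(StandardCharsets.UTF_8);
        return "Basic " + Base64.getEncoder().encodeToString(raw);
    }

    public static void main(String[] args) {
        String fromProxy = basic("ldap-user", "ldap-pw"); // forwarded by the RP, unknown to the app
        for (String repo : new String[] {"third-party", "internal"}) {
            System.out.printf("%-12s credentials-first=%d guest-before-failing=%d%n", repo,
                    credentialsFirst(fromProxy, repo), guestBeforeFailing(fromProxy, repo));
        }
    }
}
```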