Uploaded image for project: 'Archiva'
  1. Archiva
  2. MRM-897

confusing handling of browser-based webdav access for security

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Closed
    • Minor
    • Resolution: Cannot Reproduce
    • 1.1
    • None
    • None

    Description

      steps to reproduce:

      • access a repository that has read restriction, log in via the HTTP challenge response and successfully access it
      • restart server
      • access an artifact URL (do not browse the repository) from the same browser session.

      The logs show:

      2008-07-30 15:51:41,083 [btpool0-9] INFO  org.apache.maven.archiva.security.ArchivaServletAuthenticator  - Authorization Denied [ip=0:0:0:0:0:0:0:1%0,
      isWriteRequest=false,permission=archiva-read-repository,repo=testing] : no matching permissions
      

      This is a result of the first request coming through such that a null result is passed to isAuthenticated. The code for that is:

      if ( result != null && !result.isAuthenticated() )
      {
          throw new AuthenticationException( "User Credentials Invalid" );
      }
      
      return true;
      

      As you can see, a null result is treated as being "authenticated", though there is really no information as to whether that is the case.

      The request later works, so I don't know if this is a bug or not, or just poor logging.

      Attachments

        Issue Links

          Activity

            People

              olamy Olivier Lamy
              brettporter Brett Porter
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: