Archiva

Archiva checks user's credentials before guest's rights on the repository

Details

  • Type: Bug Bug
  • Status: Closed Closed
  • Priority: Major Major
  • Resolution: Fixed
  • Affects Version/s: 1.1.1
  • Fix Version/s: 1.1.2
  • Component/s: Users/Security
  • Labels:
    None
  • Environment:
    Apache 2.2, Tomcat 5.5.26, Archiva 1.1.1, JDK 1.6
  • Number of attachments :
    0

Description

In a corporate environment we installed archiva on tomcat & mysql.
A reverse proxy (Apache) is used to protect our intranet applications. (I tried to use mod_proxy and mod_jk to connect apache & tomcat and the behavior is the same.)
To access to our intranet thought the reverse proxy I have to give my credentials (the RP is using a ldap directory and accessed only in HTTPS).
When I access to the archiva UI, everything is fine. After giving my credentials, I can logon or logout with accounts created in archiva (admin for example).
I configured the guest to be a global Repository Manager & Observer on all our repositories (we don't need to readd a security level in archiva. It's already done by apache).
When I access to a repository (to browse it for example) I receive an authentication dialog box (basic authent) like :
{{A user name and password are being requested by https://xxx.yyy.com. The site says: "Repository Archiva Managed 3rd-parties Repository"}}
It shouldn't be because guest can browse and write on repositories.

What I suppose is that archiva is retreiving my credentials from apache and tries to logon me, which is failing (i don't have this account in archiva). After having fail it proposes to me to reenter new credentials.
I tried to create a user in archiva as the one I have to logon in apache and it works.
I think archiva should check guest rights before to try to logon the user.

Activity

Ascending order - Click to sort in descending order
Hide
Permalink
Arnaud Heritier added a comment -

A workaround is to say to apache (>2.0) to not forward credentials :

<Location /archiva/repository/>
    RequestHeader unset authorization
  </Location>
Show
Arnaud Heritier added a comment - A workaround is to say to apache (>2.0) to not forward credentials : 
<Location /archiva/repository/>
    RequestHeader unset authorization
  </Location>
Hide
Permalink
Maria Odea Ching added a comment -

I'm now able to replicate this problem, it has the same behaviour too even with just basic authentication configured for the RP. I think you're right about archiva retrieving the credentials from apache first and then fails..

Show
Maria Odea Ching added a comment - I'm now able to replicate this problem, it has the same behaviour too even with just basic authentication configured for the RP. I think you're right about archiva retrieving the credentials from apache first and then fails..
Hide
Permalink
Maria Odea Ching added a comment -

Fixed in trunk -r693694:

  • check first if guest is enabled for the repository before failing the authentication

For repositories which require authentication though, Archiva is still getting the RP credentials instead of the Archiva credentials you entered. I'll file this one as a separate issue..

Show
Maria Odea Ching added a comment - Fixed in trunk -r693694:
  • check first if guest is enabled for the repository before failing the authentication
For repositories which require authentication though, Archiva is still getting the RP credentials instead of the Archiva credentials you entered. I'll file this one as a separate issue..

People

Vote (0)
Watch (0)

Dates

  • Created:
    Updated:
    Resolved:
Atlassian JIRA (v4.4.3#663-r165197) | Report a problem
Powered by a free Atlassian JIRA open source license for Codehaus. Try JIRA - bug tracking software for your team.