Hi Olivier,
it seems security.properties is ignored (at least when the configuration
is read by the interceptor). I thought the files are read in the order
defined in applicationContext.xml, but that seems not to be the case.
So for the first start, could you please put it in archiva.xml:
<redbackRuntimeConfiguration>
  ...
  <configurationProperties>
    ...
    <rest>
      <csrffilter>
        <enabled>true</enabled>
        <disableTokenValidation>false</disableTokenValidation>
        <absentorigin>
          <deny>true</deny>
        </absentorigin>
      </csrffilter>
      <baseUrl>http://archiva-repository.apache.org</baseUrl>
      <baseUrl>http://localhost:9191</baseUrl>
      <baseUrl>https://archiva-repository.apache.org</baseUrl>
    </rest>
    ...
  </configurationProperties>
  ...
</redbackRuntimeConfiguration>
And could you please set the log level for the interceptor to trace:
<logger name="org.apache.archiva.redback.rest.services.interceptors.RequestValidationInterceptor" level="trace" />
And for the dynamic case (ignored configuration), the retrieval of the target
URL seems not to work as expected. It would be helpful if you could extract/log
the HTTP headers that are sent with the request.
I'm not sure if Jetty in this version can log HTTP headers. Another
possibility would be tcpdump on the server.
Thanks for your help.
Martin
On Monday, 8 May 2017, 21:16:51 CEST, Olivier Lamy wrote:
> I have a security.properties file in
> ${appserver.base}/conf with this but it doesn't work.
>
> rest.baseUrl=http://archiva-repository.apache.org,http://localhost:9191,
> https://archiva-repository.apache.org
>
> rest.csrffilter.enabled=false
>
>
> But still getting
>
> 2017-05-08 10:59:15,090 [qtp1614464539-68] WARN
> org.apache.archiva.redback.rest.services.interceptors.RequestValidationInterceptor [] - HTTP Header check failed. Assuming CSRF attack.
>
> 2017-05-08 10:59:15,090 [qtp1614464539-68] WARN
> org.apache.archiva.redback.rest.services.interceptors.RequestValidationInterceptor [] - Referer Header does not match: refererUrl=
> https://archiva-repository.apache.org/archiva/index.html?request_lang=en,
> targetUrl=
> http://localhost:9191/restServices/archivaServices/commonServices/getAllI18nResources. Matches: Host=false, Port=false
>
> 2017-05-08 10:59:15,091 [qtp1614464539-68] WARN
> org.apache.archiva.redback.rest.services.interceptors.RequestValidationInterceptor [] - Referer Header does not match: refererUrl=
> https://archiva-repository.apache.org/archiva/index.html?request_lang=en,
> targetUrl=http://archiva-repository.apache.org,
> archiva-repository.apache.org. Matches: Host=false, Port=false
>
> On 8 May 2017 at 21:09, Olivier Lamy <[email protected]> wrote:
> > uhm I talked too fast :-(
> > Let me check more seriously
> >
> > On 8 May 2017 at 20:57, Olivier Lamy <[email protected]> wrote:
> >> Hi
> >> I forgot to say, but all good here
> >> Thanks!!
> >> Olivier
> >>
> >> On 28 April 2017 at 22:26, Olivier Lamy <[email protected]> wrote:
> >>> Hi
> >>> I stopped Archiva.
> >>> It's now restarted; builds will be deployed.
> >>> I will try to test during the weekend.
> >>> Thanks!
> >>> Olivier
> >>>
> >>> On 28 April 2017 at 15:34, Martin Stockhammer <[email protected]> wrote:
> >>>> Hi Olivier,
> >>>>
> >>>> I think I have fixed the configuration issue and modified the header
> >>>> checks. You should be able to add a comma-separated list for the
> >>>> rest.baseUrl param.
> >>>> Could you please check with the latest source? The Jenkins builds
> >>>> currently fail, because there seems to be something wrong with the
> >>>> repository server or the latest snapshot builds that were uploaded.
> >>>> I'm not sure if this is related to your changes on the repository
> >>>> server or another issue.
> >>>>
> >>>> Cheers
> >>>>
> >>>> Martin
> >>>>
> >>>>
> >>>>
> >>>> --
> >>>> This message was sent from my Android device with K-9 Mail.
> >>>
> >>> --
> >>> Olivier Lamy
> >>> http://twitter.com/olamy | http://linkedin.com/in/olamy
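As an added illustration of what the interceptor's checks discussed in this thread have to do (this is not Redback's or Archiva's own code): a Python sketch that parses a comma-separated rest.baseUrl list like the one in Olivier's security.properties, validates a request's Origin/Referer against it with an absentorigin "deny" switch, and reproduces the Host/Port comparison that the quoted log lines report when the check is done against the URL the server itself observed (localhost:9191 behind the proxy). The function names, the comparison rule (host and port only, with default ports derived from the scheme) and the sample header values are my assumptions, not the project's.

```python
from urllib.parse import urlsplit

# Constructed sample: the three base URLs from the thread's rest.baseUrl value.
SAMPLE_BASE_URLS = (
    "http://archiva-repository.apache.org,"
    "http://localhost:9191,"
    "https://archiva-repository.apache.org"
)

# Constructed sample: the Referer and target URL from the quoted log lines.
SAMPLE_REFERER = "https://archiva-repository.apache.org/archiva/index.html?request_lang=en"
SAMPLE_TARGET = "http://localhost:9191/restServices/archivaServices/commonServices/getAllI18nResources"

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url):
    """Reduce a URL to (scheme, host, port); a missing port falls back to the
    scheme's default so 'https://host' and 'https://host:443' compare equal."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(parts.scheme)
    return parts.scheme, host, port


def parse_base_urls(value):
    """Split a comma-separated base URL list (rest.baseUrl style) into
    (scheme, host, port) tuples; entries without scheme or host are rejected."""
    origins = []
    for raw in value.split(","):
        raw = raw.strip()
        if not raw:
            continue
        scheme, host, port = origin_of(raw)
        if not scheme or not host:
            raise ValueError(f"base URL needs scheme and host: {raw!r}")
        origins.append((scheme, host, port))
    return origins


def check_request(headers, allowed, deny_absent_origin=True):
    """Decide whether a state-changing request is accepted.

    Origin is consulted first, Referer as fallback (assumption). The source is
    accepted if its host and port equal those of any configured base URL.
    With neither header present, deny_absent_origin (the absentorigin/deny
    switch from the archiva.xml snippet) decides.
    Returns (accepted, reason)."""
    source = headers.get("Origin") or headers.get("Referer")
    if source is None:
        if deny_absent_origin:
            return False, "no Origin/Referer header; denied by absentorigin.deny=true"
        return True, "no Origin/Referer header; allowed by absentorigin.deny=false"
    _, host, port = origin_of(source)
    for a_scheme, a_host, a_port in allowed:
        if host == a_host and port == a_port:
            return True, f"matched base URL {a_scheme}://{a_host}:{a_port}"
    return False, f"source {host}:{port} matches no configured base URL"


def compare_against_target(referer, target_url):
    """Reproduce the Host/Port comparison from the log lines: Referer versus
    the URL the server saw for the request. Behind a reverse proxy the server
    sees localhost:9191 while browsers send the public host, so both fail."""
    _, r_host, r_port = origin_of(referer)
    _, t_host, t_port = origin_of(target_url)
    return r_host == t_host, r_port == t_port


if __name__ == "__main__":
    allowed = parse_base_urls(SAMPLE_BASE_URLS)
    print("configured origins:", allowed)
    print("list check:", check_request({"Referer": SAMPLE_REFERER}, allowed))
    print("absent origin, deny:", check_request({}, allowed))
    host_ok, port_ok = compare_against_target(SAMPLE_REFERER, SAMPLE_TARGET)
    print(f"target check as in the log: Host={str(host_ok).lower()}, Port={str(port_ok).lower()}")
```

Run stand-alone it shows the two outcomes side by side: the same Referer that fails against the proxied target URL (Host=false, Port=false, exactly what the log reports) passes once the public https base URL is in the configured list, which is why the list-based configuration is the one being asked for here.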