Hi Martin,

Works fine now with archiva.xml (little issue when not logged; I pushed a fix in master and will deploy on https://archiva-repository.apache.org/archiva tomorrow).
Yes I agree all this configuration model must be cleaned (some legacy....)

On 9 May 2017 at 05:31, Martin <[email protected]> wrote:

> After reconsidering the configuration process I think security.properties
> cannot really work (as I think it should have worked).
> When the redback runtime configuration properties are changed (e.g. via the
> WebUI), the whole property set (inclusive defaults) is written to
> archiva.xml. And these values always overwrite the values of
> security.properties.
> So security.properties is included because of historic reasons, to allow
> better migration of existing configurations. But after the properties are
> written to archiva.xml, the values in security.properties are not relevant
> anymore.
>
> Greetings
>
> Martin
>
>
> On Monday, 8 May 2017, 21:04:13 CEST, Martin wrote:
> > Hi Olivier,
> >
> > it seems the security.properties is ignored (at least when the configuration
> > is read by the interceptor). I thought the files are read in the order as
> > defined in applicationContext.xml but that seems not to be the case.
> >
> > So for the first start, could you please put it in archiva.xml:
> > <redbackRuntimeConfiguration>
> >   ...
> >   <configurationProperties>
> >     ...
> >     <rest>
> >       <csrffilter>
> >         <enabled>true</enabled>
> >         <disableTokenValidation>false</disableTokenValidation>
> >         <absentorigin>
> >           <deny>true</deny>
> >         </absentorigin>
> >       </csrffilter>
> >       <baseUrl>http://archiva-repository.apache.org</baseUrl>
> >       <baseUrl>http://localhost:9191</baseUrl>
> >       <baseUrl>https://archiva-repository.apache.org</baseUrl>
> >     </rest>
> >     ...
> >   </configurationProperties>
> >   ...
> > </redbackRuntimeConfiguration>
> >
> > And could you please set the log level for the interceptor to trace:
> >
> > <logger name="org.apache.archiva.redback.rest.services.interceptors.RequestValidationInterceptor" level="trace" />
> >
> >
> > And for the dynamic case (ignored configuration) the retrieval of the target
> > URL seems not to work as expected. It would be helpful, if you could
> > extract/log the HTTP headers that are sent with the request.
> > I'm not sure, if jetty in this version can log HTTP headers. Another
> > possibility would be tcpdump on the server.
> >
> > Thanks for your help.
> >
> >
> > Martin
> >
> > On Monday, 8 May 2017, 21:16:51 CEST, Olivier Lamy wrote:
> > > I have a security.properties file in
> > > ${appserver.base}/conf with this but doesn't work.
> > >
> > > rest.baseUrl=http://archiva-repository.apache.org,http://localhost:9191,https://archiva-repository.apache.org
> > >
> > > rest.csrffilter.enabled=false
> > >
> > >
> > > But still getting
> > >
> > > 2017-05-08 10:59:15,090 [qtp1614464539-68] WARN org.apache.archiva.redback.rest.services.interceptors.RequestValidationInterceptor [] - HTTP Header check failed. Assuming CSRF attack.
> > >
> > > 2017-05-08 10:59:15,090 [qtp1614464539-68] WARN org.apache.archiva.redback.rest.services.interceptors.RequestValidationInterceptor [] - Referer Header does not match: refererUrl=https://archiva-repository.apache.org/archiva/index.html?request_lang=en, targetUrl=http://localhost:9191/restServices/archivaServices/commonServices/getAllI18nResources. Matches: Host=false, Port=false
> > >
> > > 2017-05-08 10:59:15,091 [qtp1614464539-68] WARN org.apache.archiva.redback.rest.services.interceptors.RequestValidationInterceptor [] - Referer Header does not match: refererUrl=https://archiva-repository.apache.org/archiva/index.html?request_lang=en, targetUrl=http://archiva-repository.apache.org, archiva-repository.apache.org. Matches: Host=false, Port=false
> > >
> > > On 8 May 2017 at 21:09, Olivier Lamy <[email protected]> wrote:
> > > > uhm I talked too fast :-(
> > > > Let me check more seriously
> > > >
> > > > On 8 May 2017 at 20:57, Olivier Lamy <[email protected]> wrote:
> > > >> Hi
> > > >> I missed to say but all good here
> > > >> Thanks!!
> > > >> Olivier
> > > >>
> > > >> On 28 April 2017 at 22:26, Olivier Lamy <[email protected]> wrote:
> > > >>> Hi
> > > >>> I stopped Archiva.
> > > >>> It's now restarted builds will be deployed.
> > > >>> I will try to test during the weekend.
> > > >>> Thanks!
> > > >>> Olivier
> > > >>>
> > > >>> On 28 April 2017 at 15:34, Martin Stockhammer <[email protected]> wrote:
> > > >>>> Hi Olivier,
> > > >>>>
> > > >>>> I think I have fixed the configuration issue. And modified the header
> > > >>>> checks. You should be able to add a comma separated list for the
> > > >>>> rest.baseUrl param.
> > > >>>> Could you please check with the latest source. The Jenkins builds
> > > >>>> currently fail, because there seems something wrong with the repository
> > > >>>> server or the latest snapshot builds that were uploaded. I'm not sure if
> > > >>>> this is related to your changes on the repository server or another
> > > >>>> issue.
> > > >>>>
> > > >>>> Cheers
> > > >>>>
> > > >>>> Martin
> > > >>>>
> > > >>>>
> > > >>>>
> > > >>>> --
> > > >>>> This message was sent from my Android device with K-9 Mail.
> > > >>>
> > > >>> --
> > > >>> Olivier Lamy
> > > >>> http://twitter.com/olamy | http://linkedin.com/in/olamy
> > > >>
> > > >> --
> > > >> Olivier Lamy
> > > >> http://twitter.com/olamy | http://linkedin.com/in/olamy
> > > >
> > > > --
> > > > Olivier Lamy
> > > > http://twitter.com/olamy | http://linkedin.com/in/olamy
> >
>

--
Olivier Lamy
http://twitter.com/olamy | http://linkedin.com/in/olamy
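
An added example, not part of the thread and not Redback's code: a Referer/Origin check against a comma-separated rest.baseUrl list that reports per-entry Host/Port matches in the style of the log lines quoted above. Comparing on host and port with scheme default ports (80/443) is an assumption of this sketch, as are the function names; the URLs are the ones from the thread.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def origin_of(url):
    """(host, port) of an absolute http(s) URL, default port filled in; None if unusable."""
    try:
        parts = urlsplit(url.strip())
        port = parts.port
    except ValueError:  # malformed port or bracketed host
        return None
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    if port is None:
        port = DEFAULT_PORTS[parts.scheme]
    return parts.hostname.lower(), port

def parse_base_urls(value):
    """Split a comma-separated rest.baseUrl value; entries that do not parse are dropped."""
    origins = (origin_of(item) for item in value.split(",") if item.strip())
    return [o for o in origins if o is not None]

def check_request(headers, base_urls, deny_absent=True):
    """Return (allowed, details); details holds (base, host_match, port_match) per entry."""
    lowered = {k.lower(): v for k, v in headers.items()}
    source = lowered.get("origin") or lowered.get("referer")
    if not source:
        # Mirrors the absentorigin/deny switch: no header means deny by default.
        return (not deny_absent), []
    src = origin_of(source)
    if src is None:  # e.g. "Origin: null"
        return False, []
    details = [(base, src[0] == base[0], src[1] == base[1]) for base in base_urls]
    return any(h and p for _, h, p in details), details

# URLs taken from the thread; the header dict itself is constructed sample input.
BASE_URLS = ("http://archiva-repository.apache.org,http://localhost:9191,"
             "https://archiva-repository.apache.org")
REFERER = {"Referer": "https://archiva-repository.apache.org/archiva/index.html?request_lang=en"}

if __name__ == "__main__":
    for cfg in (BASE_URLS, "http://archiva-repository.apache.org"):
        allowed, details = check_request(REFERER, parse_base_urls(cfg))
        print(cfg, "->", "allow" if allowed else "deny")
        for (host, port), h, p in details:
            print(f"  {host}:{port} Matches: Host={h}, Port={p}")
```

With only the http:// entry configured, the https Referer matches on host but not on port (443 vs 80) and is denied, so under this sketch's assumptions a site reachable over both schemes needs both entries in the list.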
