Hi
just deployed a fresh build to our new instance and all good!!!
Feel free to release.
I will work in parallel to upgrade Jetty (but can be in next release)
Thanks for your hard work!!!

On 11 May 2017 at 07:47, Martin <[email protected]> wrote:

> Great to hear!
> I added a fix for the dynamic case with the reverse proxy (the header can
> contain host lists as I have learned now).
>
> Additionally I added an improvement for the repository checks (see
> MRM-1933).
>
> If your deployment works well, I would like to restart the release process
> with the current master branch (archiva 2.2.3, redback 2.6).
>
> Greetings
>
> Martin
>
> On Wednesday, 10 May 2017, 21:37:20 CEST, Olivier Lamy wrote:
> > Hi Martin
> > Works fine now with archiva.xml (little issue when not logged I pushed a
> > fix in master and will deploy on
> > https://archiva-repository.apache.org/archiva tomorrow)
> >
> > Yes I agree all this configuration model must be cleaned (some legacy....)
> >
> > On 9 May 2017 at 05:31, Martin <[email protected]> wrote:
> > > After reconsidering the configuration process I think security.properties
> > > cannot really work (as I think it should have worked).
> > > When the redback runtime configuration properties are changed (e.g. via
> > > the WebUI), the whole property set (inclusive defaults) is written to
> > > archiva.xml. And these values always overwrite the values of
> > > security.properties.
> > > So security.properties is included because of historic reasons, to allow
> > > better migration of existing configurations. But after the properties are
> > > written to archiva.xml, the values in security.properties are not relevant
> > > anymore.
> > >
> > > Greetings
> > >
> > > Martin
> > >
> > > On Monday, 8 May 2017, 21:04:13 CEST, Martin wrote:
> > > > Hi Olivier,
> > > >
> > > > it seems the security.properties is ignored (at least when the
> > > > configuration is read by the interceptor). I thought the files are read
> > > > in the order as defined in applicationContext.xml but that seems not to
> > > > be the case.
> > > >
> > > > So for the first start, could you please put it in archiva.xml:
> > > > <redbackRuntimeConfiguration>
> > > >   ...
> > > >   <configurationProperties>
> > > >     ...
> > > >     <rest>
> > > >       <csrffilter>
> > > >         <enabled>true</enabled>
> > > >         <disableTokenValidation>false</disableTokenValidation>
> > > >         <absentorigin>
> > > >           <deny>true</deny>
> > > >         </absentorigin>
> > > >       </csrffilter>
> > > >       <baseUrl>http://archiva-repository.apache.org</baseUrl>
> > > >       <baseUrl>http://localhost:9191</baseUrl>
> > > >       <baseUrl>https://archiva-repository.apache.org</baseUrl>
> > > >     </rest>
> > > >     ...
> > > >   </configurationProperties>
> > > >   ...
> > > > </redbackRuntimeConfiguration>
> > > >
> > > > And could you please set the log level for the interceptor to trace:
> > > >
> > > > <logger name="org.apache.archiva.redback.rest.services.interceptors.RequestValidationInterceptor" level="trace" />
> > > >
> > > > And for the dynamic case (ignored configuration) the retrieval of the
> > > > target URL seems not to work as expected. It would be helpful, if you
> > > > could extract/log the HTTP headers that are sent with the request.
> > > > I'm not sure, if jetty in this version can log HTTP headers. Another
> > > > possibility would be tcpdump on the server.
> > > >
> > > > Thanks for your help.
> > > >
> > > > Martin
> > > >
> > > > On Monday, 8 May 2017, 21:16:51 CEST, Olivier Lamy wrote:
> > > > > I have a security.properties file in
> > > > > ${appserver.base}/conf with this but doesn't work.
> > > > >
> > > > > rest.baseUrl=http://archiva-repository.apache.org,http://localhost:9191,https://archiva-repository.apache.org
> > > > >
> > > > > rest.csrffilter.enabled=false
> > > > >
> > > > > But still getting
> > > > >
> > > > > 2017-05-08 10:59:15,090 [qtp1614464539-68] WARN org.apache.archiva.redback.rest.services.interceptors.RequestValidationInterceptor [] - HTTP Header check failed. Assuming CSRF attack.
> > > > > 2017-05-08 10:59:15,090 [qtp1614464539-68] WARN org.apache.archiva.redback.rest.services.interceptors.RequestValidationInterceptor [] - Referer Header does not match: refererUrl=https://archiva-repository.apache.org/archiva/index.html?request_lang=en, targetUrl=http://localhost:9191/restServices/archivaServices/commonServices/getAllI18nResources. Matches: Host=false, Port=false
> > > > > 2017-05-08 10:59:15,091 [qtp1614464539-68] WARN org.apache.archiva.redback.rest.services.interceptors.RequestValidationInterceptor [] - Referer Header does not match: refererUrl=https://archiva-repository.apache.org/archiva/index.html?request_lang=en, targetUrl=http://archiva-repository.apache.org, archiva-repository.apache.org. Matches: Host=false, Port=false
> > > > >
> > > > > On 8 May 2017 at 21:09, Olivier Lamy <[email protected]> wrote:
> > > > > > uhm I talked too fast :-(
> > > > > > Let me check more seriously
> > > > > >
> > > > > > On 8 May 2017 at 20:57, Olivier Lamy <[email protected]> wrote:
> > > > > >> Hi
> > > > > >> I missed to say but all good here
> > > > > >> Thanks!!
> > > > > >> Olivier
> > > > > >>
> > > > > >> On 28 April 2017 at 22:26, Olivier Lamy <[email protected]> wrote:
> > > > > >>> Hi
> > > > > >>> I stopped Archiva.
> > > > > >>> It's now restarted builds will be deployed.
> > > > > >>> I will try to test during the weekend.
> > > > > >>> Thanks!
> > > > > >>> Olivier
> > > > > >>>
> > > > > >>> On 28 April 2017 at 15:34, Martin Stockhammer <[email protected]>
> > > > > >>> wrote:
> > > > > >>>> Hi Olivier,
> > > > > >>>>
> > > > > >>>> I think I have fixed the configuration issue. And modified the
> > > > > >>>> header checks. You should be able to add a comma separated list
> > > > > >>>> for the rest.baseUrl param.
> > > > > >>>> Could you please check with the latest source. The Jenkins builds
> > > > > >>>> currently fail, because there seems something wrong with the
> > > > > >>>> repository server or the latest snapshot builds that were
> > > > > >>>> uploaded. I'm not sure if this is related to your changes on the
> > > > > >>>> repository server or another issue.
> > > > > >>>>
> > > > > >>>> Cheers
> > > > > >>>>
> > > > > >>>> Martin
> > > > > >>>>
> > > > > >>>> --
> > > > > >>>> This message was sent from my Android device with K-9 Mail.
> > > > > >>>
> > > > > >>> --
> > > > > >>> Olivier Lamy
> > > > > >>> http://twitter.com/olamy | http://linkedin.com/in/olamy
> > > > > >>
> > > > > >> --
> > > > > >> Olivier Lamy
> > > > > >> http://twitter.com/olamy | http://linkedin.com/in/olamy
> > > > > >
> > > > > > --
> > > > > > Olivier Lamy
> > > > > > http://twitter.com/olamy | http://linkedin.com/in/olamy

--
Olivier Lamy
http://twitter.com/olamy | http://linkedin.com/in/olamy
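
Added example, not code from this thread or from Archiva/Redback: a Java sketch of the kind of Referer check the quoted log lines report (host and port compared against each entry of a comma-separated rest.baseUrl), showing why the https entry is needed next to the http one. The class and method names, the denyAbsent flag and the first-entry handling of a list-valued host header are assumptions.

```java
import java.net.URI;
import java.util.ArrayList;
import java.util.List;

// Added illustration only; this is not Redback's RequestValidationInterceptor.
public class RefererCheckSketch {

    // Effective port: the explicit port if present, else the scheme default.
    static int port(URI u) {
        if (u.getPort() != -1) return u.getPort();
        return "https".equalsIgnoreCase(u.getScheme()) ? 443 : 80;
    }

    // Split a comma-separated rest.baseUrl value into allowed targets.
    static List<URI> parseBaseUrls(String value) {
        List<URI> allowed = new ArrayList<>();
        for (String part : value.split(",")) {
            if (!part.trim().isEmpty()) allowed.add(URI.create(part.trim()));
        }
        return allowed;
    }

    // A proxy-supplied host header may hold a list ("a, b"); this sketch
    // assumes the first entry is the one to compare against.
    static String firstHost(String headerValue) {
        return headerValue.split(",")[0].trim();
    }

    // True when the Referer's host and port match one allowed base URL.
    // denyAbsent (hypothetical flag) rejects requests that carry no Referer.
    static boolean refererAllowed(String referer, List<URI> allowed, boolean denyAbsent) {
        if (referer == null || referer.isEmpty()) return !denyAbsent;
        URI ref;
        try { ref = URI.create(referer); } catch (IllegalArgumentException e) { return false; }
        if (ref.getHost() == null) return false;
        for (URI base : allowed) {
            if (ref.getHost().equalsIgnoreCase(base.getHost()) && port(ref) == port(base)) return true;
        }
        return false;
    }

    public static void main(String[] args) {
        // Referer and base URLs as they appear in the thread.
        String referer = "https://archiva-repository.apache.org/archiva/index.html?request_lang=en";
        List<URI> full = parseBaseUrls("http://archiva-repository.apache.org,"
                + "http://localhost:9191,https://archiva-repository.apache.org");
        System.out.println("three entries:  " + refererAllowed(referer, full, true));
        System.out.println("localhost only: " + refererAllowed(referer, parseBaseUrls("http://localhost:9191"), true));
        System.out.println("http only:      " + refererAllowed(referer, parseBaseUrls("http://archiva-repository.apache.org"), true));
        System.out.println("no Referer:     " + refererAllowed(null, full, true));
        System.out.println("host list:      " + firstHost("archiva-repository.apache.org, archiva-repository.apache.org"));
    }
}
```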
