[ 
http://jira.codehaus.org/browse/MRM-911?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=145051#action_145051
 ] 

Arnaud Heritier commented on MRM-911:
-------------------------------------

A workaround is to tell Apache (>2.0) not to forward credentials:
{code:xml}
  <Location /archiva/repository/>
    # Requires mod_headers: drop the Authorization header before the request is passed on to Archiva
    RequestHeader unset authorization
  </Location>
{code}

> Archiva checks user's credentials before guest's rights on the repository
> -------------------------------------------------------------------------
>
>                 Key: MRM-911
>                 URL: http://jira.codehaus.org/browse/MRM-911
>             Project: Archiva
>          Issue Type: Bug
>          Components: Users/Security
>    Affects Versions: 1.1.1
>         Environment: Apache 2.2, Tomcat 5.5.26, Archiva 1.1.1, JDK 1.6
>            Reporter: Arnaud Heritier
>             Fix For: 1.1.2
>
>
> In a corporate environment we installed Archiva on Tomcat & MySQL.
> A reverse proxy (Apache) is used to protect our intranet applications. (I 
> tried to use mod_proxy and mod_jk to connect Apache & Tomcat and the behavior 
> is the same.)
> To access our intranet through the reverse proxy I have to give my 
> credentials (the RP is using an LDAP directory and is accessed only over HTTPS).
> When I access the Archiva UI, everything is fine. After giving my 
> credentials, I can log on or log out with accounts created in Archiva (admin 
> for example).
> I configured the guest to be a global Repository Manager & Observer on all 
> our repositories (we don't need to re-add a security level in Archiva. It's 
> already done by Apache).
> When I access a repository (to browse it for example) I receive an 
> authentication dialog box (basic auth) like:
> {{A user name and password are being requested by https://xxx.yyy.com. The 
> site says: "Repository Archiva Managed 3rd-parties Repository"}}
> It shouldn't appear, because guest can browse and write on repositories.
> What I suppose is that Archiva is retrieving my credentials from Apache and 
> tries to log me on, which is failing (I don't have this account in Archiva). 
> After having failed, it prompts me to enter new credentials.
> I tried to create a user in Archiva matching the one I have to log on with in 
> Apache and it works.
> I think Archiva should check guest rights before trying to log on the user.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: 
http://jira.codehaus.org/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
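
A minimal model of the behaviour the report supposes, added here as an illustration and not Archiva's or Apache's code: it compares a credentials-first decision with a guest-first decision, and shows why unsetting the Authorization header at the proxy avoids the prompt. All function names, accounts and repository IDs are assumptions constructed for the example.

```python
import base64

# Constructed sample data: Archiva-local accounts and guest permissions.
ARCHIVA_USERS = {"admin": "admin-pass"}
GUEST_CAN_READ = {"third-party"}  # repositories the guest role may read


def parse_basic(headers):
    """Return (user, password) from a Basic Authorization header, or None."""
    value = next((v for k, v in headers.items() if k.lower() == "authorization"), None)
    if not value or not value.lower().startswith("basic "):
        return None
    try:
        user, _, password = base64.b64decode(value[6:]).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    return user, password


def login_ok(creds):
    """True only if the credentials match an Archiva-local account."""
    return creds is not None and ARCHIVA_USERS.get(creds[0]) == creds[1]


def credentials_first(headers, repo):
    """Order the reporter suspects: forwarded credentials are tried first."""
    creds = parse_basic(headers)
    if creds is not None:
        return 200 if login_ok(creds) else 401  # guest rights never consulted
    return 200 if repo in GUEST_CAN_READ else 401


def guest_first(headers, repo):
    """Order the reporter asks for: guest rights before any login attempt."""
    if repo in GUEST_CAN_READ:
        return 200
    return 200 if login_ok(parse_basic(headers)) else 401


def proxy_unset_authorization(headers):
    """Effect of `RequestHeader unset authorization` on the forwarded request."""
    return {k: v for k, v in headers.items() if k.lower() != "authorization"}


def ldap_request(user="jdoe", password="ldap-pass"):
    """Constructed request carrying the reverse proxy's LDAP credentials."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Host": "xxx.yyy.com", "Authorization": f"Basic {token}"}
```

With the header stripped, the credentials-first order falls through to the guest check, so access then rests entirely on the proxy's own authentication and on the guest role's permissions.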

        
