[ 
http://jira.codehaus.org/browse/MRM-1047?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=158384#action_158384
 ] 

Wendy Smoak commented on MRM-1047:
----------------------------------

To reproduce:

Install Archiva 1.1.3
Add testuser and give it the manager role for the snapshots repo
At this point the 'Force User to Change Password' box is checked.

Attempt to log in as testuser with a browser, confirm that you are
redirected to the change password screen.
Click logout - do not change the password.

Configure settings.xml and pom.xml to deploy to Archiva as testuser

 settings.xml:
   <server>
     <username>testuser</username>
     <password>abc1234</password>
     <id>snapshots</id>
   </server>

 pom.xml:
 <distributionManagement>
   <repository>
     <id>snapshots</id>
     <url>dav:http://localhost:8080/archiva/repository/snapshots</url>
   </repository>
 </distributionManagement>

Try "mvn deploy" -- it should fail, but it doesn't.

Edit the user and un-check the 'Force User to change password' checkbox.
Confirm that you can log in normally as testuser.
Try "mvn deploy" again - now it works.

Simulate an expired password:

Stop Archiva

Add conf/security.properties with:
security.policy.password.expiration.enabled=true
security.policy.password.expiration.days=90

> set DERBY_INSTALL=/path/to/db-derby-10.1.3.1-bin
> set PATH=%PATH%;%DERBY_INSTALL%/frameworks/embedded/bin
> ij

ij> connect 
'jdbc:derby:/path/to/apache-archiva-1.1.3/data/databases/users;user=sa'
ij> update JDOUSER set LAST_PASSWORD_CHANGE = '2008-06-01 12:00:00'
where USERNAME = 'testuser';

Start Archiva

Edit the user and confirm that the Last Password Change is ~200 days ago.

Attempt to log in as testuser with a browser, confirm that you are
redirected to the change password screen.
Click logout - do not change the password.

Try "mvn deploy" - it should fail, but it doesn't.


> Archiva allows deployment by user with expired password
> -------------------------------------------------------
>
>                 Key: MRM-1047
>                 URL: http://jira.codehaus.org/browse/MRM-1047
>             Project: Archiva
>          Issue Type: Bug
>          Components: Users/Security
>    Affects Versions: 1.1.3
>            Reporter: Wendy Smoak
>            Priority: Minor
>
> If a user has the repo manager role, he can still deploy artifacts even if 
> his password is expired and/or flagged as must be changed.
> An expired password is no longer valid, and Archiva should prevent access to 
> the repository until it is changed.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: 
http://jira.codehaus.org/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
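
An added example, not part of the JIRA comment and not Archiva or Redback code: a Java sketch of the check the report expects on the deploy path, where a matching password alone must not grant access. The class, field and method names are hypothetical, and the dates are constructed from the reproduction steps above.

```java
import java.time.Duration;
import java.time.Instant;

// Hypothetical sketch: not Archiva or Redback code; all names are assumptions.
public class DeployAccessCheck {

    enum Decision { ALLOW, DENY_BAD_CREDENTIALS, DENY_MUST_CHANGE, DENY_EXPIRED }

    // Stand-in for the stored user record.
    static final class User {
        final boolean passwordChangeRequired; // 'Force User to Change Password' box
        final Instant lastPasswordChange;     // LAST_PASSWORD_CHANGE column
        User(boolean passwordChangeRequired, Instant lastPasswordChange) {
            this.passwordChangeRequired = passwordChangeRequired;
            this.lastPasswordChange = lastPasswordChange;
        }
    }

    // One decision function shared by browser login and the WebDAV deploy path,
    // so a correct password never bypasses the password-state checks.
    static Decision check(User u, boolean passwordMatches,
                          boolean expirationEnabled, int expirationDays, Instant now) {
        if (!passwordMatches) return Decision.DENY_BAD_CREDENTIALS;
        if (u.passwordChangeRequired) return Decision.DENY_MUST_CHANGE;
        if (expirationEnabled) {
            Instant expiresAt = u.lastPasswordChange.plus(Duration.ofDays(expirationDays));
            if (now.isAfter(expiresAt)) return Decision.DENY_EXPIRED;
        }
        return Decision.ALLOW;
    }

    public static void main(String[] args) {
        // Constructed dates: "now" is 200 days after the LAST_PASSWORD_CHANGE set in the report.
        Instant now = Instant.parse("2008-12-18T12:00:00Z");
        Instant old = Instant.parse("2008-06-01T12:00:00Z");
        Instant recent = Instant.parse("2008-12-01T12:00:00Z");

        User flagged = new User(true, recent);  // new account, change-password flag set
        User expired = new User(false, old);    // password older than the 90-day policy
        User healthy = new User(false, recent); // flag cleared, password current

        // Policy values mirror security.properties from the report: enabled=true, days=90.
        System.out.println("flagged: " + check(flagged, true, true, 90, now));
        System.out.println("expired: " + check(expired, true, true, 90, now));
        System.out.println("healthy: " + check(healthy, true, true, 90, now));
    }
}
```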

        
