[
https://jira.codehaus.org/browse/MRM-897?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Olivier Lamy updated MRM-897:
-----------------------------
Fix Version/s: (was: 2.1.0)
2.1.1
> confusing handling of browser-based webdav access for security
> --------------------------------------------------------------
>
> Key: MRM-897
> URL: https://jira.codehaus.org/browse/MRM-897
> Project: Archiva
> Issue Type: Bug
> Affects Versions: 1.1
> Reporter: Brett Porter
> Priority: Minor
> Labels: TOCHECK
> Fix For: 2.1.1
>
>
> steps to reproduce:
> - access a repository that has read restriction, log in via the HTTP
> challenge response and successfully access it
> - restart server
> - access an artifact URL (do not browse the repository) from the same browser
> session.
> The logs show:
> {code}
> 2008-07-30 15:51:41,083 [btpool0-9] INFO
> org.apache.maven.archiva.security.ArchivaServletAuthenticator -
> Authorization Denied [ip=0:0:0:0:0:0:0:1%0,
> isWriteRequest=false,permission=archiva-read-repository,repo=testing] : no
> matching permissions
> {code}
> This is a result of the first request coming through such that a null result
> is passed to isAuthenticated. The code for that is:
> {code}
> if ( result != null && !result.isAuthenticated() )
> {
> throw new AuthenticationException( "User Credentials Invalid" );
> }
> return true;
> {code}
> As you can see, a null result is treated as being "authenticated", though
> there is really no information as to whether that is the case.
> The request later works, so I don't know if this is a bug or not, or just
> poor logging.
--
This message was sent by Atlassian JIRA
(v6.1.6#6162)
