[ 
https://issues.apache.org/jira/browse/MRM-1912?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16648732#comment-16648732
 ] 

Terence Kent commented on MRM-1912:
-----------------------------------

I took a look into this issue because I thought fixing it would be relevant for 
the Docker image we maintain. It doesn't appear to impact version 2.2.3. Here's 
why I say that.

 

I created a new Archiva environment, backed by a MySQL db, and set the guest 
account to have a LAST_PASSWORD_CHANGE date and ACCOUNT_CREATION_DATE of 1 
year back:
{code:java}
update JDOUSER
set LAST_PASSWORD_CHANGE=DATE_SUB(NOW(), INTERVAL 1 YEAR),
    ACCOUNT_CREATION_DATE=DATE_SUB(NOW(), INTERVAL 1 YEAR)
where USERNAME = "guest";
{code}
Then I restarted the JVM, to be sure no in-memory caching would be involved, 
and used a private window in Chrome to act as a guest. It appeared to work 
without an issue.

 

However, perhaps I'm missing something.

 

> Guest password should never be reset 
> -------------------------------------
>
>                 Key: MRM-1912
>                 URL: https://issues.apache.org/jira/browse/MRM-1912
>             Project: Archiva
>          Issue Type: Bug
>          Components: redback, Users/Security, Web Interface
>    Affects Versions: 2.2.0
>         Environment: AWS, EC2, ECS, Docker, Ubuntu
>            Reporter: Benjamin Heasly
>            Priority: Major
>              Labels: guest, password, security, ui
>
> This is an experience report from a user.
> I stood up a new Archiva instance about 90 days ago.  As per default security 
> configuration, user passwords began to expire recently.
> It seems that even the guest account has expired.  As a result, guest access 
> is now 403 Forbidden.
> Since the guest account is for anonymous access, and has no password, this 
> account probably should be exempt from password expiration.  Is this a bug?
> I can reset the guest password successfully, restoring access for this 
> account.  However, I cannot reset to the empty password using the web 
> interface.  The edit user form complains of the password field, "This field 
> is required."  Is this also a bug?



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
