wrong password use and caching during add maven2 project
---------------------------------------------------------

                 Key: CONTINUUM-1723
                 URL: http://jira.codehaus.org/browse/CONTINUUM-1723
             Project: Continuum
          Issue Type: Bug
          Components: Integration - Maven 2, Security, Web interface
    Affects Versions: 1.1
         Environment: linux system, plexus server, (maestro1.5.1 bundle)
            Reporter: David Delbecq
            Priority: Critical


When adding a maven2 project, if the provided pom.xml url (first field of form) 
requires user / pass authentication and you type in the wrong password or 
wrong username, continuum caches it and will always use it for the rest of its 
life. As a result it's impossible to get the pom.xml, even if you type the correct 
password in the field.


Steps to reproduce

# go to continuum server
# Type url of a pom.xml that requires server "basic" authentication
# Type in any user/pass for that url that is incorrect (eg: foo:bar)
# Click add
# The page shows the form again, telling "there was a problem getting the pom.xml"
# Type in correct user/password
# Click add
# The page shows up again, telling the same problem
# logout, login, try again with correct user/password
# Still impossible 
# Logout, close your browser, clean your cookies and everything
# Login, try again with correct user/password
# Still impossible
# shutdown continuum server and its JVM, restart it
# Login, try again with correct user/password
# *Success!*
# Try to add a second project, with another url on *same* http server, with incorrect user/pass
# *Success!*

As a conclusion, continuum caches somewhere the first user / pass, even if 
incorrect, and will reuse it every time you access this server. This is a 
problem in an environment where multiple teams share a common continuum server, 
a common svn server (with different access rights at different project nodes) 
and have rights to add projects. The first team member to add a project will 
have his user/password forced on every other user trying to add a 
project.

The only solution I found so far is, after adding a project, to shutdown the 
JVM hosting continuum and restart it.


Behind the scenes:

Sniffing the protocol shows clearly that continuum, when "getting" the pom 
mentioned in add project, always uses the same basic authentication, 
whatever the user types in the user/pass boxes. It's always the first attempt 
that gets used.
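The behaviour reported above is a credential cache keyed by target host alone, so whatever credential arrives first for a host is replayed for every later request, from any user. The following is an added example (not Continuum's code; the fetcher classes, the `fake_server` stand-in and the `svn.example.invalid` account are all constructed for illustration) that reproduces the ticket's sequence against a simulated Basic-auth server, and beside it the design a reviewer would expect: the credentials the caller supplies always win, the cache is scoped to the submitting user as well as the host, and an entry the server rejects is evicted instead of being replayed.

```python
import base64
from typing import Dict, Optional, Tuple

# Constructed stand-in for the HTTP server hosting the pom.xml:
# one valid account per host. Hypothetical host and credentials.
SERVER_ACCOUNTS = {"svn.example.invalid": ("alice", "correct-horse")}
POM_BODY = "<project><artifactId>demo</artifactId></project>"


def basic_header(user: str, password: str) -> str:
    """Build an HTTP Basic credential: 'Basic ' + base64(user:password)."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def fake_server(host: str, authorization: Optional[str]) -> Tuple[int, str]:
    """Simulate a Basic-auth protected server. Returns (status, body)."""
    expected_user, expected_pass = SERVER_ACCOUNTS[host]
    if authorization != basic_header(expected_user, expected_pass):
        return 401, "Unauthorized"
    return 200, POM_BODY


class BuggyFetcher:
    """Reproduces the reported defect: the first credential seen for a host is
    cached by host only and reused, ignoring both the credentials the caller
    passes later and which Continuum user is making the request."""

    def __init__(self) -> None:
        self._cache: Dict[str, str] = {}

    def fetch_pom(self, requester: str, host: str, user: str, password: str) -> Tuple[int, str]:
        # setdefault keeps whatever was stored first; 'requester' is ignored.
        header = self._cache.setdefault(host, basic_header(user, password))
        return fake_server(host, header)


class FixedFetcher:
    """Caller-supplied credentials are always used, the cache is keyed by
    (requester, host) so one user's password is never replayed for another,
    and a rejected entry is dropped rather than retried forever."""

    def __init__(self) -> None:
        self._cache: Dict[Tuple[str, str], str] = {}

    def fetch_pom(self, requester: str, host: str, user: str, password: str) -> Tuple[int, str]:
        key = (requester, host)
        header = basic_header(user, password)  # what the form submitted, not the cache
        status, body = fake_server(host, header)
        if status == 401:
            self._cache.pop(key, None)  # never keep a credential the server refused
        else:
            self._cache[key] = header
        return status, body


def reproduce_ticket(fetcher) -> Tuple[int, int]:
    """Ticket steps 3-8: wrong user/pass first, then the correct one.
    Returns the two HTTP status codes."""
    first, _ = fetcher.fetch_pom("alice", "svn.example.invalid", "foo", "bar")
    second, _ = fetcher.fetch_pom("alice", "svn.example.invalid", "alice", "correct-horse")
    return first, second


def credential_leak(fetcher) -> Tuple[int, int]:
    """Ticket's last two steps and the multi-team concern: a correct login by
    one user, then a second user with wrong credentials on the same host."""
    first, _ = fetcher.fetch_pom("alice", "svn.example.invalid", "alice", "correct-horse")
    second, _ = fetcher.fetch_pom("bob", "svn.example.invalid", "wrong", "wrong")
    return first, second


if __name__ == "__main__":
    print("buggy  wrong-then-right:", reproduce_ticket(BuggyFetcher()))   # (401, 401)
    print("fixed  wrong-then-right:", reproduce_ticket(FixedFetcher()))   # (401, 200)
    print("buggy  other user, bad creds:", credential_leak(BuggyFetcher()))  # (200, 200)
    print("fixed  other user, bad creds:", credential_leak(FixedFetcher()))  # (200, 401)
```

The second scenario is the one that matters for a shared server: with the host-only cache, a second user who supplies wrong credentials still gets the pom because the first user's password is replayed on his behalf, which is exactly the "Success!" with incorrect user/pass observed at the end of the steps above. Scoping the cache to the requester and evicting on 401 removes both symptoms without needing a JVM restart.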


-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: 
http://jira.codehaus.org/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
