Re: [VOTE] Apache Archiva 2.2.2

[Martin]

Hi,

your logs indicate, that you have set two values for the baseUrl property 
(maybe in different files) or used a comma separated list.

I tried to change the configuration value to a list (i think its indeed 
better, to configure a list of urls instead of only one), by using 
UserConfiguration.getList() but found some strange behaviour:
If I set the configuration entry from the web UI the value vanishes after 
restarting the application.
Its is the same with the configuration property:
  security.policy.unlockable.accounts
which uses getList() too and if I set a value for this property the value will 
be removed by the next restart.
The values are saved in archiva.xml in redbackRuntimeConfiguration/
configurationProperties/... after changing at the WebGUI.
After stopping, archiva.xml is OK and contains the configured value.
During startup of archiva the xml-File is written and the configuration 
entries for rest.BaseUrl and  security.policy.unlockable.accounts are replaced 
by empty tags.
Currently I cannot find the place where this happens. And I find it very 
strange that this behaviour seems to be triggered by the getList() call. Other 
properties that use getBoolean(), getString() are not removed by a restart.

Maybe, it has to do with the type that is used in the registry for these 
values (List instead String) but currently I'm a bit stuck.  

Greetings

Martin



Am Dienstag, 25. April 2017, 21:58:15 CEST schrieb Olivier Lamy:
> I will try some debugging as well on the archiva instance.
> I think yes you will have to cut an other release.
> Perso I don't mind you use a new tag (2.2.3) as you prefer.
> But first find the issue :-)
> 
> On 25 April 2017 at 19:01, Martin Stockhammer  wrote:
> > Yes, you are right. This should be fixed. Currently I don't know why the
> > host name doesn't match, but will try to reproduce. Had no reverse proxy
> > environment to check this thoroughly.
> > But that means I need to create a new version, right?
> > 
> > Cheers
> > 
> > Martin
> > 
> > Am 25. April 2017 09:51:06 MESZ schrieb Olivier Lamy :
> >> Hi
> >> Yes it's behind a reverse proxy
> >> logs says
> >> 
> >> 2017-04-25 07:39:21,524 [qtp1564314458-63] WARN
> >> org.apache.archiva.redback.rest.services.interceptors.RequestValidationIn
> >> terceptor [] - Referer Header Host does not match
> >> refererUrl=https://archiva-> >> 
> >> repository.apache.org/archiva/index.html?request_lang=en, targetUrl=
> >> http://archiva-repository.apache.org, archiva-repository.apache.org
> >> 
> >> The security.properties contains
> >> 
> >> rest.baseUrl=https://archiva-repository.apache.org  (I tried with https
> >> as well)
> >> 
> >> The referer header has value: https://archiva-> >> 
> >> repository.apache.org/archiva/index.html?request_lang=en
> >> 
> >> Activating debug:
> >> 
> >> 2017-04-25 07:49:00,570 [qtp749705282-29] DEBUG
> >> org.apache.archiva.redback.rest.services.interceptors.RequestValidationIn
> >> terceptor [] - Referer Header URL found: https://archiva-repository.
> >> apache.org/archiva/index.html?request_lang=en
> >> 
> >> 2017-04-25 07:49:00,571 [qtp749705282-29] WARN
> >> org.apache.archiva.redback.rest.services.interceptors.RequestValidationIn
> >> terceptor [] - Referer Header Host does not match
> >> refererUrl=https://archiva-> >> 
> >> repository.apache.org/archiva/index.html?request_lang=en, targetUrl=
> >> http://archiva-repository.apache.org, archiva-repository.apache.org
> >> 
> >> 2017-04-25 07:49:00,571 [qtp749705282-29] WARN
> >> org.apache.archiva.redback.rest.services.interceptors.RequestValidationIn
> >> terceptor [] - HTTP Header check failed. Assuming CSRF attack.
> >> 
> >> 
> >> Well I can disable that but I'd like to not have too many users
> >> complaining :-)
> >> 
> >> On 25 April 2017 at 16:54, Martin Stockhammer 
> >> 
> >> wrote:
> >>> Hi,
> >>> 
> >>> It's behind a reverse proxy or something similar?
> >>> I think it's the request url. It is determined automatically. But you
> >>> can set a redback configuration property.
> >>> In security.properties set
> >>> rest.baseUrl=http://archiva-repository.apache.org
> >>> 
> >>> Cheers
> >>> 
> >>> Martin
> >>> 
> >>> Am 25. April 2017 01:59:29 MESZ schrieb Olivier Lamy :
>  Hi Martin,
>  Thanks for your effort with the release!!
>  Works fine locally, all sigs are ok!
>  I installed the version for
>  https://archiva-repository.apache.org/archiva/
>  but I have a problem as cannot log anymore because some REST resources
>  are
>  marked as 403.
>  In this particular case:
>  https://archiva-repository.apache.org/archiva/restServices/archivaServi
>  ces/commonServices/getAllI18nResources Any idea?
>  
>  On 24 April 2017 at 05:01, Martin  wrote:
>   Hi,
>   
> >  I think I now have everything ready and I'd like to release Apache
> >  Archiva
> >  2.2.2
> > 

Re: [VOTE] Apache Archiva 2.2.2

[Olivier Lamy]

I will try some debugging as well on the archiva instance.
I think yes you will have to cut an other release.
Perso I don't mind you use a new tag (2.2.3) as you prefer.
But first find the issue :-)


On 25 April 2017 at 19:01, Martin Stockhammer  wrote:

> Yes, you are right. This should be fixed. Currently I don't know why the
> host name doesn't match, but will try to reproduce. Had no reverse proxy
> environment to check this thoroughly.
> But that means I need to create a new version, right?
>
> Cheers
>
> Martin
>
>
>
>
>
>
> Am 25. April 2017 09:51:06 MESZ schrieb Olivier Lamy :
>>
>> Hi
>> Yes it's behind a reverse proxy
>> logs says
>>
>> 2017-04-25 07:39:21,524 [qtp1564314458-63] WARN
>> org.apache.archiva.redback.rest.services.interceptors.RequestValidationInterceptor
>> [] - Referer Header Host does not match refererUrl=https://archiva-
>> repository.apache.org/archiva/index.html?request_lang=en, targetUrl=
>> http://archiva-repository.apache.org, archiva-repository.apache.org
>>
>> The security.properties contains
>>
>> rest.baseUrl=https://archiva-repository.apache.org  (I tried with https
>> as well)
>>
>> The referer header has value: https://archiva-
>> repository.apache.org/archiva/index.html?request_lang=en
>>
>> Activating debug:
>>
>> 2017-04-25 07:49:00,570 [qtp749705282-29] DEBUG
>> org.apache.archiva.redback.rest.services.interceptors.RequestValidationInterceptor
>> [] - Referer Header URL found: https://archiva-repository.
>> apache.org/archiva/index.html?request_lang=en
>>
>> 2017-04-25 07:49:00,571 [qtp749705282-29] WARN
>> org.apache.archiva.redback.rest.services.interceptors.RequestValidationInterceptor
>> [] - Referer Header Host does not match refererUrl=https://archiva-
>> repository.apache.org/archiva/index.html?request_lang=en, targetUrl=
>> http://archiva-repository.apache.org, archiva-repository.apache.org
>>
>> 2017-04-25 07:49:00,571 [qtp749705282-29] WARN
>> org.apache.archiva.redback.rest.services.interceptors.RequestValidationInterceptor
>> [] - HTTP Header check failed. Assuming CSRF attack.
>>
>>
>> Well I can disable that but I'd like to not have too many users
>> complaining :-)
>>
>> On 25 April 2017 at 16:54, Martin Stockhammer 
>> wrote:
>>
>>> Hi,
>>>
>>> It's behind a reverse proxy or something similar?
>>> I think it's the request url. It is determined automatically. But you
>>> can set a redback configuration property.
>>> In security.properties set
>>> rest.baseUrl=http://archiva-repository.apache.org
>>>
>>> Cheers
>>>
>>> Martin
>>>
>>>
>>> Am 25. April 2017 01:59:29 MESZ schrieb Olivier Lamy :

 Hi Martin,
 Thanks for your effort with the release!!
 Works fine locally, all sigs are ok!
 I installed the version for https://archiva-repository.apache.org/archiva/
 but I have a problem as cannot log anymore because some REST resources are
 marked as 403.
 In this particular case:
 https://archiva-repository.apache.org/archiva/restServices/archivaServices/commonServices/getAllI18nResources
 Any idea?

 On 24 April 2017 at 05:01, Martin  wrote:

  Hi,
>
>  I think I now have everything ready and I'd like to release Apache 
> Archiva
>  2.2.2
>
>  Note this vote include some parent poms, and redback core.
>
>  We fixed these issues:
>  https://issues.apache.org/jira/secure/ReleaseNote.jspa?
>  projectId=12316920=12335832
>
>  The staging repository is available here:
>  https://archiva-repository.apache.org/archiva/repository/
>  archiva-releases-stage/
>
>  Dist artifacts here: https://dist.apache.org/repos/dist/dev/archiva/
>
>  Vote open for 72H
>  [+1]
>  [0]
>  [-1]
>
>  Greetings
>  --
>  Martin Stockhammer





>>> --
>>> Diese Nachricht wurde von meinem Android-Gerät mit K-9 Mail gesendet.
>>>
>>
>>
>>
>> --
>> Olivier Lamy
>> http://twitter.com/olamy | http://linkedin.com/in/olamy
>>
>
> --
> Diese Nachricht wurde von meinem Android-Gerät mit K-9 Mail gesendet.
>



-- 
Olivier Lamy
http://twitter.com/olamy | http://linkedin.com/in/olamy

Re: [VOTE] Apache Archiva 2.2.2

[Martin Stockhammer]

Yes, you are right. This should be fixed. Currently I don't know why the host 
name doesn't match, but will try to reproduce. Had no reverse proxy environment 
to check this thoroughly. 
But that means I need to create a new version, right? 

Cheers

Martin





Am 25. April 2017 09:51:06 MESZ schrieb Olivier Lamy :
>Hi
>Yes it's behind a reverse proxy
>logs says
>
>2017-04-25 07:39:21,524 [qtp1564314458-63] WARN
>org.apache.archiva.redback.rest.services.interceptors.RequestValidationInterceptor
>[] - Referer Header Host does not match refererUrl=
>https://archiva-repository.apache.org/archiva/index.html?request_lang=en,
>targetUrl=http://archiva-repository.apache.org,
>archiva-repository.apache.org
>
>The security.properties contains
>
>rest.baseUrl=https://archiva-repository.apache.org  (I tried with https
>as
>well)
>
>The referer header has value:
>https://archiva-repository.apache.org/archiva/index.html?request_lang=en
>
>Activating debug:
>
>2017-04-25 07:49:00,570 [qtp749705282-29] DEBUG
>org.apache.archiva.redback.rest.services.interceptors.RequestValidationInterceptor
>[] - Referer Header URL found:
>https://archiva-repository.apache.org/archiva/index.html?request_lang=en
>
>2017-04-25 07:49:00,571 [qtp749705282-29] WARN
>org.apache.archiva.redback.rest.services.interceptors.RequestValidationInterceptor
>[] - Referer Header Host does not match refererUrl=
>https://archiva-repository.apache.org/archiva/index.html?request_lang=en,
>targetUrl=http://archiva-repository.apache.org,
>archiva-repository.apache.org
>
>2017-04-25 07:49:00,571 [qtp749705282-29] WARN
>org.apache.archiva.redback.rest.services.interceptors.RequestValidationInterceptor
>[] - HTTP Header check failed. Assuming CSRF attack.
>
>
>Well I can disable that but I'd like to not have too many users
>complaining
>:-)
>
>On 25 April 2017 at 16:54, Martin Stockhammer 
>wrote:
>
>> Hi,
>>
>> It's behind a reverse proxy or something similar?
>> I think it's the request url. It is determined automatically. But you
>can
>> set a redback configuration property.
>> In security.properties set
>> rest.baseUrl=http://archiva-repository.apache.org
>>
>> Cheers
>>
>> Martin
>>
>>
>> Am 25. April 2017 01:59:29 MESZ schrieb Olivier Lamy
>:
>>>
>>> Hi Martin,
>>> Thanks for your effort with the release!!
>>> Works fine locally, all sigs are ok!
>>> I installed the version for
>https://archiva-repository.apache.org/archiva/
>>> but I have a problem as cannot log anymore because some REST
>resources are
>>> marked as 403.
>>> In this particular case:
>>>
>https://archiva-repository.apache.org/archiva/restServices/archivaServices/commonServices/getAllI18nResources
>>> Any idea?
>>>
>>> On 24 April 2017 at 05:01, Martin  wrote:
>>>
>>>  Hi,

  I think I now have everything ready and I'd like to release Apache
>Archiva
  2.2.2

  Note this vote include some parent poms, and redback core.

  We fixed these issues:
  https://issues.apache.org/jira/secure/ReleaseNote.jspa?
  projectId=12316920=12335832

  The staging repository is available here:
  https://archiva-repository.apache.org/archiva/repository/
  archiva-releases-stage/

  Dist artifacts here:
>https://dist.apache.org/repos/dist/dev/archiva/

  Vote open for 72H
  [+1]
  [0]
  [-1]

  Greetings
  --
  Martin Stockhammer
>>>
>>>
>>>
>>>
>>>
>> --
>> Diese Nachricht wurde von meinem Android-Gerät mit K-9 Mail gesendet.
>>
>
>
>
>-- 
>Olivier Lamy
>http://twitter.com/olamy | http://linkedin.com/in/olamy

-- 
Diese Nachricht wurde von meinem Android-Gerät mit K-9 Mail gesendet.

Re: [VOTE] Apache Archiva 2.2.2

[Olivier Lamy]

Hi
Yes it's behind a reverse proxy
logs says

2017-04-25 07:39:21,524 [qtp1564314458-63] WARN
org.apache.archiva.redback.rest.services.interceptors.RequestValidationInterceptor
[] - Referer Header Host does not match refererUrl=
https://archiva-repository.apache.org/archiva/index.html?request_lang=en,
targetUrl=http://archiva-repository.apache.org,
archiva-repository.apache.org

The security.properties contains

rest.baseUrl=https://archiva-repository.apache.org  (I tried with https as
well)

The referer header has value:
https://archiva-repository.apache.org/archiva/index.html?request_lang=en

Activating debug:

2017-04-25 07:49:00,570 [qtp749705282-29] DEBUG
org.apache.archiva.redback.rest.services.interceptors.RequestValidationInterceptor
[] - Referer Header URL found:
https://archiva-repository.apache.org/archiva/index.html?request_lang=en

2017-04-25 07:49:00,571 [qtp749705282-29] WARN
org.apache.archiva.redback.rest.services.interceptors.RequestValidationInterceptor
[] - Referer Header Host does not match refererUrl=
https://archiva-repository.apache.org/archiva/index.html?request_lang=en,
targetUrl=http://archiva-repository.apache.org,
archiva-repository.apache.org

2017-04-25 07:49:00,571 [qtp749705282-29] WARN
org.apache.archiva.redback.rest.services.interceptors.RequestValidationInterceptor
[] - HTTP Header check failed. Assuming CSRF attack.


Well I can disable that but I'd like to not have too many users complaining
:-)

On 25 April 2017 at 16:54, Martin Stockhammer  wrote:

> Hi,
>
> It's behind a reverse proxy or something similar?
> I think it's the request url. It is determined automatically. But you can
> set a redback configuration property.
> In security.properties set
> rest.baseUrl=http://archiva-repository.apache.org
>
> Cheers
>
> Martin
>
>
> Am 25. April 2017 01:59:29 MESZ schrieb Olivier Lamy :
>>
>> Hi Martin,
>> Thanks for your effort with the release!!
>> Works fine locally, all sigs are ok!
>> I installed the version for https://archiva-repository.apache.org/archiva/
>> but I have a problem as cannot log anymore because some REST resources are
>> marked as 403.
>> In this particular case:
>> https://archiva-repository.apache.org/archiva/restServices/archivaServices/commonServices/getAllI18nResources
>> Any idea?
>>
>> On 24 April 2017 at 05:01, Martin  wrote:
>>
>>  Hi,
>>>
>>>  I think I now have everything ready and I'd like to release Apache Archiva
>>>  2.2.2
>>>
>>>  Note this vote include some parent poms, and redback core.
>>>
>>>  We fixed these issues:
>>>  https://issues.apache.org/jira/secure/ReleaseNote.jspa?
>>>  projectId=12316920=12335832
>>>
>>>  The staging repository is available here:
>>>  https://archiva-repository.apache.org/archiva/repository/
>>>  archiva-releases-stage/
>>>
>>>  Dist artifacts here: https://dist.apache.org/repos/dist/dev/archiva/
>>>
>>>  Vote open for 72H
>>>  [+1]
>>>  [0]
>>>  [-1]
>>>
>>>  Greetings
>>>  --
>>>  Martin Stockhammer
>>
>>
>>
>>
>>
> --
> Diese Nachricht wurde von meinem Android-Gerät mit K-9 Mail gesendet.
>



-- 
Olivier Lamy
http://twitter.com/olamy | http://linkedin.com/in/olamy