confusing handling of browser-based webdav access for security
--------------------------------------------------------------
Key: MRM-897
URL: http://jira.codehaus.org/browse/MRM-897
Project: Archiva
Issue Type: Bug
Affects Versions: 1.1
Reporter: Brett Porter
Priority: Minor
Fix For: 1.1.x
steps to reproduce:
- access a repository that has read restriction, log in via the HTTP challenge
response and successfully access it
- restart server
- access an artifact URL (do not browse the repository) from the same browser
session.
The logs show:
{code}
2008-07-30 15:51:41,083 [btpool0-9] INFO
org.apache.maven.archiva.security.ArchivaServletAuthenticator - Authorization
Denied [ip=0:0:0:0:0:0:0:1%0,
isWriteRequest=false,permission=archiva-read-repository,repo=testing] : no
matching permissions
{code}
This is a result of the first request coming through such that a null result is
passed to isAuthenticated. The code for that is:
{code}
if ( result != null && !result.isAuthenticated() )
{
throw new AuthenticationException( "User Credentials Invalid" );
}
return true;
{code}
As you can see, a null result is treated as being "authenticated", though there
is really no information as to whether that is the case.
The request later works, so I don't know if this is a bug or not, or just poor
logging.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://jira.codehaus.org/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
