Return-Path: Delivered-To: apmail-archiva-commits-archive@www.apache.org Received: (qmail 39210 invoked from network); 6 Oct 2008 09:05:43 -0000 Received: from hermes.apache.org (HELO mail.apache.org) (140.211.11.2) by minotaur.apache.org with SMTP; 6 Oct 2008 09:05:43 -0000 Received: (qmail 12804 invoked by uid 500); 6 Oct 2008 09:05:42 -0000 Delivered-To: apmail-archiva-commits-archive@archiva.apache.org Received: (qmail 12780 invoked by uid 500); 6 Oct 2008 09:05:42 -0000 Mailing-List: contact commits-help@archiva.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@archiva.apache.org Delivered-To: mailing list commits@archiva.apache.org Received: (qmail 12771 invoked by uid 99); 6 Oct 2008 09:05:42 -0000 Received: from athena.apache.org (HELO athena.apache.org) (140.211.11.136) by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 06 Oct 2008 02:05:42 -0700 X-ASF-Spam-Status: No, hits=-1999.9 required=10.0 tests=ALL_TRUSTED,DNS_FROM_SECURITYSAGE X-Spam-Check-By: apache.org Received: from [140.211.11.4] (HELO eris.apache.org) (140.211.11.4) by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 06 Oct 2008 09:04:38 +0000 Received: by eris.apache.org (Postfix, from userid 65534) id B240323888D5; Mon, 6 Oct 2008 02:05:13 -0700 (PDT) Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Subject: svn commit: r702027 - in /archiva/trunk: ./ archiva-modules/archiva-web/archiva-security/src/main/java/org/apache/maven/archiva/security/ archiva-modules/archiva-web/archiva-security/src/test/java/org/apache/maven/archiva/security/ archiva-modules/arch... Date: Mon, 06 Oct 2008 09:05:11 -0000 To: commits@archiva.apache.org From: oching@apache.org X-Mailer: svnmailer-1.0.8 Message-Id: <20081006090513.B240323888D5@eris.apache.org> X-Virus-Checked: Checked by ClamAV on apache.org Author: oching Date: Mon Oct 6 02:05:09 2008 New Revision: 702027 URL: http://svn.apache.org/viewvc?rev=702027&view=rev Log: merged from archiva-security-fix trunk changes: -fix security issue -added RepositoryServletSecurityTest and ArchivaServletAuthenticatorTest test cases Added: archiva/trunk/archiva-modules/archiva-web/archiva-security/src/test/java/org/apache/maven/archiva/security/AbstractSecurityTest.java - copied unchanged from r702024, archiva/branches/archiva-security-fix/archiva-modules/archiva-web/archiva-security/src/test/java/org/apache/maven/archiva/security/AbstractSecurityTest.java archiva/trunk/archiva-modules/archiva-web/archiva-security/src/test/java/org/apache/maven/archiva/security/ArchivaServletAuthenticatorTest.java - copied unchanged from r702024, archiva/branches/archiva-security-fix/archiva-modules/archiva-web/archiva-security/src/test/java/org/apache/maven/archiva/security/ArchivaServletAuthenticatorTest.java archiva/trunk/archiva-modules/archiva-web/archiva-security/src/test/resources/org/apache/maven/archiva/security/ArchivaServletAuthenticatorTest.xml - copied unchanged from r702024, archiva/branches/archiva-security-fix/archiva-modules/archiva-web/archiva-security/src/test/resources/org/apache/maven/archiva/security/ArchivaServletAuthenticatorTest.xml archiva/trunk/archiva-modules/archiva-web/archiva-webdav/src/test/resources/WEB-INF/repository-servlet-security-test/ - copied from r702024, archiva/branches/archiva-security-fix/archiva-modules/archiva-web/archiva-webdav/src/test/resources/WEB-INF/repository-servlet-security-test/ archiva/trunk/archiva-modules/archiva-web/archiva-webdav/src/test/resources/WEB-INF/repository-servlet-security-test/web.xml - copied unchanged from r702024, archiva/branches/archiva-security-fix/archiva-modules/archiva-web/archiva-webdav/src/test/resources/WEB-INF/repository-servlet-security-test/web.xml Modified: archiva/trunk/archiva-modules/archiva-web/archiva-security/src/main/java/org/apache/maven/archiva/security/ArchivaServletAuthenticator.java archiva/trunk/archiva-modules/archiva-web/archiva-security/src/main/java/org/apache/maven/archiva/security/ArchivaXworkUser.java archiva/trunk/archiva-modules/archiva-web/archiva-security/src/main/java/org/apache/maven/archiva/security/ServletAuthenticator.java archiva/trunk/archiva-modules/archiva-web/archiva-security/src/test/java/org/apache/maven/archiva/security/DefaultUserRepositoriesTest.java archiva/trunk/archiva-modules/archiva-web/archiva-webdav/src/main/java/org/apache/maven/archiva/webdav/ArchivaDavResourceFactory.java archiva/trunk/archiva-modules/archiva-web/archiva-webdav/src/main/java/org/apache/maven/archiva/webdav/ArchivaDavSessionProvider.java archiva/trunk/archiva-modules/archiva-web/archiva-webdav/src/test/java/org/apache/maven/archiva/webdav/ArchivaDavSessionProviderTest.java archiva/trunk/archiva-modules/archiva-web/archiva-webdav/src/test/java/org/apache/maven/archiva/webdav/RepositoryServletSecurityTest.java archiva/trunk/archiva-modules/archiva-web/archiva-webdav/src/test/resources/org/apache/maven/archiva/webdav/RepositoryServletSecurityTest.xml archiva/trunk/pom.xml Modified: archiva/trunk/archiva-modules/archiva-web/archiva-security/src/main/java/org/apache/maven/archiva/security/ArchivaServletAuthenticator.java URL: http://svn.apache.org/viewvc/archiva/trunk/archiva-modules/archiva-web/archiva-security/src/main/java/org/apache/maven/archiva/security/ArchivaServletAuthenticator.java?rev=702027&r1=702026&r2=702027&view=diff ============================================================================== --- archiva/trunk/archiva-modules/archiva-web/archiva-security/src/main/java/org/apache/maven/archiva/security/ArchivaServletAuthenticator.java (original) +++ archiva/trunk/archiva-modules/archiva-web/archiva-security/src/main/java/org/apache/maven/archiva/security/ArchivaServletAuthenticator.java Mon Oct 6 02:05:09 2008 @@ -93,11 +93,18 @@ return true; } - public boolean isAuthorized( String principal, String repoId ) + public boolean isAuthorized( String principal, String repoId, boolean isWriteRequest ) throws UnauthorizedException { try { + String permission = ArchivaRoleConstants.OPERATION_REPOSITORY_ACCESS; + + if ( isWriteRequest ) + { + permission = ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD; + } + User user = securitySystem.getUserManager().findUser( principal ); if ( user.isLocked() ) { @@ -107,8 +114,7 @@ AuthenticationResult authn = new AuthenticationResult( true, principal, null ); SecuritySession securitySession = new DefaultSecuritySession( authn, user ); - return securitySystem.isAuthorized( securitySession, ArchivaRoleConstants.OPERATION_REPOSITORY_ACCESS, - repoId ); + return securitySystem.isAuthorized( securitySession, permission, repoId ); } catch ( UserNotFoundException e ) { Modified: archiva/trunk/archiva-modules/archiva-web/archiva-security/src/main/java/org/apache/maven/archiva/security/ArchivaXworkUser.java URL: http://svn.apache.org/viewvc/archiva/trunk/archiva-modules/archiva-web/archiva-security/src/main/java/org/apache/maven/archiva/security/ArchivaXworkUser.java?rev=702027&r1=702026&r2=702027&view=diff ============================================================================== --- archiva/trunk/archiva-modules/archiva-web/archiva-security/src/main/java/org/apache/maven/archiva/security/ArchivaXworkUser.java (original) +++ archiva/trunk/archiva-modules/archiva-web/archiva-security/src/main/java/org/apache/maven/archiva/security/ArchivaXworkUser.java Mon Oct 6 02:05:09 2008 @@ -85,4 +85,9 @@ return guest; } + + public void setGuest( String guesT ) + { + guest = guesT; + } } Modified: archiva/trunk/archiva-modules/archiva-web/archiva-security/src/main/java/org/apache/maven/archiva/security/ServletAuthenticator.java URL: http://svn.apache.org/viewvc/archiva/trunk/archiva-modules/archiva-web/archiva-security/src/main/java/org/apache/maven/archiva/security/ServletAuthenticator.java?rev=702027&r1=702026&r2=702027&view=diff ============================================================================== --- archiva/trunk/archiva-modules/archiva-web/archiva-security/src/main/java/org/apache/maven/archiva/security/ServletAuthenticator.java (original) +++ archiva/trunk/archiva-modules/archiva-web/archiva-security/src/main/java/org/apache/maven/archiva/security/ServletAuthenticator.java Mon Oct 6 02:05:09 2008 @@ -35,12 +35,46 @@ */ public interface ServletAuthenticator { + /** + * Authentication check for users. + * + * @param request + * @param result + * @return + * @throws AuthenticationException + * @throws AccountLockedException + * @throws MustChangePasswordException + */ public boolean isAuthenticated( HttpServletRequest request, AuthenticationResult result ) throws AuthenticationException, AccountLockedException, MustChangePasswordException; + /** + * Authorization check for valid users. + * + * @param request + * @param securitySession + * @param repositoryId + * @param isWriteRequest + * @return + * @throws AuthorizationException + * @throws UnauthorizedException + */ public boolean isAuthorized( HttpServletRequest request, SecuritySession securitySession, String repositoryId, boolean isWriteRequest ) throws AuthorizationException, UnauthorizedException; - public boolean isAuthorized( String principal, String repoId ) + /** + * Authorization check specific for user guest, which doesn't go through + * HttpBasicAuthentication#getAuthenticationResult( HttpServletRequest request, HttpServletResponse response ) + * since no credentials are attached to the request. + * + * See also MRM-911 + * + * @param principal + * @param repoId + * @param isWriteRequest + * @return + * @throws UnauthorizedException + */ + public boolean isAuthorized( String principal, String repoId, boolean isWriteRequest ) throws UnauthorizedException; } Modified: archiva/trunk/archiva-modules/archiva-web/archiva-security/src/test/java/org/apache/maven/archiva/security/DefaultUserRepositoriesTest.java URL: http://svn.apache.org/viewvc/archiva/trunk/archiva-modules/archiva-web/archiva-security/src/test/java/org/apache/maven/archiva/security/DefaultUserRepositoriesTest.java?rev=702027&r1=702026&r2=702027&view=diff ============================================================================== --- archiva/trunk/archiva-modules/archiva-web/archiva-security/src/test/java/org/apache/maven/archiva/security/DefaultUserRepositoriesTest.java (original) +++ archiva/trunk/archiva-modules/archiva-web/archiva-security/src/test/java/org/apache/maven/archiva/security/DefaultUserRepositoriesTest.java Mon Oct 6 02:05:09 2008 @@ -19,19 +19,9 @@ * under the License. */ -import java.io.File; import java.util.List; -import org.apache.commons.io.FileUtils; import org.apache.commons.lang.StringUtils; -import org.apache.maven.archiva.configuration.ArchivaConfiguration; -import org.apache.maven.archiva.configuration.ManagedRepositoryConfiguration; -import org.codehaus.plexus.spring.PlexusInSpringTestCase; -import org.codehaus.plexus.redback.rbac.RBACManager; -import org.codehaus.plexus.redback.role.RoleManager; -import org.codehaus.plexus.redback.system.SecuritySystem; -import org.codehaus.plexus.redback.users.User; -import org.codehaus.plexus.redback.users.UserManager; /** * DefaultUserRepositoriesTest @@ -40,24 +30,14 @@ * @version $Id$ */ public class DefaultUserRepositoriesTest - extends PlexusInSpringTestCase -{ - private static final String USER_GUEST = "guest"; - - private static final String USER_ADMIN = "admin"; - - private static final String USER_ALPACA = "alpaca"; - - private SecuritySystem securitySystem; - - private RBACManager rbacManager; - - private RoleManager roleManager; - - private ArchivaConfiguration archivaConfiguration; - - private UserRepositories userRepos; - + extends AbstractSecurityTest +{ + @Override + protected String getPlexusConfigLocation() + { + return "org/apache/maven/archiva/security/DefaultUserRepositoriesTest.xml"; + } + public void testGetObservableRepositoryIds() throws Exception { @@ -98,78 +78,9 @@ } } - private void setupRepository( String repoId ) - throws Exception - { - // Add repo to configuration. - ManagedRepositoryConfiguration repoConfig = new ManagedRepositoryConfiguration(); - repoConfig.setId( repoId ); - repoConfig.setName( "Testable repo <" + repoId + ">" ); - repoConfig.setLocation( getTestPath( "target/test-repo/" + repoId ) ); - archivaConfiguration.getConfiguration().addManagedRepository( repoConfig ); - - // Add repo roles to security. - userRepos.createMissingRepositoryRoles( repoId ); - } - private void assignGlobalRepositoryObserverRole( String principal ) throws Exception { roleManager.assignRole( ArchivaRoleConstants.TEMPLATE_GLOBAL_REPOSITORY_OBSERVER, principal ); } - - private void assignRepositoryObserverRole( String principal, String repoId ) - throws Exception - { - roleManager.assignTemplatedRole( ArchivaRoleConstants.TEMPLATE_REPOSITORY_OBSERVER, repoId, principal ); - } - - private User createUser( String principal, String fullname ) - { - UserManager userManager = securitySystem.getUserManager(); - - User user = userManager.createUser( principal, fullname, principal + "@testable.archiva.apache.org" ); - securitySystem.getPolicy().setEnabled( false ); - userManager.addUser( user ); - securitySystem.getPolicy().setEnabled( true ); - - return user; - } - - @Override - protected void setUp() - throws Exception - { - super.setUp(); - - File srcConfig = getTestFile( "src/test/resources/repository-archiva.xml" ); - File destConfig = getTestFile( "target/test-conf/archiva.xml" ); - - destConfig.getParentFile().mkdirs(); - destConfig.delete(); - - FileUtils.copyFile( srcConfig, destConfig ); - - securitySystem = (SecuritySystem) lookup( SecuritySystem.class, "testable" ); - rbacManager = (RBACManager) lookup( RBACManager.class, "memory" ); - roleManager = (RoleManager) lookup( RoleManager.class, "default" ); - userRepos = (UserRepositories) lookup( UserRepositories.class, "default" ); - archivaConfiguration = (ArchivaConfiguration) lookup( ArchivaConfiguration.class ); - - // Some basic asserts. - assertNotNull( securitySystem ); - assertNotNull( rbacManager ); - assertNotNull( roleManager ); - assertNotNull( userRepos ); - assertNotNull( archivaConfiguration ); - - // Setup Admin User. - User adminUser = createUser( USER_ADMIN, "Admin User" ); - roleManager.assignRole( ArchivaRoleConstants.TEMPLATE_SYSTEM_ADMIN, adminUser.getPrincipal().toString() ); - - // Setup Guest User. - User guestUser = createUser( USER_GUEST, "Guest User" ); - roleManager.assignRole( ArchivaRoleConstants.TEMPLATE_GUEST, guestUser.getPrincipal().toString() ); - - } } Modified: archiva/trunk/archiva-modules/archiva-web/archiva-webdav/src/main/java/org/apache/maven/archiva/webdav/ArchivaDavResourceFactory.java URL: http://svn.apache.org/viewvc/archiva/trunk/archiva-modules/archiva-web/archiva-webdav/src/main/java/org/apache/maven/archiva/webdav/ArchivaDavResourceFactory.java?rev=702027&r1=702026&r2=702027&view=diff ============================================================================== --- archiva/trunk/archiva-modules/archiva-web/archiva-webdav/src/main/java/org/apache/maven/archiva/webdav/ArchivaDavResourceFactory.java (original) +++ archiva/trunk/archiva-modules/archiva-web/archiva-webdav/src/main/java/org/apache/maven/archiva/webdav/ArchivaDavResourceFactory.java Mon Oct 6 02:05:09 2008 @@ -186,14 +186,14 @@ { checkLocatorIsInstanceOfRepositoryLocator( locator ); ArchivaDavResourceLocator archivaLocator = (ArchivaDavResourceLocator) locator; - + RepositoryGroupConfiguration repoGroupConfig = archivaConfiguration.getConfiguration().getRepositoryGroupsAsMap().get( archivaLocator.getRepositoryId() ); List repositories = new ArrayList(); boolean isGet = WebdavMethodUtil.isReadMethod( request.getMethod() ); boolean isPut = WebdavMethodUtil.isWriteMethod( request.getMethod() ); - + if ( repoGroupConfig != null ) { if( WebdavMethodUtil.isWriteMethod( request.getMethod() ) ) @@ -230,7 +230,7 @@ try { - managedRepository = getManagedRepository( repositoryId ); + managedRepository = getManagedRepository( repositoryId ); } catch ( DavException de ) { @@ -241,13 +241,13 @@ DavResource resource = null; if ( !locator.getResourcePath().startsWith( ArchivaDavResource.HIDDEN_PATH_PREFIX ) ) - { + { if ( managedRepository != null ) { try { if( isAuthorized( request, repositoryId ) ) - { + { LogicalResource logicalResource = new LogicalResource( RepositoryPathUtil.getLogicalResource( locator.getResourcePath() ) ); @@ -258,12 +258,12 @@ if ( isPut ) { - resource = doPut( managedRepository, request, archivaLocator, logicalResource ); + resource = doPut( managedRepository, request, archivaLocator, logicalResource ); } } } catch ( DavException de ) - { + { e = de; continue; } @@ -273,11 +273,11 @@ e = new DavException( HttpServletResponse.SC_NOT_FOUND, "Resource does not exist" ); } else - { + { availableResources.add( resource ); String logicalResource = RepositoryPathUtil.getLogicalResource( locator.getResourcePath() ); - resourcesInAbsolutePath.add( managedRepository.getRepoRoot() + logicalResource ); + resourcesInAbsolutePath.add( managedRepository.getRepoRoot() + logicalResource ); } } else @@ -491,15 +491,16 @@ File rootDirectory = new File( managedRepository.getRepoRoot() ); File destDir = new File( rootDirectory, logicalResource.getPath() ).getParentFile(); + if ( request.getMethod().equals(HTTP_PUT_METHOD) && !destDir.exists() ) { destDir.mkdirs(); String relPath = PathUtil.getRelative( rootDirectory.getAbsolutePath(), destDir ); triggerAuditEvent( request.getRemoteAddr(), logicalResource.getPath(), relPath, AuditEvent.CREATE_DIR ); } - - File resourceFile = new File( managedRepository.getRepoRoot(), logicalResource.getPath() ); - + + File resourceFile = new File( managedRepository.getRepoRoot(), logicalResource.getPath() ); + return new ArchivaDavResource( resourceFile.getAbsolutePath(), logicalResource.getPath(), managedRepository.getRepository(), request.getRemoteAddr(), request.getDavSession(), locator, this, mimeTypes, auditListeners, consumers, archivaXworkUser ); @@ -721,9 +722,9 @@ protected boolean isAuthorized( DavServletRequest request, String repositoryId ) throws DavException - { + { try - { + { AuthenticationResult result = httpAuth.getAuthenticationResult( request, null ); SecuritySession securitySession = httpAuth.getSecuritySession(); @@ -732,13 +733,15 @@ WebdavMethodUtil.isWriteMethod( request.getMethod() ) ); } catch ( AuthenticationException e ) - { + { + boolean isPut = WebdavMethodUtil.isWriteMethod( request.getMethod() ); + // safety check for MRM-911 String guest = archivaXworkUser.getGuest(); try { if( servletAuth.isAuthorized( guest, - ( ( ArchivaDavResourceLocator ) request.getRequestLocator() ).getRepositoryId() ) ) + ( ( ArchivaDavResourceLocator ) request.getRequestLocator() ).getRepositoryId(), isPut ) ) { return true; } @@ -795,6 +798,8 @@ if( allow ) { + boolean isPut = WebdavMethodUtil.isWriteMethod( request.getMethod() ); + for( String repository : repositories ) { // for prompted authentication @@ -817,7 +822,7 @@ // for the current user logged in try { - if( servletAuth.isAuthorized( activePrincipal, repository ) ) + if( servletAuth.isAuthorized( activePrincipal, repository, isPut ) ) { getResource( locator, mergedRepositoryContents, logicalResource, repository ); } @@ -909,11 +914,12 @@ } else { + boolean isPut = WebdavMethodUtil.isWriteMethod( request.getMethod() ); for( String repository : repositories ) { try - { - if( servletAuth.isAuthorized( activePrincipal, repository ) ) + { + if( servletAuth.isAuthorized( activePrincipal, repository, isPut ) ) { allow = true; break; @@ -974,4 +980,14 @@ return true; } } + + public void setServletAuth( ServletAuthenticator servletAuth ) + { + this.servletAuth = servletAuth; + } + + public void setHttpAuth( HttpAuthenticator httpAuth ) + { + this.httpAuth = httpAuth; + } } Modified: archiva/trunk/archiva-modules/archiva-web/archiva-webdav/src/main/java/org/apache/maven/archiva/webdav/ArchivaDavSessionProvider.java URL: http://svn.apache.org/viewvc/archiva/trunk/archiva-modules/archiva-web/archiva-webdav/src/main/java/org/apache/maven/archiva/webdav/ArchivaDavSessionProvider.java?rev=702027&r1=702026&r2=702027&view=diff ============================================================================== --- archiva/trunk/archiva-modules/archiva-web/archiva-webdav/src/main/java/org/apache/maven/archiva/webdav/ArchivaDavSessionProvider.java (original) +++ archiva/trunk/archiva-modules/archiva-web/archiva-webdav/src/main/java/org/apache/maven/archiva/webdav/ArchivaDavSessionProvider.java Mon Oct 6 02:05:09 2008 @@ -24,6 +24,7 @@ import org.apache.jackrabbit.webdav.DavException; import org.apache.jackrabbit.webdav.DavServletRequest; import org.apache.maven.archiva.webdav.util.RepositoryPathUtil; +import org.apache.maven.archiva.webdav.util.WebdavMethodUtil; import org.apache.maven.archiva.security.ArchivaXworkUser; import org.apache.maven.archiva.security.ServletAuthenticator; import org.codehaus.plexus.redback.authentication.AuthenticationException; @@ -72,12 +73,14 @@ } catch ( AuthenticationException e ) { + boolean isPut = WebdavMethodUtil.isWriteMethod( request.getMethod() ); + // safety check for MRM-911 String guest = archivaXworkUser.getGuest(); try { if( servletAuth.isAuthorized( guest, - ( ( ArchivaDavResourceLocator ) request.getRequestLocator() ).getRepositoryId() ) ) + ( ( ArchivaDavResourceLocator ) request.getRequestLocator() ).getRepositoryId(), isPut ) ) { request.setDavSession(new ArchivaDavSession()); return true; Modified: archiva/trunk/archiva-modules/archiva-web/archiva-webdav/src/test/java/org/apache/maven/archiva/webdav/ArchivaDavSessionProviderTest.java URL: http://svn.apache.org/viewvc/archiva/trunk/archiva-modules/archiva-web/archiva-webdav/src/test/java/org/apache/maven/archiva/webdav/ArchivaDavSessionProviderTest.java?rev=702027&r1=702026&r2=702027&view=diff ============================================================================== --- archiva/trunk/archiva-modules/archiva-web/archiva-webdav/src/test/java/org/apache/maven/archiva/webdav/ArchivaDavSessionProviderTest.java (original) +++ archiva/trunk/archiva-modules/archiva-web/archiva-webdav/src/test/java/org/apache/maven/archiva/webdav/ArchivaDavSessionProviderTest.java Mon Oct 6 02:05:09 2008 @@ -362,7 +362,7 @@ return true; } - public boolean isAuthorized(String arg0, String arg1) + public boolean isAuthorized(String arg0, String arg1, boolean isWriteRequest) throws UnauthorizedException { return true; Modified: archiva/trunk/archiva-modules/archiva-web/archiva-webdav/src/test/java/org/apache/maven/archiva/webdav/RepositoryServletSecurityTest.java URL: http://svn.apache.org/viewvc/archiva/trunk/archiva-modules/archiva-web/archiva-webdav/src/test/java/org/apache/maven/archiva/webdav/RepositoryServletSecurityTest.java?rev=702027&r1=702026&r2=702027&view=diff ============================================================================== --- archiva/trunk/archiva-modules/archiva-web/archiva-webdav/src/test/java/org/apache/maven/archiva/webdav/RepositoryServletSecurityTest.java (original) +++ archiva/trunk/archiva-modules/archiva-web/archiva-webdav/src/test/java/org/apache/maven/archiva/webdav/RepositoryServletSecurityTest.java Mon Oct 6 02:05:09 2008 @@ -1,21 +1,550 @@ package org.apache.maven.archiva.webdav; -/** - * RepositoryServletSecurityTest +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +import java.io.File; +import java.io.IOException; +import java.io.InputStream; + +import javax.servlet.http.HttpServletResponse; + +import net.sf.ehcache.CacheManager; + +import org.apache.commons.io.FileUtils; +import org.apache.jackrabbit.webdav.DavResourceFactory; +import org.apache.jackrabbit.webdav.DavSessionProvider; +import org.apache.maven.archiva.configuration.ArchivaConfiguration; +import org.apache.maven.archiva.configuration.Configuration; +import org.apache.maven.archiva.configuration.ManagedRepositoryConfiguration; +import org.apache.maven.archiva.security.ArchivaXworkUser; +import org.apache.maven.archiva.security.ServletAuthenticator; +import org.codehaus.plexus.redback.authentication.AuthenticationException; +import org.codehaus.plexus.redback.authentication.AuthenticationResult; +import org.codehaus.plexus.redback.authorization.UnauthorizedException; +import org.codehaus.plexus.redback.system.DefaultSecuritySession; +import org.codehaus.plexus.redback.system.SecuritySession; +import org.codehaus.plexus.redback.xwork.filter.authentication.HttpAuthenticator; +import org.codehaus.plexus.redback.xwork.filter.authentication.basic.HttpBasicAuthentication; +import org.codehaus.plexus.spring.PlexusInSpringTestCase; +import org.easymock.MockControl; +import org.easymock.classextension.MockClassControl; +import org.easymock.internal.AlwaysMatcher; + +import com.meterware.httpunit.GetMethodWebRequest; +import com.meterware.httpunit.HttpUnitOptions; +import com.meterware.httpunit.PutMethodWebRequest; +import com.meterware.httpunit.WebRequest; +import com.meterware.httpunit.WebResponse; +import com.meterware.servletunit.InvocationContext; +import com.meterware.servletunit.ServletRunner; +import com.meterware.servletunit.ServletUnitClient; + +/** + * RepositoryServletSecurityTest + * + * Test the flow of the authentication and authorization checks. This does not necessarily + * perform redback security checking. + * * @author Joakim Erdfelt * @version $Id$ */ public class RepositoryServletSecurityTest - extends AbstractRepositoryServletTestCase + extends PlexusInSpringTestCase { - public void testSecuredGet() + protected static final String REPOID_INTERNAL = "internal"; + + protected ServletUnitClient sc; + + protected File repoRootInternal; + + private ServletRunner sr; + + protected ArchivaConfiguration archivaConfiguration; + + private DavSessionProvider davSessionProvider; + + private MockControl servletAuthControl; + + private ServletAuthenticator servletAuth; + + private MockClassControl httpAuthControl; + + private HttpAuthenticator httpAuth; + + private ArchivaXworkUser archivaXworkUser; + + private RepositoryServlet servlet; + + public void setUp() + throws Exception + { + super.setUp(); + + String appserverBase = getTestFile( "target/appserver-base" ).getAbsolutePath(); + System.setProperty( "appserver.base", appserverBase ); + + File testConf = getTestFile( "src/test/resources/repository-archiva.xml" ); + File testConfDest = new File( appserverBase, "conf/archiva.xml" ); + FileUtils.copyFile( testConf, testConfDest ); + + archivaConfiguration = (ArchivaConfiguration) lookup( ArchivaConfiguration.class ); + repoRootInternal = new File( appserverBase, "data/repositories/internal" ); + Configuration config = archivaConfiguration.getConfiguration(); + + config.addManagedRepository( createManagedRepository( REPOID_INTERNAL, "Internal Test Repo", repoRootInternal ) ); + saveConfiguration( archivaConfiguration ); + + CacheManager.getInstance().removeCache( "url-failures-cache" ); + + HttpUnitOptions.setExceptionsThrownOnErrorStatus( false ); + + sr = new ServletRunner( getTestFile( "src/test/resources/WEB-INF/repository-servlet-security-test/web.xml" ) ); + sr.registerServlet( "/repository/*", RepositoryServlet.class.getName() ); + sc = sr.newClient(); + + servletAuthControl = MockControl.createControl( ServletAuthenticator.class ); + servletAuthControl.setDefaultMatcher( MockControl.ALWAYS_MATCHER ); + servletAuth = (ServletAuthenticator) servletAuthControl.getMock(); + + httpAuthControl = + MockClassControl.createControl( HttpBasicAuthentication.class, HttpBasicAuthentication.class.getMethods() ); + httpAuthControl.setDefaultMatcher( MockControl.ALWAYS_MATCHER ); + httpAuth = (HttpAuthenticator) httpAuthControl.getMock(); + + archivaXworkUser = new ArchivaXworkUser(); + archivaXworkUser.setGuest( "guest" ); + + davSessionProvider = new ArchivaDavSessionProvider( servletAuth, httpAuth, archivaXworkUser ); + } + + protected ManagedRepositoryConfiguration createManagedRepository( String id, String name, File location ) { + ManagedRepositoryConfiguration repo = new ManagedRepositoryConfiguration(); + repo.setId( id ); + repo.setName( name ); + repo.setLocation( location.getAbsolutePath() ); + return repo; + } + + protected void saveConfiguration() + throws Exception + { + saveConfiguration( archivaConfiguration ); + } + + protected void saveConfiguration( ArchivaConfiguration archivaConfiguration ) + throws Exception + { + archivaConfiguration.save( archivaConfiguration.getConfiguration() ); + } + + protected void setupCleanRepo( File repoRootDir ) + throws IOException + { + FileUtils.deleteDirectory( repoRootDir ); + if ( !repoRootDir.exists() ) + { + repoRootDir.mkdirs(); + } + } + + @Override + protected String getPlexusConfigLocation() + { + return "org/apache/maven/archiva/webdav/RepositoryServletSecurityTest.xml"; + } + + @Override + protected void tearDown() + throws Exception + { + if ( sc != null ) + { + sc.clearContents(); + } + + if ( sr != null ) + { + sr.shutDown(); + } + + if ( repoRootInternal.exists() ) + { + FileUtils.deleteDirectory(repoRootInternal); + } + + servlet = null; + super.tearDown(); } - - public void testSecuredBrowse() + + // test deploy with invalid user, and guest has no write access to repo + // 401 must be returned + public void testPutWithInvalidUserAndGuestHasNoWriteAccess() + throws Exception { + setupCleanRepo( repoRootInternal ); + + String putUrl = "http://machine.com/repository/internal/path/to/artifact.jar"; + InputStream is = getClass().getResourceAsStream( "/artifact.jar" ); + assertNotNull( "artifact.jar inputstream", is ); + + WebRequest request = new PutMethodWebRequest( putUrl, is, "application/octet-stream" ); + InvocationContext ic = sc.newInvocation( request ); + servlet = (RepositoryServlet) ic.getServlet(); + servlet.setDavSessionProvider( davSessionProvider ); + + AuthenticationResult result = new AuthenticationResult(); + httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result ); + servletAuthControl.expectAndThrow( servletAuth.isAuthenticated( null, null ), + new AuthenticationException( "Authentication error" ) ); + + servletAuth.isAuthorized( "guest", "internal", true ); + servletAuthControl.setMatcher( MockControl.EQUALS_MATCHER ); + servletAuthControl.setThrowable( new UnauthorizedException( "'guest' has no write access to repository" ) ); + + httpAuthControl.replay(); + servletAuthControl.replay(); + + servlet.service( ic.getRequest(), ic.getResponse() ); + + httpAuthControl.verify(); + servletAuthControl.verify(); + + //assertEquals(HttpServletResponse.SC_UNAUTHORIZED, response.getResponseCode()); + } + + // test deploy with invalid user, but guest has write access to repo + public void testPutWithInvalidUserAndGuestHasWriteAccess() + throws Exception + { + setupCleanRepo( repoRootInternal ); + + String putUrl = "http://machine.com/repository/internal/path/to/artifact.jar"; + InputStream is = getClass().getResourceAsStream( "/artifact.jar" ); + assertNotNull( "artifact.jar inputstream", is ); + + WebRequest request = new PutMethodWebRequest( putUrl, is, "application/octet-stream" ); + + InvocationContext ic = sc.newInvocation( request ); + servlet = (RepositoryServlet) ic.getServlet(); + servlet.setDavSessionProvider( davSessionProvider ); + + ArchivaDavResourceFactory archivaDavResourceFactory = (ArchivaDavResourceFactory) servlet.getResourceFactory(); + archivaDavResourceFactory.setHttpAuth( httpAuth ); + archivaDavResourceFactory.setServletAuth( servletAuth ); + + servlet.setResourceFactory( archivaDavResourceFactory ); + + AuthenticationResult result = new AuthenticationResult(); + httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result ); + servletAuthControl.expectAndThrow( servletAuth.isAuthenticated( null, null ), + new AuthenticationException( "Authentication error" ) ); + + servletAuth.isAuthorized( "guest", "internal", true ); + servletAuthControl.setMatcher( MockControl.EQUALS_MATCHER ); + servletAuthControl.setReturnValue( true ); + + // ArchivaDavResourceFactory#isAuthorized() + SecuritySession session = new DefaultSecuritySession(); + httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result ); + httpAuthControl.expectAndReturn( httpAuth.getSecuritySession(), session ); + servletAuthControl.expectAndThrow( servletAuth.isAuthenticated( null, result ), + new AuthenticationException( "Authentication error" ) ); + + // check if guest has write access + servletAuth.isAuthorized( "guest", "internal", true ); + servletAuthControl.setMatcher( MockControl.EQUALS_MATCHER ); + servletAuthControl.setReturnValue( true ); + + httpAuthControl.replay(); + servletAuthControl.replay(); + + servlet.service( ic.getRequest(), ic.getResponse() ); + + httpAuthControl.verify(); + servletAuthControl.verify(); + + // assertEquals( HttpServletResponse.SC_CREATED, response.getResponseCode() ); + } + + // test deploy with a valid user with no write access + public void testPutWithValidUserWithNoWriteAccess() + throws Exception + { + setupCleanRepo( repoRootInternal ); + + String putUrl = "http://machine.com/repository/internal/path/to/artifact.jar"; + InputStream is = getClass().getResourceAsStream( "/artifact.jar" ); + assertNotNull( "artifact.jar inputstream", is ); + + WebRequest request = new PutMethodWebRequest( putUrl, is, "application/octet-stream" ); + + InvocationContext ic = sc.newInvocation( request ); + servlet = (RepositoryServlet) ic.getServlet(); + servlet.setDavSessionProvider( davSessionProvider ); + + ArchivaDavResourceFactory archivaDavResourceFactory = (ArchivaDavResourceFactory) servlet.getResourceFactory(); + archivaDavResourceFactory.setHttpAuth( httpAuth ); + archivaDavResourceFactory.setServletAuth( servletAuth ); + servlet.setResourceFactory( archivaDavResourceFactory ); + + AuthenticationResult result = new AuthenticationResult(); + httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result ); + servletAuthControl.expectAndReturn( servletAuth.isAuthenticated( null, null ), true ); + + // ArchivaDavResourceFactory#isAuthorized() + SecuritySession session = new DefaultSecuritySession(); + httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result ); + httpAuthControl.expectAndReturn( httpAuth.getSecuritySession(), session ); + servletAuthControl.expectAndReturn( servletAuth.isAuthenticated( null, result ), true ); + servletAuthControl.expectAndThrow( servletAuth.isAuthorized( null, session, "internal", true ), + new UnauthorizedException( "User not authorized" ) ); + + httpAuthControl.replay(); + servletAuthControl.replay(); + + servlet.service( ic.getRequest(), ic.getResponse() ); + + httpAuthControl.verify(); + servletAuthControl.verify(); + + // assertEquals(HttpServletResponse.SC_UNAUTHORIZED, response.getResponseCode()); + } + + // test deploy with a valid user with write access + public void testPutWithValidUserWithWriteAccess() + throws Exception + { + setupCleanRepo( repoRootInternal ); + assertTrue( repoRootInternal.exists() ); + + String putUrl = "http://machine.com/repository/internal/path/to/artifact.jar"; + InputStream is = getClass().getResourceAsStream( "/artifact.jar" ); + assertNotNull( "artifact.jar inputstream", is ); + + WebRequest request = new PutMethodWebRequest( putUrl, is, "application/octet-stream" ); + + InvocationContext ic = sc.newInvocation( request ); + servlet = (RepositoryServlet) ic.getServlet(); + servlet.setDavSessionProvider( davSessionProvider ); + + ArchivaDavResourceFactory archivaDavResourceFactory = (ArchivaDavResourceFactory) servlet.getResourceFactory(); + archivaDavResourceFactory.setHttpAuth( httpAuth ); + archivaDavResourceFactory.setServletAuth( servletAuth ); + + servlet.setResourceFactory( archivaDavResourceFactory ); + + AuthenticationResult result = new AuthenticationResult(); + httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result ); + servletAuthControl.expectAndReturn( servletAuth.isAuthenticated( null, null ), true ); + + // ArchivaDavResourceFactory#isAuthorized() + SecuritySession session = new DefaultSecuritySession(); + httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result ); + httpAuthControl.expectAndReturn( httpAuth.getSecuritySession(), session ); + servletAuthControl.expectAndReturn( servletAuth.isAuthenticated( null, result ), true ); + servletAuthControl.expectAndReturn( servletAuth.isAuthorized( null, session, "internal", true ), true ); + + httpAuthControl.replay(); + servletAuthControl.replay(); + + servlet.service( ic.getRequest(), ic.getResponse() ); + + httpAuthControl.verify(); + servletAuthControl.verify(); + + // assertEquals(HttpServletResponse.SC_CREATED, response.getResponseCode()); + } + + // test get with invalid user, and guest has read access to repo + public void testGetWithInvalidUserAndGuestHasReadAccess() + throws Exception + { + String commonsLangJar = "commons-lang/commons-lang/2.1/commons-lang-2.1.jar"; + String expectedArtifactContents = "dummy-commons-lang-artifact"; + + File artifactFile = new File( repoRootInternal, commonsLangJar ); + artifactFile.getParentFile().mkdirs(); + + FileUtils.writeStringToFile( artifactFile, expectedArtifactContents, null ); + + WebRequest request = new GetMethodWebRequest( "http://machine.com/repository/internal/" + commonsLangJar ); + InvocationContext ic = sc.newInvocation( request ); + servlet = (RepositoryServlet) ic.getServlet(); + servlet.setDavSessionProvider( davSessionProvider ); + + ArchivaDavResourceFactory archivaDavResourceFactory = (ArchivaDavResourceFactory) servlet.getResourceFactory(); + archivaDavResourceFactory.setHttpAuth( httpAuth ); + archivaDavResourceFactory.setServletAuth( servletAuth ); + + servlet.setResourceFactory( archivaDavResourceFactory ); + + AuthenticationResult result = new AuthenticationResult(); + httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result ); + servletAuthControl.expectAndThrow( servletAuth.isAuthenticated( null, null ), + new AuthenticationException( "Authentication error" ) ); + servletAuthControl.expectAndReturn( servletAuth.isAuthorized( "guest", "internal", false ), true ); + + // ArchivaDavResourceFactory#isAuthorized() + SecuritySession session = new DefaultSecuritySession(); + httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result ); + httpAuthControl.expectAndReturn( httpAuth.getSecuritySession(), session ); + servletAuthControl.expectAndReturn( servletAuth.isAuthenticated( null, result ), true ); + servletAuthControl.expectAndReturn( servletAuth.isAuthorized( null, session, "internal", true ), true ); + + httpAuthControl.replay(); + servletAuthControl.replay(); + + WebResponse response = sc.getResponse( request ); + + httpAuthControl.verify(); + servletAuthControl.verify(); + + assertEquals( HttpServletResponse.SC_OK, response.getResponseCode() ); + assertEquals( "Expected file contents", expectedArtifactContents, response.getText() ); + } + + // test get with invalid user, and guest has no read access to repo + public void testGetWithInvalidUserAndGuestHasNoReadAccess() + throws Exception + { + String commonsLangJar = "commons-lang/commons-lang/2.1/commons-lang-2.1.jar"; + String expectedArtifactContents = "dummy-commons-lang-artifact"; + + File artifactFile = new File( repoRootInternal, commonsLangJar ); + artifactFile.getParentFile().mkdirs(); + + FileUtils.writeStringToFile( artifactFile, expectedArtifactContents, null ); + + WebRequest request = new GetMethodWebRequest( "http://machine.com/repository/internal/" + commonsLangJar ); + InvocationContext ic = sc.newInvocation( request ); + servlet = (RepositoryServlet) ic.getServlet(); + servlet.setDavSessionProvider( davSessionProvider ); + + AuthenticationResult result = new AuthenticationResult(); + httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result ); + servletAuthControl.expectAndThrow( servletAuth.isAuthenticated( null, null ), + new AuthenticationException( "Authentication error" ) ); + servletAuthControl.expectAndReturn( servletAuth.isAuthorized( "guest", "internal", false ), false ); + + httpAuthControl.replay(); + servletAuthControl.replay(); + + WebResponse response = sc.getResponse( request ); + + httpAuthControl.verify(); + servletAuthControl.verify(); + + assertEquals( HttpServletResponse.SC_UNAUTHORIZED, response.getResponseCode() ); + } + + // test get with valid user with read access to repo + public void testGetWithAValidUserWithReadAccess() + throws Exception + { + String commonsLangJar = "commons-lang/commons-lang/2.1/commons-lang-2.1.jar"; + String expectedArtifactContents = "dummy-commons-lang-artifact"; + + File artifactFile = new File( repoRootInternal, commonsLangJar ); + artifactFile.getParentFile().mkdirs(); + + FileUtils.writeStringToFile( artifactFile, expectedArtifactContents, null ); + + WebRequest request = new GetMethodWebRequest( "http://machine.com/repository/internal/" + commonsLangJar ); + InvocationContext ic = sc.newInvocation( request ); + servlet = (RepositoryServlet) ic.getServlet(); + servlet.setDavSessionProvider( davSessionProvider ); + + ArchivaDavResourceFactory archivaDavResourceFactory = (ArchivaDavResourceFactory) servlet.getResourceFactory(); + archivaDavResourceFactory.setHttpAuth( httpAuth ); + archivaDavResourceFactory.setServletAuth( servletAuth ); + + servlet.setResourceFactory( archivaDavResourceFactory ); + + AuthenticationResult result = new AuthenticationResult(); + httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result ); + servletAuthControl.expectAndReturn( servletAuth.isAuthenticated( null, null ), true ); + + // ArchivaDavResourceFactory#isAuthorized() + SecuritySession session = new DefaultSecuritySession(); + httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result ); + httpAuthControl.expectAndReturn( httpAuth.getSecuritySession(), session ); + servletAuthControl.expectAndReturn( servletAuth.isAuthenticated( null, result ), true ); + servletAuthControl.expectAndReturn( servletAuth.isAuthorized( null, session, "internal", true ), true ); + + httpAuthControl.replay(); + servletAuthControl.replay(); + + WebResponse response = sc.getResponse( request ); + + httpAuthControl.verify(); + servletAuthControl.verify(); + + assertEquals( HttpServletResponse.SC_OK, response.getResponseCode() ); + assertEquals( "Expected file contents", expectedArtifactContents, response.getText() ); + } + + // test get with valid user with no read access to repo + public void testGetWithAValidUserWithNoReadAccess() + throws Exception + { + String commonsLangJar = "commons-lang/commons-lang/2.1/commons-lang-2.1.jar"; + String expectedArtifactContents = "dummy-commons-lang-artifact"; + + File artifactFile = new File( repoRootInternal, commonsLangJar ); + artifactFile.getParentFile().mkdirs(); + + FileUtils.writeStringToFile( artifactFile, expectedArtifactContents, null ); + + WebRequest request = new GetMethodWebRequest( "http://machine.com/repository/internal/" + commonsLangJar ); + InvocationContext ic = sc.newInvocation( request ); + servlet = (RepositoryServlet) ic.getServlet(); + servlet.setDavSessionProvider( davSessionProvider ); + + ArchivaDavResourceFactory archivaDavResourceFactory = (ArchivaDavResourceFactory) servlet.getResourceFactory(); + archivaDavResourceFactory.setHttpAuth( httpAuth ); + archivaDavResourceFactory.setServletAuth( servletAuth ); + + servlet.setResourceFactory( archivaDavResourceFactory ); + + AuthenticationResult result = new AuthenticationResult(); + httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result ); + servletAuthControl.expectAndReturn( servletAuth.isAuthenticated( null, null ), true ); + + // ArchivaDavResourceFactory#isAuthorized() + SecuritySession session = new DefaultSecuritySession(); + httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result ); + httpAuthControl.expectAndReturn( httpAuth.getSecuritySession(), session ); + servletAuthControl.expectAndReturn( servletAuth.isAuthenticated( null, result ), true ); + servletAuthControl.expectAndThrow( servletAuth.isAuthorized( null, session, "internal", true ), + new UnauthorizedException( "User not authorized to read repository." ) ); + + httpAuthControl.replay(); + servletAuthControl.replay(); + + WebResponse response = sc.getResponse( request ); + + httpAuthControl.verify(); + servletAuthControl.verify(); + assertEquals( HttpServletResponse.SC_UNAUTHORIZED, response.getResponseCode() ); } } Modified: archiva/trunk/archiva-modules/archiva-web/archiva-webdav/src/test/resources/org/apache/maven/archiva/webdav/RepositoryServletSecurityTest.xml URL: http://svn.apache.org/viewvc/archiva/trunk/archiva-modules/archiva-web/archiva-webdav/src/test/resources/org/apache/maven/archiva/webdav/RepositoryServletSecurityTest.xml?rev=702027&r1=702026&r2=702027&view=diff ============================================================================== --- archiva/trunk/archiva-modules/archiva-web/archiva-webdav/src/test/resources/org/apache/maven/archiva/webdav/RepositoryServletSecurityTest.xml (original) +++ archiva/trunk/archiva-modules/archiva-web/archiva-webdav/src/test/resources/org/apache/maven/archiva/webdav/RepositoryServletSecurityTest.xml Mon Oct 6 02:05:09 2008 @@ -68,9 +68,12 @@ default org.apache.maven.archiva.webdav.DefaultDavServerManager DefaultDavServerManager - - proxied - + + + org.apache.maven.archiva.webdav.DavServerComponent + proxied + + @@ -99,174 +102,74 @@ org.apache.maven.archiva.repository.scanner.RepositoryContentConsumers default - org.apache.maven.archiva.web.repository.StubRepositoryContentConsumers + org.apache.maven.archiva.webdav.StubRepositoryContentConsumers - - + org.codehaus.plexus.redback.system.SecuritySystem default org.codehaus.plexus.redback.system.DefaultSecuritySystem - - - org.codehaus.plexus.redback.authentication.AuthenticationManager - authnManager - - - org.codehaus.plexus.redback.authorization.Authorizer - rbac - authorizer - - - org.codehaus.plexus.redback.users.UserManager - memory - userManager - - - org.codehaus.plexus.redback.keys.KeyManager - memory - keyManager - - - org.codehaus.plexus.redback.policy.UserSecurityPolicy - policy - - - - - org.codehaus.plexus.redback.authentication.Authenticator - user-manager - org.codehaus.plexus.redback.authentication.users.UserManagerAuthenticator + + + org.apache.maven.archiva.webdav.ArchivaDavResourceFactory + org.apache.maven.archiva.webdav.ArchivaDavResourceFactory - org.codehaus.plexus.redback.users.UserManager - memory - userManager - - - org.codehaus.plexus.redback.policy.UserSecurityPolicy - securityPolicy - - - - - - org.codehaus.plexus.redback.authentication.Authenticator - keystore - org.codehaus.plexus.redback.authentication.keystore.KeyStoreAuthenticator - - - org.codehaus.plexus.redback.keys.KeyManager - memory - keystore - - - org.codehaus.plexus.redback.users.UserManager - memory - userManager + org.apache.maven.archiva.configuration.ArchivaConfiguration + archivaConfiguration - - - - - org.codehaus.plexus.redback.authorization.rbac.evaluator.PermissionEvaluator - default - org.codehaus.plexus.redback.authorization.rbac.evaluator.DefaultPermissionEvaluator - - - org.codehaus.plexus.redback.users.UserManager - memory - userManager - - - - - - org.codehaus.plexus.redback.authorization.Authorizer - rbac - org.codehaus.plexus.redback.authorization.rbac.RbacAuthorizer - + org.apache.maven.archiva.repository.RepositoryContentFactory + repositoryFactory + - org.codehaus.plexus.redback.rbac.RBACManager - memory - manager + org.apache.maven.archiva.repository.content.RepositoryRequest + repositoryRequest - org.codehaus.plexus.redback.users.UserManager - memory - userManager + org.apache.maven.archiva.proxy.RepositoryProxyConnectors + connectors - org.codehaus.plexus.redback.authorization.rbac.evaluator.PermissionEvaluator - default - evaluator + org.apache.maven.archiva.repository.metadata.MetadataTools + metadataTools - - - - - org.codehaus.plexus.redback.role.RoleManager - default - org.codehaus.plexus.redback.role.DefaultRoleManager - singleton - - org.codehaus.plexus.redback.role.merger.RoleModelMerger - default - modelMerger + org.apache.maven.archiva.security.ServletAuthenticator + servletAuth - org.codehaus.plexus.redback.role.validator.RoleModelValidator - default - modelValidator + org.apache.maven.archiva.webdav.util.MimeTypes + mimeTypes - org.codehaus.plexus.redback.role.processor.RoleModelProcessor - default - modelProcessor + org.codehaus.plexus.redback.xwork.filter.authentication.HttpAuthenticator + basic + httpAuth - org.codehaus.plexus.redback.role.template.RoleTemplateProcessor + org.apache.maven.archiva.repository.scanner.RepositoryContentConsumers default - templateProcessor - org.codehaus.plexus.redback.rbac.RBACManager - memory - rbacManager + org.codehaus.plexus.digest.ChecksumFile + checksum - org.codehaus.plexus.PlexusContainer - container + org.codehaus.plexus.digest.Digester + sha1 + digestSha1 - - - - - org.codehaus.plexus.redback.role.processor.RoleModelProcessor - default - org.codehaus.plexus.redback.role.processor.DefaultRoleModelProcessor - - org.codehaus.plexus.redback.rbac.RBACManager - memory - rbacManager + org.codehaus.plexus.digest.Digester + md5 + digestMd5 - - - - - org.codehaus.plexus.redback.role.template.RoleTemplateProcessor - default - org.codehaus.plexus.redback.role.template.DefaultRoleTemplateProcessor - - org.codehaus.plexus.redback.rbac.RBACManager - memory - rbacManager - + org.apache.maven.archiva.security.ArchivaXworkUser + archivaXworkUser + Modified: archiva/trunk/pom.xml URL: http://svn.apache.org/viewvc/archiva/trunk/pom.xml?rev=702027&r1=702026&r2=702027&view=diff ============================================================================== --- archiva/trunk/pom.xml (original) +++ archiva/trunk/pom.xml Mon Oct 6 02:05:09 2008 @@ -205,6 +205,12 @@ test + easymock + easymockclassextension + 1.2 + test + + org.slf4j jcl104-over-slf4j test