archiva-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Martin <marti...@apache.org>
Subject Re: Rest validation url
Date Mon, 08 May 2017 19:31:41 GMT
After reconsidering the configuration process I think security.properties 
cannot really work (as I think it should have worked).
When the redback runtime configuration properties are changed (e.g. via the 
WebUI) . The whole property set (inclusive defaults) is written to 
archiva.xml. And these values always overwrite the values of 
security.properties.
So security.properties is included because of historic reasons, to allow 
better migration of existing configurations. But after the properties are 
written to archiva.xml, the values in security.properties are not relevant 
anymore.

Greetings

Martin


Am Montag, 8. Mai 2017, 21:04:13 CEST schrieb Martin:
> Hi Olivier,
> 
> it seems the security.properties is ignored (at least when the configuration
> is read by the interceptor). I thought the files are read in the order as
> defined in applicationContext.xml but that seems not to be the case.
> 
> So for the first start, could you please put it in archiva.xml:
>   <redbackRuntimeConfiguration>
> ...
>     <configurationProperties>
> ...
>       <rest>
>         <csrffilter>
>           <enabled>true</enabled>
>           <disableTokenValidation>false</disableTokenValidation>
>           <absentorigin>
>             <deny>true</deny>
>           </absentorigin>
>         </csrffilter>
>         <baseUrl>http://archiva-repository.apache.org</baseUrl>
>         <baseUrl>http://localhost:9191</baseUrl>
>         <baseUrl>https://archiva-repository.apache.org</baseUrl>
>       </rest>
> ...
>    </configurationProperties>
> ...
> </redbackRuntimeConfiguration>
> 
> And could you please set the log level for the interceptor to trace:
> 
> <logger
> name="org.apache.archiva.redback.rest.services.interceptors.RequestValidatio
> nInterceptor" level="trace" />
> 
> 
> And for the dynamic case (ignored configuration) the retrieval of the target
> URL seems not to work as expected. It would be helpful, if you could
> extract/ log the HTTP headers that are sent with the request.
> I'm not sure, if jetty in this version can log HTTP headers. Another
> possibility would be tcpdump on the server.
> 
> Thanks for your help.
> 
> 
> Martin
> 
> Am Montag, 8. Mai 2017, 21:16:51 CEST schrieb Olivier Lamy:
> > I have a security.properties file in
> > ${appserver.base}/conf with this but doesn't work.
> > 
> > rest.baseUrl=http://archiva-repository.apache.org,http://localhost:9191,
> > https://archiva-repository.apache.org
> > 
> > rest.csrffilter.enabled=false
> > 
> > 
> > But still getting
> > 
> > 2017-05-08 10:59:15,090 [qtp1614464539-68] WARN
> > 
> >  org.apache.archiva.redback.rest.services.interceptors.RequestValidationIn
> >  te
> > 
> > rceptor [] - HTTP Header check failed. Assuming CSRF attack.
> > 
> > 2017-05-08 10:59:15,090 [qtp1614464539-68] WARN
> > 
> >  org.apache.archiva.redback.rest.services.interceptors.RequestValidationIn
> >  te
> > 
> > rceptor [] - Referer Header does not match: refererUrl=
> > https://archiva-repository.apache.org/archiva/index.html?request_lang=en,
> > targetUrl=
> > http://localhost:9191/restServices/archivaServices/commonServices/getAllI1
> > 8n Resources. Matches: Host=false, Port=false2017-05-08 10:59:15,091
> > [qtp1614464539-68] WARN
> > 
> >  org.apache.archiva.redback.rest.services.interceptors.RequestValidationIn
> >  te
> > 
> > rceptor [] - Referer Header does not match: refererUrl=
> > https://archiva-repository.apache.org/archiva/index.html?request_lang=en,
> > targetUrl=http://archiva-repository.apache.org,
> > archiva-repository.apache.org. Matches: Host=false, Port=false
> > 
> > On 8 May 2017 at 21:09, Olivier Lamy <olamy@apache.org> wrote:
> > > uhm I talked too fast :-(
> > > Let me check more seriously
> > > 
> > > On 8 May 2017 at 20:57, Olivier Lamy <olamy@apache.org> wrote:
> > >> Hi
> > >> I missed to say but all good here
> > >> Thanks!!
> > >> Olivier
> > >> 
> > >> On 28 April 2017 at 22:26, Olivier Lamy <olamy@apache.org> wrote:
> > >>> Hi
> > >>> I stopped Archiva.
> > >>> It's now restarted builds will be deployed.
> > >>> I will try to test during the weekend.
> > >>> Thanks!
> > >>> Olivier
> > >>> 
> > >>> On 28 April 2017 at 15:34, Martin Stockhammer <martin_s@apache.org>
> > >>> 
> > >>> wrote:
> > >>>> Hi Olivier,
> > >>>> 
> > >>>> I think I have fixed the configuration issue. And modified the
header
> > >>>> checks. You should be able to add a comma separated list for the
> > >>>> rest.baseUrl param.
> > >>>> Could you please check with the latest source. The Jenkins builds
> > >>>> currently fail, because there seems something wrong with the
> > >>>> repository
> > >>>> server or the latest snapshot builds that were uploaded. I'm not
sure
> > >>>> if
> > >>>> this is related to your changes on the repository server or another
> > >>>> issue.
> > >>>> 
> > >>>> Cheers
> > >>>> 
> > >>>> Martin
> > >>>> 
> > >>>> 
> > >>>> 
> > >>>> --
> > >>>> Diese Nachricht wurde von meinem Android-Gerät mit K-9 Mail gesendet.
> > >>> 
> > >>> --
> > >>> Olivier Lamy
> > >>> http://twitter.com/olamy | http://linkedin.com/in/olamy
> > >> 
> > >> --
> > >> Olivier Lamy
> > >> http://twitter.com/olamy | http://linkedin.com/in/olamy
> > > 
> > > --
> > > Olivier Lamy
> > > http://twitter.com/olamy | http://linkedin.com/in/olamy



Mime
View raw message