From Martin <marti...@apache.org>
Subject Re: Rest validation url
Date Wed, 10 May 2017 21:47:16 GMT
Great to hear!
I added a fix for the dynamic case with the reverse proxy (the header can 
contain host lists as I have learned now). 

Additionally I added an improvement for the repository checks (see MRM-1933).

If your deployment works well, I would like to restart the release process 
with the current master branch (archiva 2.2.3, redback 2.6).

Greetings 

Martin



On Wednesday, 10 May 2017, 21:37:20 CEST Olivier Lamy wrote:
> Hi Martin
> Works fine now with archiva.xml (little issue when not logged in; I pushed a
> fix in master and will deploy on
> https://archiva-repository.apache.org/archiva tomorrow)
> 
> Yes I agree all this configuration model must be cleaned (some legacy....)
> 
> On 9 May 2017 at 05:31, Martin <martin_s@apache.org> wrote:
> > After reconsidering the configuration process I think security.properties
> > cannot really work (as I think it should have worked).
> > When the redback runtime configuration properties are changed (e.g. via
> > the WebUI), the whole property set (including defaults) is written to
> > archiva.xml. And these values always overwrite the values of
> > security.properties.
> > So security.properties is included because of historic reasons, to allow
> > better migration of existing configurations. But after the properties are
> > written to archiva.xml, the values in security.properties are not relevant
> > anymore.
> > 
> > Greetings
> > 
> > Martin
> > 
> > On Monday, 8 May 2017, 21:04:13 CEST Martin wrote:
> > > Hi Olivier,
> > > 
> > > it seems the security.properties is ignored (at least when the
> > > configuration is read by the interceptor). I thought the files are read
> > > in the order defined in applicationContext.xml but that seems not to be
> > > the case.
> > > 
> > > So for the first start, could you please put it in archiva.xml:
> > > 
> > >   <redbackRuntimeConfiguration>
> > >     ...
> > >     <configurationProperties>
> > >       ...
> > >       <rest>
> > >         <csrffilter>
> > >           <enabled>true</enabled>
> > >           <disableTokenValidation>false</disableTokenValidation>
> > >           <absentorigin>
> > >             <deny>true</deny>
> > >           </absentorigin>
> > >         </csrffilter>
> > >         <baseUrl>http://archiva-repository.apache.org</baseUrl>
> > >         <baseUrl>http://localhost:9191</baseUrl>
> > >         <baseUrl>https://archiva-repository.apache.org</baseUrl>
> > >       </rest>
> > >       ...
> > >     </configurationProperties>
> > >     ...
> > >   </redbackRuntimeConfiguration>
> > > 
> > > And could you please set the log level for the interceptor to trace:
> > > 
> > > <logger name="org.apache.archiva.redback.rest.services.interceptors.RequestValidationInterceptor" level="trace" />
> > > 
> > > 
> > > And for the dynamic case (ignored configuration) the retrieval of the
> > > target URL seems not to work as expected. It would be helpful, if you
> > > could extract/log the HTTP headers that are sent with the request.
> > > I'm not sure if jetty in this version can log HTTP headers. Another
> > > possibility would be tcpdump on the server.
> > > 
> > > Thanks for your help.
> > > 
> > > 
> > > Martin
> > > 
> > > On Monday, 8 May 2017, 21:16:51 CEST Olivier Lamy wrote:
> > > > I have a security.properties file in
> > > > ${appserver.base}/conf with this but it doesn't work.
> > > > 
> > > > rest.baseUrl=http://archiva-repository.apache.org,http://localhost:9191,https://archiva-repository.apache.org
> > > > 
> > > > rest.csrffilter.enabled=false
> > > > 
> > > > 
> > > > But still getting
> > > > 
> > > > 2017-05-08 10:59:15,090 [qtp1614464539-68] WARN  org.apache.archiva.redback.rest.services.interceptors.RequestValidationInterceptor [] - HTTP Header check failed. Assuming CSRF attack.
> > > > 2017-05-08 10:59:15,090 [qtp1614464539-68] WARN  org.apache.archiva.redback.rest.services.interceptors.RequestValidationInterceptor [] - Referer Header does not match: refererUrl=https://archiva-repository.apache.org/archiva/index.html?request_lang=en, targetUrl=http://localhost:9191/restServices/archivaServices/commonServices/getAllI18nResources. Matches: Host=false, Port=false
> > > > 2017-05-08 10:59:15,091 [qtp1614464539-68] WARN  org.apache.archiva.redback.rest.services.interceptors.RequestValidationInterceptor [] - Referer Header does not match: refererUrl=https://archiva-repository.apache.org/archiva/index.html?request_lang=en, targetUrl=http://archiva-repository.apache.org, archiva-repository.apache.org. Matches: Host=false, Port=false
> > > > 
> > > > On 8 May 2017 at 21:09, Olivier Lamy <olamy@apache.org> wrote:
> > > > > uhm I talked too fast :-(
> > > > > Let me check more seriously
> > > > > 
> > > > > On 8 May 2017 at 20:57, Olivier Lamy <olamy@apache.org> wrote:
> > > > >> Hi
> > > > >> I missed to say but all good here
> > > > >> Thanks!!
> > > > >> Olivier
> > > > >> 
> > > > >> On 28 April 2017 at 22:26, Olivier Lamy <olamy@apache.org> wrote:
> > > > >>> Hi
> > > > >>> I stopped Archiva.
> > > > >>> It's now restarted builds will be deployed.
> > > > >>> I will try to test during the weekend.
> > > > >>> Thanks!
> > > > >>> Olivier
> > > > >>> 
> > > > >>> On 28 April 2017 at 15:34, Martin Stockhammer <martin_s@apache.org> wrote:
> > > > >>>> Hi Olivier,
> > > > >>>> 
> > > > >>>> I think I have fixed the configuration issue. And modified the
> > > > >>>> header checks. You should be able to add a comma separated list
> > > > >>>> for the rest.baseUrl param.
> > > > >>>> Could you please check with the latest source. The Jenkins builds
> > > > >>>> currently fail, because there seems to be something wrong with the
> > > > >>>> repository server or the latest snapshot builds that were uploaded.
> > > > >>>> I'm not sure if this is related to your changes on the repository
> > > > >>>> server or another issue.
> > > > >>>> 
> > > > >>>> Cheers
> > > > >>>> 
> > > > >>>> Martin
> > > > >>>> 
> > > > >>>> 
> > > > >>>> 
> > > > >>>> --
> > > > >>>> This message was sent from my Android device with K-9 Mail.
> > 
> > > > >>> --
> > > > >>> Olivier Lamy
> > > > >>> http://twitter.com/olamy | http://linkedin.com/in/olamy
> > > > >> 
> > > > >> --
> > > > >> Olivier Lamy
> > > > >> http://twitter.com/olamy | http://linkedin.com/in/olamy
> > > > > 
> > > > > --
> > > > > Olivier Lamy
> > > > > http://twitter.com/olamy | http://linkedin.com/in/olamy
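The check the thread is debugging (Referer/Origin of a REST call compared against the configured rest.baseUrl list, or against the host the request was addressed to in the "dynamic" case, with a possibly comma separated X-Forwarded-Host from a reverse proxy), written out as an added example. This is illustration code in Python, not Archiva or Redback source: the function names, the X-Forwarded-* handling, the absent-origin parameter and the sample header sets are assumptions; the URLs and the log wording are taken from the thread.

```python
"""Origin/Referer validation for state-changing REST calls, in the spirit of
Redback's RequestValidationInterceptor. Added illustration, not project code:
function names, X-Forwarded-* handling and sample headers are assumptions."""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# rest.baseUrl value as posted in the thread (comma separated list).
BASE_URLS = ("http://archiva-repository.apache.org,"
             "http://localhost:9191,https://archiva-repository.apache.org")

# Constructed headers: browser talks to the public name, Jetty sees port 9191.
DIRECT_HEADERS = {
    "Host": "localhost:9191",
    "Referer": "https://archiva-repository.apache.org/archiva/index.html?request_lang=en",
}
# Same request passed through a reverse proxy that appends to X-Forwarded-Host.
PROXIED_HEADERS = dict(DIRECT_HEADERS, **{
    "X-Forwarded-Host": "archiva-repository.apache.org, 10.0.0.5",
    "X-Forwarded-Proto": "https",
})


def host_port(url):
    """(host, port) of an absolute http(s) URL, port defaulted from the scheme.
    None for relative, malformed or 'null' values so callers treat them as absent."""
    try:
        parts = urlsplit(url.strip())
        if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
            return None
        port = parts.port if parts.port is not None else DEFAULT_PORTS[parts.scheme]
    except ValueError:  # non-numeric port and similar garbage
        return None
    return parts.hostname.lower(), port


def parse_base_urls(value):
    """rest.baseUrl style setting -> list of (host, port); unparseable entries are skipped."""
    return [hp for hp in (host_port(u) for u in value.split(",")) if hp]


def forwarded_target(headers, default_scheme="http"):
    """Dynamic case: the client-facing (host, port) behind a reverse proxy.
    X-Forwarded-Host and X-Forwarded-Proto may be comma separated lists when the
    request crossed several proxies; the first element is what the browser used.
    Only meaningful when the request really came from a trusted proxy."""
    h = {k.lower(): v for k, v in headers.items()}
    host = (h.get("x-forwarded-host") or h.get("host") or "").split(",")[0].strip()
    if not host:
        return None
    scheme = (h.get("x-forwarded-proto") or default_scheme).split(",")[0].strip()
    return host_port(f"{scheme}://{host}")


def check_request(headers, base_url_setting, absent_origin_deny=True):
    """Return (allowed, reason). Origin is preferred, Referer is the fallback;
    the request passes only if the source's host AND port equal some target."""
    h = {k.lower(): v for k, v in headers.items()}
    source = h.get("origin") or h.get("referer")
    if not source:
        return (not absent_origin_deny), "no Origin/Referer header"
    src = host_port(source)
    if src is None:  # covers 'Origin: null' and relative/garbled Referers
        return False, f"unparseable Origin/Referer: {source!r}"
    targets = parse_base_urls(base_url_setting)
    dyn = forwarded_target(headers)
    if dyn:
        targets.append(dyn)
    if src in targets:
        return True, f"{src[0]}:{src[1]} matches a configured or forwarded target"
    detail = "; ".join(
        f"targetUrl={t[0]}:{t[1]} Matches: Host={src[0] == t[0]}, Port={src[1] == t[1]}"
        for t in targets)
    return False, f"Referer Header does not match: refererUrl={source} {detail}"


if __name__ == "__main__":
    for label, hdrs, cfg in (("direct, no baseUrl", DIRECT_HEADERS, ""),
                             ("direct, baseUrl list", DIRECT_HEADERS, BASE_URLS),
                             ("behind proxy, no baseUrl", PROXIED_HEADERS, "")):
        ok, why = check_request(hdrs, cfg)
        print(f"{label}: {'allow' if ok else 'DENY'} ({why})")
```

The first case reproduces the "Host=false, Port=false" situation from the log: without a baseUrl list the only target is localhost:9191 from the Host header, so a Referer on the public https name can never match. The baseUrl list or a proxy-supplied X-Forwarded-Host fixes that. The caveat is that X-Forwarded-Host and X-Forwarded-Proto are attacker-controlled on any connection that does not come from the proxy, so a deployment relying on the dynamic case should only accept those headers from the proxy's address (or bind Jetty so it is reachable only through the proxy); otherwise a direct request can set them to whatever its Origin says and pass the check.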