archiva-dev mailing list archives

From Olivier Lamy <ol...@apache.org>
Subject Re: Rest validation url
Date Thu, 11 May 2017 05:25:36 GMT
Hi
just deployed a fresh build to our new instance and all good!!!
Feel free to release.
I will work in parallel to upgrade Jetty (but can be in next release)
Thanks for your hard work!!!



On 11 May 2017 at 07:47, Martin <martin_s@apache.org> wrote:

> Great to hear!
> I added a fix for the dynamic case with the reverse proxy (the header can
> contain host lists as I have learned now).
>
> Additionally I added an improvement for the repository checks (see
> MRM-1933).
>
> If your deployment works well, I would like to restart the release process
> with the current master branch (archiva 2.2.3, redback 2.6).
>
> Greetings
>
> Martin
>
>
>
> On Wednesday, 10 May 2017, 21:37:20 CEST, Olivier Lamy wrote:
> > Hi Martin
> > Works fine now with archiva.xml (little issue when not logged in; I pushed a
> > fix in master and will deploy on
> > https://archiva-repository.apache.org/archiva tomorrow)
> >
> > Yes I agree all this configuration model must be cleaned (some legacy....)
> >
> > On 9 May 2017 at 05:31, Martin <martin_s@apache.org> wrote:
> > > After reconsidering the configuration process I think security.properties
> > > cannot really work (as I think it should have worked).
> > > When the redback runtime configuration properties are changed (e.g. via
> > > the WebUI), the whole property set (inclusive defaults) is written to
> > > archiva.xml. And these values always overwrite the values of
> > > security.properties.
> > > So security.properties is included because of historic reasons, to allow
> > > better migration of existing configurations. But after the properties are
> > > written to archiva.xml, the values in security.properties are not relevant
> > > anymore.
> > >
> > > Greetings
> > >
> > > Martin
> > >
> > > On Monday, 8 May 2017, 21:04:13 CEST, Martin wrote:
> > > > Hi Olivier,
> > > >
> > > > it seems the security.properties is ignored (at least when the
> > > > configuration is read by the interceptor). I thought the files are read
> > > > in the order as defined in applicationContext.xml but that seems not to
> > > > be the case.
> > > >
> > > > So for the first start, could you please put it in archiva.xml:
> > > >   <redbackRuntimeConfiguration>
> > > >     ...
> > > >     <configurationProperties>
> > > >       ...
> > > >       <rest>
> > > >         <csrffilter>
> > > >           <enabled>true</enabled>
> > > >           <disableTokenValidation>false</disableTokenValidation>
> > > >           <absentorigin>
> > > >             <deny>true</deny>
> > > >           </absentorigin>
> > > >         </csrffilter>
> > > >         <baseUrl>http://archiva-repository.apache.org</baseUrl>
> > > >         <baseUrl>http://localhost:9191</baseUrl>
> > > >         <baseUrl>https://archiva-repository.apache.org</baseUrl>
> > > >       </rest>
> > > >       ...
> > > >     </configurationProperties>
> > > >     ...
> > > >   </redbackRuntimeConfiguration>
> > > >
> > > > And could you please set the log level for the interceptor to trace:
> > > >
> > > > <logger
> > > > name="org.apache.archiva.redback.rest.services.interceptors.RequestValidationInterceptor"
> > > > level="trace" />
> > > >
> > > > And for the dynamic case (ignored configuration) the retrieval of the
> > > > target URL seems not to work as expected. It would be helpful, if you could
> > > > extract/log the HTTP headers that are sent with the request.
> > > > I'm not sure, if jetty in this version can log HTTP headers. Another
> > > > possibility would be tcpdump on the server.
> > > >
> > > > Thanks for your help.
> > > >
> > > >
> > > > Martin
> > > >
> > > > On Monday, 8 May 2017, 21:16:51 CEST, Olivier Lamy wrote:
> > > > > I have a security.properties file in
> > > > > ${appserver.base}/conf with this but doesn't work.
> > > > >
> > > > > rest.baseUrl=http://archiva-repository.apache.org,http://localhost:9191,https://archiva-repository.apache.org
> > > > >
> > > > > rest.csrffilter.enabled=false
> > > > >
> > > > >
> > > > > But still getting
> > > > >
> > > > > 2017-05-08 10:59:15,090 [qtp1614464539-68] WARN  org.apache.archiva.redback.rest.services.interceptors.RequestValidationInterceptor [] - HTTP Header check failed. Assuming CSRF attack.
> > > > >
> > > > > 2017-05-08 10:59:15,090 [qtp1614464539-68] WARN  org.apache.archiva.redback.rest.services.interceptors.RequestValidationInterceptor [] - Referer Header does not match: refererUrl=https://archiva-repository.apache.org/archiva/index.html?request_lang=en, targetUrl=http://localhost:9191/restServices/archivaServices/commonServices/getAllI18nResources. Matches: Host=false, Port=false
> > > > >
> > > > > 2017-05-08 10:59:15,091 [qtp1614464539-68] WARN  org.apache.archiva.redback.rest.services.interceptors.RequestValidationInterceptor [] - Referer Header does not match: refererUrl=https://archiva-repository.apache.org/archiva/index.html?request_lang=en, targetUrl=http://archiva-repository.apache.org, archiva-repository.apache.org. Matches: Host=false, Port=false
> > > > >
> > > > > On 8 May 2017 at 21:09, Olivier Lamy <olamy@apache.org> wrote:
> > > > > > uhm I talked too fast :-(
> > > > > > Let me check more seriously
> > > > > >
> > > > > > On 8 May 2017 at 20:57, Olivier Lamy <olamy@apache.org> wrote:
> > > > > >> Hi
> > > > > >> I missed to say but all good here
> > > > > >> Thanks!!
> > > > > >> Olivier
> > > > > >>
> > > > > >> On 28 April 2017 at 22:26, Olivier Lamy <olamy@apache.org> wrote:
> > > > > >>> Hi
> > > > > >>> I stopped Archiva.
> > > > > >>> It's now restarted; builds will be deployed.
> > > > > >>> I will try to test during the weekend.
> > > > > >>> Thanks!
> > > > > >>> Olivier
> > > > > >>>
> > > > > >>> On 28 April 2017 at 15:34, Martin Stockhammer <martin_s@apache.org> wrote:
> > > > > >>>> Hi Olivier,
> > > > > >>>>
> > > > > >>>> I think I have fixed the configuration issue. And modified the header
> > > > > >>>> checks. You should be able to add a comma separated list for the
> > > > > >>>> rest.baseUrl param.
> > > > > >>>> Could you please check with the latest source. The Jenkins builds
> > > > > >>>> currently fail, because there seems something wrong with the repository
> > > > > >>>> server or the latest snapshot builds that were uploaded. I'm not sure if
> > > > > >>>> this is related to your changes on the repository server or another
> > > > > >>>> issue.
> > > > > >>>>
> > > > > >>>> Cheers
> > > > > >>>>
> > > > > >>>> Martin
> > > > > >>>>
> > > > > >>>>
> > > > > >>>>
> > > > > >>>> --
> > > > > >>>> This message was sent from my Android device with K-9 Mail.
> > > > > >>> --
> > > > > >>> Olivier Lamy
> > > > > >>> http://twitter.com/olamy | http://linkedin.com/in/olamy
> > > > > >>
> > > > > >> --
> > > > > >> Olivier Lamy
> > > > > >> http://twitter.com/olamy | http://linkedin.com/in/olamy
> > > > > >
> > > > > > --
> > > > > > Olivier Lamy
> > > > > > http://twitter.com/olamy | http://linkedin.com/in/olamy
>
>
>


-- 
Olivier Lamy
http://twitter.com/olamy | http://linkedin.com/in/olamy
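The referer check the thread is debugging, as an added illustration that is not Archiva's RequestValidationInterceptor: it treats both rest.baseUrl and a reverse-proxy host header as comma-separated lists (the list handling Martin describes fixing) and reports the Host/Port matches the way the WARN lines do. Function names, the default-port handling and the forwarded-proto parameter are assumptions of this example.

```python
from urllib.parse import urlsplit

# Added illustration only; not Archiva's interceptor. The matching rule
# (scheme default ports, list-aware headers) is assumed for this example.
DEFAULT_PORTS = {"http": 80, "https": 443}


def split_list(value):
    """Split a comma-separated config or header value into its entries.
    The thread notes that rest.baseUrl and the proxy host header carry lists."""
    return [v.strip() for v in (value or "").split(",") if v.strip()]


def host_port(url):
    """Return (host, port) of a URL, filling in the scheme's default port."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    port = parts.port or DEFAULT_PORTS.get(parts.scheme, 80)
    return host, port


def allowed_targets(base_urls, forwarded_host=None, forwarded_proto="http"):
    """Accepted (host, port) pairs: every configured base URL plus, for the
    dynamic case, each host the reverse proxy reported. Splitting the header
    is what avoids the 'host, host' target seen in the third WARN line."""
    targets = {host_port(u) for u in split_list(base_urls)}
    for h in split_list(forwarded_host):
        targets.add(host_port(f"{forwarded_proto}://{h}"))
    return targets


def referer_matches(referer, base_urls, forwarded_host=None, proto="http"):
    """Mirror 'Matches: Host=..., Port=...': the referer must agree with one
    allowed target on host AND port. A missing referer is flagged as absent so
    the caller can apply its absentorigin policy (deny=true in the thread)."""
    if not referer:
        return {"absent": True, "host": False, "port": False}
    ref_host, ref_port = host_port(referer)
    host_ok = port_ok = False
    for host, port in allowed_targets(base_urls, forwarded_host, proto):
        if host == ref_host:
            host_ok = True
            if port == ref_port:
                port_ok = True
                break
    return {"absent": False, "host": host_ok, "port": port_ok}
```

With the three-entry rest.baseUrl from the thread the HTTPS referer matches on host and port; with only http://localhost:9191 configured it reproduces the Host=false, Port=false result from the logs.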
