archiva-dev mailing list archives

From Olivier Lamy <ol...@apache.org>
Subject Re: Rest validation url
Date Wed, 10 May 2017 11:37:20 GMT
Hi Martin
Works fine now with archiva.xml (little issue when not logged in; I pushed a
fix in master and will deploy on
https://archiva-repository.apache.org/archiva tomorrow).

Yes I agree all this configuration model must be cleaned (some legacy....)


On 9 May 2017 at 05:31, Martin <martin_s@apache.org> wrote:

> After reconsidering the configuration process, I think security.properties
> cannot really work (as I think it should have worked).
> When the redback runtime configuration properties are changed (e.g. via the
> WebUI), the whole property set (including defaults) is written to
> archiva.xml, and these values always overwrite the values of
> security.properties.
> So security.properties is included for historical reasons, to allow
> better migration of existing configurations. But after the properties are
> written to archiva.xml, the values in security.properties are not relevant
> anymore.
>
> Greetings
>
> Martin
>
>
> On Monday, 8 May 2017, 21:04:13 CEST, Martin wrote:
> > Hi Olivier,
> >
> > it seems the security.properties is ignored (at least when the
> > configuration is read by the interceptor). I thought the files are read in
> > the order as defined in applicationContext.xml, but that seems not to be
> > the case.
> >
> > So for the first start, could you please put it in archiva.xml:
> >   <redbackRuntimeConfiguration>
> > ...
> >     <configurationProperties>
> > ...
> >       <rest>
> >         <csrffilter>
> >           <enabled>true</enabled>
> >           <disableTokenValidation>false</disableTokenValidation>
> >           <absentorigin>
> >             <deny>true</deny>
> >           </absentorigin>
> >         </csrffilter>
> >         <baseUrl>http://archiva-repository.apache.org</baseUrl>
> >         <baseUrl>http://localhost:9191</baseUrl>
> >         <baseUrl>https://archiva-repository.apache.org</baseUrl>
> >       </rest>
> > ...
> >     </configurationProperties>
> > ...
> > </redbackRuntimeConfiguration>
> >
> > And could you please set the log level for the interceptor to trace:
> >
> > <logger name="org.apache.archiva.redback.rest.services.interceptors.RequestValidationInterceptor" level="trace" />
> >
> >
> > And for the dynamic case (ignored configuration) the retrieval of the
> > target URL seems not to work as expected. It would be helpful if you could
> > extract/log the HTTP headers that are sent with the request.
> > I'm not sure if jetty in this version can log HTTP headers. Another
> > possibility would be tcpdump on the server.
> >
> > Thanks for your help.
> >
> >
> > Martin
> >
> > On Monday, 8 May 2017, 21:16:51 CEST, Olivier Lamy wrote:
> > > I have a security.properties file in
> > > ${appserver.base}/conf with this, but it doesn't work.
> > >
> > > rest.baseUrl=http://archiva-repository.apache.org,http://localhost:9191,https://archiva-repository.apache.org
> > >
> > > rest.csrffilter.enabled=false
> > >
> > >
> > > But still getting
> > >
> > > 2017-05-08 10:59:15,090 [qtp1614464539-68] WARN  org.apache.archiva.redback.rest.services.interceptors.RequestValidationInterceptor [] - HTTP Header check failed. Assuming CSRF attack.
> > >
> > > 2017-05-08 10:59:15,090 [qtp1614464539-68] WARN  org.apache.archiva.redback.rest.services.interceptors.RequestValidationInterceptor [] - Referer Header does not match: refererUrl=https://archiva-repository.apache.org/archiva/index.html?request_lang=en, targetUrl=http://localhost:9191/restServices/archivaServices/commonServices/getAllI18nResources. Matches: Host=false, Port=false
> > >
> > > 2017-05-08 10:59:15,091 [qtp1614464539-68] WARN  org.apache.archiva.redback.rest.services.interceptors.RequestValidationInterceptor [] - Referer Header does not match: refererUrl=https://archiva-repository.apache.org/archiva/index.html?request_lang=en, targetUrl=http://archiva-repository.apache.org, archiva-repository.apache.org. Matches: Host=false, Port=false
> > >
> > > On 8 May 2017 at 21:09, Olivier Lamy <olamy@apache.org> wrote:
> > > > uhm I talked too fast :-(
> > > > Let me check more seriously
> > > >
> > > > On 8 May 2017 at 20:57, Olivier Lamy <olamy@apache.org> wrote:
> > > >> Hi
> > > >> I missed to say but all good here
> > > >> Thanks!!
> > > >> Olivier
> > > >>
> > > >> On 28 April 2017 at 22:26, Olivier Lamy <olamy@apache.org> wrote:
> > > >>> Hi
> > > >>> I stopped Archiva.
> > > >>> It's now restarted builds will be deployed.
> > > >>> I will try to test during the weekend.
> > > >>> Thanks!
> > > >>> Olivier
> > > >>>
> > > >>> On 28 April 2017 at 15:34, Martin Stockhammer <martin_s@apache.org> wrote:
> > > >>>> Hi Olivier,
> > > >>>>
> > > >>>> I think I have fixed the configuration issue and modified the header
> > > >>>> checks. You should be able to add a comma-separated list for the
> > > >>>> rest.baseUrl param.
> > > >>>> Could you please check with the latest source. The Jenkins builds
> > > >>>> currently fail, because there seems to be something wrong with the
> > > >>>> repository server or the latest snapshot builds that were uploaded.
> > > >>>> I'm not sure if this is related to your changes on the repository
> > > >>>> server or another issue.
> > > >>>>
> > > >>>> Cheers
> > > >>>>
> > > >>>> Martin
> > > >>>>
> > > >>>>
> > > >>>>
> > > >>>> --
> > > >>>> This message was sent from my Android device with K-9 Mail.
> > > >>>
> > > >>> --
> > > >>> Olivier Lamy
> > > >>> http://twitter.com/olamy | http://linkedin.com/in/olamy
> > > >>
> > > >> --
> > > >> Olivier Lamy
> > > >> http://twitter.com/olamy | http://linkedin.com/in/olamy
> > > >
> > > > --
> > > > Olivier Lamy
> > > > http://twitter.com/olamy | http://linkedin.com/in/olamy
>
>
>


-- 
Olivier Lamy
http://twitter.com/olamy | http://linkedin.com/in/olamy
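The Referer/Origin host-and-port check that the thread's log lines describe, as an added illustrative model in Python (not Redback's Java interceptor), assuming the three baseUrl entries from the archiva.xml snippet and the absentorigin.deny=true setting:

```python
from urllib.parse import urlsplit

# Constructed sample: the three baseUrl entries from the thread's archiva.xml
# snippet (equivalent to the comma-separated rest.baseUrl property).
BASE_URLS = [
    "http://archiva-repository.apache.org",
    "http://localhost:9191",
    "https://archiva-repository.apache.org",
]


def host_port(url):
    """Host and effective port of a URL (default 80/443 by scheme)."""
    parts = urlsplit(url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return (parts.hostname or "").lower(), port


def check_request(headers, base_urls=BASE_URLS, deny_absent_origin=True):
    """Illustrative request-source check; assumed logic, not Redback's code.

    The request source is taken from Origin, falling back to Referer. It is
    accepted only if host AND port equal those of one configured base URL.
    Returns (allowed, reason); the reason mimics the thread's log output.
    """
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        if deny_absent_origin:
            return False, "no Origin/Referer header, denied (absentorigin.deny)"
        return True, "no Origin/Referer header, allowed"
    src_host, src_port = host_port(source)
    details = []
    for base in base_urls:
        tgt_host, tgt_port = host_port(base)
        if (src_host, src_port) == (tgt_host, tgt_port):
            return True, f"refererUrl={source} matches baseUrl={base}"
        details.append(
            f"targetUrl={base}. Matches: Host={src_host == tgt_host}, "
            f"Port={src_port == tgt_port}"
        )
    return False, "Referer Header does not match: " + "; ".join(details)


if __name__ == "__main__":
    ref = "https://archiva-repository.apache.org/archiva/index.html?request_lang=en"
    print(check_request({"Referer": ref}))                          # allowed via https entry
    print(check_request({"Referer": ref}, ["http://localhost:9191"]))  # Host=False, Port=False
    print(check_request({}))                                        # denied, header absent
```

The second call reproduces the situation in the log: with only the localhost base URL configured, a request whose Referer is the https site fails on both host and port, which is why the https entry has to be in the list.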
