archiva-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Markus Reil <>
Subject Re: Access denied WebDAV repository
Date Wed, 28 Mar 2007 07:11:29 GMT

artifact browsing works fine.
A newly created user cannot do direct webdav browsing although he has
the "Repository Observer" role. In a web browser I have to enter my
credentials and I get "Access denied" every time.
With Maven I get the following message:
INFO: Already tried to authenticate with 'Repository local'
authentication realm at xxx.xxxxx.xx, but still receiving: HTTP/1.1 401
Authorization Denied.

When I make "Guest" a "Repository Observer" i can do direct webdav browsing.

Now my question is: what is the difference between "Guest" with
"Repository Observer" role and a new user with "Repository Observer"
role? Why can one of them access the webdav repository and the other one
cannot? Does it have to do with "User Validation" (the "Validated" flag
is not set for the new user)?


Joakim Erdfelt wrote:
> First off. there are 2 forms of browse.
> 1) http://hostname:port/archiva/browse/* (also known as artifact browsing)
> 2) http://hostname:port/archiva/repository/repoid/* (also known as
> direct webdav browsing)
> The first one requires no special roles (yet).
> The second one requires either the "Repository Observer" role for the
> specific {repoid}, or the "Global Repository Observer" role for all
> defined repositories.
> - Joakim
> Markus Reil wrote:
>> Hi Joakim,
>> thanks for your answer.
>> If there were users with less permission than guest, that would be
>> alright for me.
>> What I meant is, that even if I make the new user "Repository Observer"
>> he is still not able to browse the WebDAV repository. I revoked
>> "Repository Observer" from Guest becuase I do not want guests to be able
>> to browse or upload to repositories.
>> Do I have to validate a new user?
>> Thanks,
>> Markus
>> Joakim Erdfelt wrote:
>>> This is a confusing mess of roles ATM.
>>> You just pointed out a flaw in the design of the security.
>>> The roles that the Guest user has are not copied (or linked) to new users.
>>> It is quite possible for new users to have *LESS* permission than a
>>> guest (anonymous) user!
>>> I just discussed this with my partner in security crime, Jesse
>>> McConnell, and we are working on a solution to this oversight.
>>> - Joakim Erdfelt
>>> Markus Reil wrote:
>>>> Hi,
>>>> I built archiva from trunk rev. 521889.
>>>> If I assign the role Repository Observer to Guest I can access the
>>>> repository but I a newly created user.
>>>> The user I created does not have the "Validated" flag set in the User
>>>> Management page. Is that the reason?
>>>> Then how can I validate the user? Is an E-Mail confirmation needed?
>>>> Unfortunately I am not able to send E-Mail from my server.
>>>> Thanks in advance for any help.
>>>> Best Regards,
>>>> Markus

View raw message