archiva-users mailing list archives

From "Jesse McConnell" <jesse.mcconn...@gmail.com>
Subject Re: Access denied WebDAV repository
Date Thu, 03 May 2007 20:12:09 GMT
Guest with Repository Observer will bypass the need for authentication.

My suspicion would be that you're not providing authentication
credentials correctly for the user with that role so those requests
are getting denied.

the validation deal has nothing to do with this :)

jesse

On 3/28/07, Markus Reil <markus.reil@mindmatics.de> wrote:
> Hi,
>
> artifact browsing works fine.
> A newly created user cannot do direct webdav browsing although he has
> the "Repository Observer" role. In a web browser I have to enter my
> credentials and I get "Access denied" every time.
> With Maven I get the following message:
> INFO: Already tried to authenticate with 'Repository local'
> authentication realm at xxx.xxxxx.xx, but still receiving: HTTP/1.1 401
> Authorization Denied.
>
> When I make "Guest" a "Repository Observer" I can do direct webdav browsing.
>
> Now my question is: what is the difference between "Guest" with
> "Repository Observer" role and a new user with "Repository Observer"
> role? Why can one of them access the webdav repository and the other one
> cannot? Does it have to do with "User Validation" (the "Validated" flag
> is not set for the new user)?
>
> Thanks,
> Markus
>
>
>
> Joakim Erdfelt wrote:
> > First off, there are 2 forms of browse.
> >
> > 1) http://hostname:port/archiva/browse/* (also known as artifact browsing)
> > 2) http://hostname:port/archiva/repository/repoid/* (also known as
> > direct webdav browsing)
> >
> > The first one requires no special roles (yet).
> > The second one requires either the "Repository Observer" role for the
> > specific {repoid}, or the "Global Repository Observer" role for all
> > defined repositories.
> >
> > - Joakim
> >
> > Markus Reil wrote:
> >> Hi Joakim,
> >>
> >> thanks for your answer.
> >> If there were users with less permission than guest, that would be
> >> alright for me.
> >> What I meant is, that even if I make the new user "Repository Observer"
> >> he is still not able to browse the WebDAV repository. I revoked
> >> "Repository Observer" from Guest because I do not want guests to be able
> >> to browse or upload to repositories.
> >> Do I have to validate a new user?
> >>
> >> Thanks,
> >> Markus
> >>
> >> Joakim Erdfelt wrote:
> >>
> >>> This is a confusing mess of roles ATM.
> >>>
> >>> You just pointed out a flaw in the design of the security.
> >>>
> >>> The roles that the Guest user has are not copied (or linked) to new users.
> >>>
> >>> It is quite possible for new users to have *LESS* permission than a
> >>> guest (anonymous) user!
> >>>
> >>> I just discussed this with my partner in security crime, Jesse
> >>> McConnell, and we are working on a solution to this oversight.
> >>>
> >>> - Joakim Erdfelt
> >>>
> >>> Markus Reil wrote:
> >>>
> >>>> Hi,
> >>>>
> >>>> I built archiva from trunk rev. 521889.
> >>>> If I assign the role Repository Observer to Guest I can access the
> >>>> repository but I a newly created user.
> >>>> The user I created does not have the "Validated" flag set in the User
> >>>> Management page. Is that the reason?
> >>>> Then how can I validate the user? Is an E-Mail confirmation needed?
> >>>> Unfortunately I am not able to send E-Mail from my server.
> >>>>
> >>>> Thanks in advance for any help.
> >>>>
> >>>> Best Regards,
> >>>> Markus
> >>>>
> >>>>
> >>>>
> >>>
> >>
> >
>
>


-- 
jesse mcconnell
jesse.mcconnell@gmail.com
