Date: Thu, 3 May 2007 15:12:09 -0500
From: "Jesse McConnell"
To: archiva-users@maven.apache.org
Subject: Re: Access denied WebDAV repository

Guest with Repository Observer will bypass the need for authentication.

My suspicion would be that you're not providing authentication credentials correctly for the user with that role so those requests are getting denied.

The validation deal has nothing to do with this :)

jesse

On 3/28/07, Markus Reil wrote:
> Hi,
>
> artifact browsing works fine.
> A newly created user cannot do direct webdav browsing although he has
> the "Repository Observer" role. In a web browser I have to enter my
> credentials and I get "Access denied" every time.
> With Maven I get the following message:
> INFO: Already tried to authenticate with 'Repository local'
> authentication realm at xxx.xxxxx.xx, but still receiving: HTTP/1.1 401
> Authorization Denied.
>
> When I make "Guest" a "Repository Observer" I can do direct webdav browsing.
>
> Now my question is: what is the difference between "Guest" with
> "Repository Observer" role and a new user with "Repository Observer"
> role? Why can one of them access the webdav repository and the other one
> cannot? Does it have to do with "User Validation" (the "Validated" flag
> is not set for the new user)?
>
> Thanks,
> Markus
>
> Joakim Erdfelt wrote:
> > First off, there are 2 forms of browse.
> >
> > 1) http://hostname:port/archiva/browse/* (also known as artifact browsing)
> > 2) http://hostname:port/archiva/repository/repoid/* (also known as
> > direct webdav browsing)
> >
> > The first one requires no special roles (yet).
> > The second one requires either the "Repository Observer" role for the
> > specific {repoid}, or the "Global Repository Observer" role for all
> > defined repositories.
> >
> > - Joakim
> >
> > Markus Reil wrote:
> >> Hi Joakim,
> >>
> >> thanks for your answer.
> >> If there were users with less permission than guest, that would be
> >> alright for me.
> >> What I meant is, that even if I make the new user "Repository Observer"
> >> he is still not able to browse the WebDAV repository. I revoked
> >> "Repository Observer" from Guest because I do not want guests to be able
> >> to browse or upload to repositories.
> >> Do I have to validate a new user?
> >>
> >> Thanks,
> >> Markus
> >>
> >> Joakim Erdfelt wrote:
> >>
> >>> This is a confusing mess of roles ATM.
> >>>
> >>> You just pointed out a flaw in the design of the security.
> >>>
> >>> The roles that the Guest user has are not copied (or linked) to new users.
> >>>
> >>> It is quite possible for new users to have *LESS* permission than a
> >>> guest (anonymous) user!
> >>>
> >>> I just discussed this with my partner in security crime, Jesse
> >>> McConnell, and we are working on a solution to this oversight.
> >>>
> >>> - Joakim Erdfelt
> >>>
> >>> Markus Reil wrote:
> >>>
> >>>> Hi,
> >>>>
> >>>> I built archiva from trunk rev. 521889.
> >>>> If I assign the role Repository Observer to Guest I can access the
> >>>> repository but not as a newly created user.
> >>>> The user I created does not have the "Validated" flag set in the User
> >>>> Management page. Is that the reason?
> >>>> Then how can I validate the user? Is an E-Mail confirmation needed?
> >>>> Unfortunately I am not able to send E-Mail from my server.
> >>>>
> >>>> Thanks in advance for any help.
> >>>>
> >>>> Best Regards,
> >>>> Markus
> >>>>
> >>>
> >>
> >
>

--
jesse mcconnell
jesse.mcconnell@gmail.com
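
One way to check the Maven side of the suspicion in the reply above, as an added example that is not part of the original thread or of Archiva or Maven. Maven picks the credentials for a repository by matching the `<id>` of a `<server>` entry in settings.xml against the repository's `<id>`. The sample files, the id "local", the port and the user name are constructed placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed sample files (not from the thread); ids, host and user are placeholders.
POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <repositories>
    <repository>
      <id>local</id>
      <url>http://hostname:8080/archiva/repository/local/</url>
    </repository>
  </repositories>
</project>"""

SETTINGS = """<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0">
  <servers>
    <server>
      <id>archiva-local</id>
      <username>observer</username>
      <password>example-password</password>
    </server>
  </servers>
</settings>"""


def _local(tag):
    """Drop the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def _children(xml_text, item_tag):
    """Yield {child_tag: text} for every <item_tag> element in the document."""
    for el in ET.fromstring(xml_text).iter():
        if _local(el.tag) == item_tag:
            yield {_local(c.tag): (c.text or "").strip() for c in el}


def check_credentials(pom_xml, settings_xml):
    """Return {repository id: problem} for repositories with no usable <server> entry."""
    servers = {s.get("id"): s for s in _children(settings_xml, "server")}
    problems = {}
    for repo in _children(pom_xml, "repository"):
        server = servers.get(repo.get("id"))
        if server is None:
            problems[repo.get("id")] = "no <server> with this id in settings.xml"
        elif not server.get("username") or not server.get("password"):
            problems[repo.get("id")] = "<server> entry lacks username or password"
    return problems


if __name__ == "__main__":
    for repo_id, problem in check_credentials(POM, SETTINGS).items():
        print(f"{repo_id}: {problem}")
```

A clean result only shows that Maven has credentials to send for each repository id; whether the account holds the "Repository Observer" role for that repoid is decided on the Archiva side.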