continuum-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "David Delbecq (JIRA)" <j...@codehaus.org>
Subject [jira] Created: (CONTINUUM-1723) wrong password use and chaching during add maven2 project
Date Fri, 11 Apr 2008 09:10:58 GMT
wrong password use and chaching during add maven2 project
---------------------------------------------------------

                 Key: CONTINUUM-1723
                 URL: http://jira.codehaus.org/browse/CONTINUUM-1723
             Project: Continuum
          Issue Type: Bug
          Components: Integration - Maven 2, Security, Web interface
    Affects Versions: 1.1
         Environment: linux system, plexus server, (maestro1.5.1 bundle)
            Reporter: David Delbecq
            Priority: Critical


When adding a maven2 project, if the provided pom.xml url (first field of form) requires user
/ pass authentification and you type in the wrong password or wrong username, continuum caches
it and will always use it for the rest of his life. As a result it's impossible to get the
pom.xml, even if you type correct password in field.


Steps to reproduce

# go to continuum server
# Type url of a pom.xml that requires server "basic" authentification
# Type in any user/pass for that url that is incorrect (eg: foo:bar)
# Click add
# Pages show up form again telling "there was a problem getting the pom.xml"
# Type in correct user/password
# Click add
# Pages show up again telling same problem
# logout, login, try again with correct user/password
# Still impossible 
# Logout , close your browser, clean your cookies and everything
# Login, try again with correct user/password
# Still impossible
# shutdown continuum server and it's JVM, restart it
# Login, try again with correct user/password
# *Success!*
# Try to add a second project, with another url on *same* http server, with incorrect user/pass
# *Success!*

As a conclusion, continuum caches somewhere the first user / pass, even if incorrect, and
will reuse it everytime you access this server. This is a problem in an environment where
multiple teams share a common continuum server, a common svn server (with different access
rights at different project nodes) and have rights to add projects. The first team member
to add a project will have have his user/password right forced to every other users trying
to add project.

The only solution i found so far is, after adding a project, to shutdown the jvm hosting continuum
and restart it.


Behind the scene:

sniffing of protocol show clearly that continuum, when "getting" the pom mentionned in add
project, always uses the same basic authentification, whatever the user type in in user/pass
boxes. It's always the first attempt that get used


-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://jira.codehaus.org/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

        

Mime
View raw message