continuum-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Maria Catherine Tan (JIRA)" <j...@codehaus.org>
Subject [jira] Commented: (CONTINUUM-1723) wrong password use and chaching during add maven2 project
Date Thu, 22 May 2008 06:33:22 GMT

    [ http://jira.codehaus.org/browse/CONTINUUM-1723?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=135679#action_135679
] 

Maria Catherine Tan commented on CONTINUUM-1723:
------------------------------------------------

I was able to add maven 2 project by typing a correct username/password after entering an
incorrect one (with or without using scm credentials cache)

> wrong password use and chaching during add maven2 project
> ---------------------------------------------------------
>
>                 Key: CONTINUUM-1723
>                 URL: http://jira.codehaus.org/browse/CONTINUUM-1723
>             Project: Continuum
>          Issue Type: Bug
>          Components: Integration - Maven 2, Security, Web interface
>    Affects Versions: 1.1
>         Environment: linux system, plexus server, (maestro1.5.1 bundle)
>            Reporter: David Delbecq
>            Priority: Critical
>             Fix For: 1.2
>
>
> When adding a maven2 project, if the provided pom.xml url (first field of form) requires
user / pass authentification and you type in the wrong password or wrong username, continuum
caches it and will always use it for the rest of his life. As a result it's impossible to
get the pom.xml, even if you type correct password in field.
> Steps to reproduce
> # go to continuum server
> # Type url of a pom.xml that requires server "basic" authentification
> # Type in any user/pass for that url that is incorrect (eg: foo:bar)
> # Click add
> # Pages show up form again telling "there was a problem getting the pom.xml"
> # Type in correct user/password
> # Click add
> # Pages show up again telling same problem
> # logout, login, try again with correct user/password
> # Still impossible 
> # Logout , close your browser, clean your cookies and everything
> # Login, try again with correct user/password
> # Still impossible
> # shutdown continuum server and it's JVM, restart it
> # Login, try again with correct user/password
> # *Success!*
> # Try to add a second project, with another url on *same* http server, with incorrect
user/pass
> # *Success!*
> As a conclusion, continuum caches somewhere the first user / pass, even if incorrect,
and will reuse it everytime you access this server. This is a problem in an environment where
multiple teams share a common continuum server, a common svn server (with different access
rights at different project nodes) and have rights to add projects. The first team member
to add a project will have have his user/password right forced to every other users trying
to add project.
> The only solution i found so far is, after adding a project, to shutdown the jvm hosting
continuum and restart it.
> Behind the scene:
> sniffing of protocol show clearly that continuum, when "getting" the pom mentionned in
add project, always uses the same basic authentification, whatever the user type in in user/pass
boxes. It's always the first attempt that get used

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://jira.codehaus.org/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

        

Mime
View raw message