Message-ID: <3611269.1212360414050.JavaMail.haus-jira@codehaus01.managed.contegix.com>
Date: Sun, 1 Jun 2008 17:46:54 -0500 (CDT)
From: "Olivier Lamy (JIRA)"
To: issues@continuum.apache.org
Reply-To: dev@continuum.apache.org
Subject: [jira] Closed: (CONTINUUM-1723) wrong password use and chaching during add maven2 project
In-Reply-To: <3055668.1207905058354.JavaMail.haus-jira@codehaus01.managed.contegix.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1

     [ http://jira.codehaus.org/browse/CONTINUUM-1723?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Olivier Lamy closed CONTINUUM-1723.
-----------------------------------

         Assignee: Olivier Lamy
       Resolution: Cannot Reproduce
    Fix Version/s:     (was: 1.2)

I have done exactly the same steps. But for me at step 8, it works.
If you have the issue again, please reopen it.

> wrong password use and chaching during add maven2 project
> ---------------------------------------------------------
>
>                 Key: CONTINUUM-1723
>                 URL: http://jira.codehaus.org/browse/CONTINUUM-1723
>             Project: Continuum
>          Issue Type: Bug
>          Components: Integration - Maven 2, Security, Web interface
>    Affects Versions: 1.1
>         Environment: linux system, plexus server, (maestro1.5.1 bundle)
>            Reporter: David Delbecq
>            Assignee: Olivier Lamy
>            Priority: Critical
>
> When adding a maven2 project, if the provided pom.xml url (first field of form) requires user / pass authentication and you type in the wrong password or wrong username, continuum caches it and will always use it for the rest of its life. As a result it's impossible to get the pom.xml, even if you type the correct password in the field.
> Steps to reproduce
> # Go to continuum server
> # Type url of a pom.xml that requires server "basic" authentication
> # Type in any user/pass for that url that is incorrect (eg: foo:bar)
> # Click add
> # Page shows the form again, telling "there was a problem getting the pom.xml"
> # Type in correct user/password
> # Click add
> # Page shows up again telling the same problem
> # Logout, login, try again with correct user/password
> # Still impossible
> # Logout, close your browser, clean your cookies and everything
> # Login, try again with correct user/password
> # Still impossible
> # Shutdown continuum server and its JVM, restart it
> # Login, try again with correct user/password
> # *Success!*
> # Try to add a second project, with another url on *same* http server, with incorrect user/pass
> # *Success!*
> As a conclusion, continuum caches somewhere the first user / pass, even if incorrect, and will reuse it every time you access this server. This is a problem in an environment where multiple teams share a common continuum server, a common svn server (with different access rights at different project nodes) and have rights to add projects. The first team member to add a project will have his user/password right forced on every other user trying to add a project.
> The only solution I found so far is, after adding a project, to shutdown the jvm hosting continuum and restart it.
> Behind the scene:
> Sniffing of the protocol shows clearly that continuum, when "getting" the pom mentioned in add project, always uses the same basic authentication, whatever the user types in the user/pass boxes. It's always the first attempt that gets used.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://jira.codehaus.org/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira