[jbosstools-issues] [JBoss JIRA] Issue Comment Edited: (JBDS-1583) Auth failed when accessing JBDS updatesites

Nick Boldt (JIRA) jira-events at lists.jboss.org
Wed Mar 2 16:56:05 EST 2011


    [ https://issues.jboss.org/browse/JBDS-1583?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12585548#comment-12585548 ] 

Nick Boldt edited comment on JBDS-1583 at 3/2/11 4:54 PM:
----------------------------------------------------------

One workaround here would be to move the update site to an unprotected but obscurely named folder, like 

https://devstudio.jboss.com/updates/4.0-SDSDFHLIK23I487IDSFKLWDRUWREF12389DFILANSDD387AO8S7DAS4O8A7SDAKL7ELAW7483LA7

then rather than publish the URL, we give people a zip, like the one attached.

To get updates, they'd manually add the zip via Help > Install new software > Add > Archive > browse for the zip.

This would give them the URL of the site, but buried in a zip file we could put in the CSP. No typing, no passwords, etc. 

Only drawback is that the /updates/4.0/ URL would therefore be empty.

In future, we could look at a plugin in JBDS that could somehow resolve credentials from the CSP and use that to get a per-user update site URL which they could use.

Similar to the contents of the zip, we would GENERATE a folder like http://access.redhat.com/whatever/something/something/nboldt@redhat.com/jbds/4.0/updates/ which would contain the composite metadata pointing at the real location of the site.

This is as secure as having a public registration form to get the username/password, in that it could be just as easily blogged/shared and therefore circumvented.

      was (Author: nickboldt):
    One workaround here would be to move the update site to an unprotected but obscurely named folder, like 

https://devstudio.jboss.com/updates/4.0-SDSDFHLIK23I487IDSFKLWDRUWREF12389DFILANSDD387AO8S7DAS4O8A7SDAKL7ELAW7483LA7

then rather than publish the URL, we give people a zip, like the one attached.

To get updates, they'd manually add the zip via Help > Install new software > Add > Archive > browse for the zip.

This would give them the URL of the site, but buried in a zip file we could put in the CSP. No typing, no passwords, etc. 

Only drawback is that the /updates/4.0/ URL would therefore be empty.

In future, we could look at a plugin in JBDS that could somehow resolve credentials from the CSP and use that to get a per-user update site URL which they could use.

Similar to the contents of the zip, we could have http://access.redhat.com/whatever/something/something/nboldt@redhat.com/jbds/4.0/updates/ which would contain the composite metadata pointing at the real location of the site.

This is as secure as having a public registration form to get the username/password, in that it could be just as easily blogged/shared and therefore circumvented.
  
> Auth failed when accessing JBDS updatesites
> -------------------------------------------
>
>                 Key: JBDS-1583
>                 URL: https://issues.jboss.org/browse/JBDS-1583
>             Project: Developer Studio (JBoss Developer Studio)
>          Issue Type: Bug
>          Components: updatesite
>    Affects Versions: 4.0.0.GA
>            Reporter: Libor Zoubek
>            Assignee: Nick Boldt
>            Priority: Critical
>         Attachments: auth_error.png, standalone.zip
>
>
> applies to https://devstudio.jboss.com/updates/4.0/ and https://devstudio.jboss.com/updates/4.0/extras

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira

