403 Forbidden error when using SVNKit and NTLM for authentication in Subversion

お困りですか?

アトラシアン コミュニティをご利用ください。

コミュニティに質問

問題

When a domain / NTLM user (DOMAIN\username) is specified for authentication with Subversion, if using the bundled SVNKit library, the following error gets written in atlassian-fisheye.log:

2017-02-22 13:19:05,937 DEBUG [InitPing3 SVNRepo ] fisheye RepositoryStatus-setMessage - Status change [SVNRepo]: Contacting repository.
2017-02-22 13:19:05,937 INFO  [InitPing3 SVNRepo ] fisheye BaseRepositoryScanner-ping - processing repository SVNRepo (SVNRepo)
2017-02-22 13:19:05,937 DEBUG [InitPing3 SVNRepo ] fisheye PartitionedChangeSetPhaseQueues-withRetriableTransaction - Transaction_100000011 depth=0 status=<not running> completed, attempts = 1
2017-02-22 13:19:05,937 INFO  [InitPing3 SVNRepo ] fisheye Svn2Scanner-doSlurpTransaction - Starting slurp of SVNRepo (SVNRepo)
2017-02-22 13:19:05,937 DEBUG [InitPing3 SVNRepo ] fisheye SvnRepositoryTester-checkRepoSettings - Checking repository:  SVNRepo:http://hostname/SVNRepo/
2017-02-22 13:19:05,937 DEBUG [SvnExecution1113 SVNRepo ] fisheye SvnTask$1-run - Executing (InitPing3 SVNRepo) svn info -r HEAD http://hostname/SVNRepo/@HEAD
2017-02-22 13:19:05,937 WARN  [InitPing3 SVNRepo ] fisheye SvnRepositoryTester-getServerRootURL - Unable to get info for the repository root for SVNRepo
com.cenqua.fisheye.rep.RepositoryClientException: java.lang.IllegalStateException: Can't overwrite cause with org.tmatesoft.svn.core.SVNAuthenticationException: svn: E170001: PROPFIND of '/SVNRepo/!svn/bc/5639': 403 Forbidden (http://hostname)
	at com.cenqua.fisheye.svn.SvnThrottledClient.executeNoThrottle(SvnThrottledClient.java:189) [fisheye.jar:?]
	at com.cenqua.fisheye.svn.SvnThrottledClient.execute(SvnThrottledClient.java:158) [fisheye.jar:?]
	at com.cenqua.fisheye.svn.SvnThrottledClient.info(SvnThrottledClient.java:110) [fisheye.jar:?]
	at com.cenqua.fisheye.svn.SvnRepositoryTester.getServerRootURL(SvnRepositoryTester.java:91) [fisheye.jar:?]
	at com.cenqua.fisheye.svn.SvnRepositoryTester.checkRepoSettings(SvnRepositoryTester.java:74) [fisheye.jar:?]
	at com.cenqua.fisheye.svn.SvnRepositoryTester.testConnection(SvnRepositoryTester.java:67) [fisheye.jar:?]
	at com.atlassian.fisheye.svn.Svn2Scanner.validateRepository(Svn2Scanner.java:133) [fisheye.jar:?]
	at com.atlassian.fisheye.svn.Svn2Scanner.doSlurpTransaction(Svn2Scanner.java:181) [fisheye.jar:?]
	at com.cenqua.fisheye.rep.BaseRepositoryScanner.ping(BaseRepositoryScanner.java:73) [fisheye.jar:?]
	at com.cenqua.fisheye.rep.BaseRepositoryEngine.doSlurp(BaseRepositoryEngine.java:85) [fisheye.jar:?]
	at com.cenqua.fisheye.rep.RepositoryEngine.slurp(RepositoryEngine.java:419) [fisheye.jar:?]
	at com.cenqua.fisheye.rep.ping.IndexingPingRequest.doRequest(IndexingPingRequest.java:28) [fisheye.jar:?]
	at com.cenqua.fisheye.rep.ping.IncrementalPingRequest.doRequest(IncrementalPingRequest.java:30) [fisheye.jar:?]
	at com.cenqua.fisheye.rep.ping.PingRequest$1.run(PingRequest.java:55) [fisheye.jar:?]
	at com.cenqua.fisheye.util.NamedExecution.run(NamedExecution.java:27) [fisheye.jar:?]
	at com.cenqua.fisheye.rep.ping.PingRequest.process(PingRequest.java:52) [fisheye.jar:?]
	at com.cenqua.fisheye.rep.RepositoryHandle.processPingRequests(RepositoryHandle.java:211) [fisheye.jar:?]
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [?:1.8.0_102]
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [?:1.8.0_102]
	at java.lang.Thread.run(Thread.java:745) [?:1.8.0_102]
Caused by: java.lang.IllegalStateException: Can't overwrite cause with org.tmatesoft.svn.core.SVNAuthenticationException: svn: E170001: PROPFIND of '/SVNRepo/!svn/bc/5639': 403 Forbidden (http://hostname)
	at java.lang.Throwable.initCause(Throwable.java:457) [?:1.8.0_102]
	at org.tmatesoft.svn.core.javahl17.SVNClientImpl.getClientException(SVNClientImpl.java:1536) [svnkit-javahl16-1.9.0-r10609-atlassian-hosted.jar:?]
	at org.tmatesoft.svn.core.javahl17.SVNClientImpl.info(SVNClientImpl.java:1734) [svnkit-javahl16-1.9.0-r10609-atlassian-hosted.jar:?]
	at org.tmatesoft.svn.core.javahl17.SVNClientImpl.info2(SVNClientImpl.java:1710) [svnkit-javahl16-1.9.0-r10609-atlassian-hosted.jar:?]
	at org.apache.subversion.javahl.SVNClient.info2(SVNClient.java:307) [svnkit-javahl16-1.9.0-r10609-atlassian-hosted.jar:?]
	at com.cenqua.fisheye.svn.SvnThrottledClient$1.call(SvnThrottledClient.java:116) [fisheye.jar:?]
	at com.cenqua.fisheye.svn.SvnThrottledClient$1.call(SvnThrottledClient.java:111) [fisheye.jar:?]
	at java.util.concurrent.FutureTask.run(FutureTask.java:266) [?:1.8.0_102]
	at com.cenqua.fisheye.svn.SvnTask.access$101(SvnTask.java:13) [fisheye.jar:?]
	at com.cenqua.fisheye.svn.SvnTask$1.run(SvnTask.java:35) [fisheye.jar:?]
	at com.cenqua.fisheye.util.NamedExecution.run(NamedExecution.java:27) [fisheye.jar:?]
	at com.cenqua.fisheye.svn.SvnTask.run(SvnTask.java:30) [fisheye.jar:?]
	... 3 more
Caused by: org.apache.subversion.javahl.ClientException: svn: E170001: PROPFIND of '/SVNRepo/!svn/bc/5639': 403 Forbidden (http://hostname)
	at org.apache.subversion.javahl.ClientException.fromException(ClientException.java:117) [svnkit-javahl16-1.9.0-r10609-atlassian-hosted.jar:?]
	at org.tmatesoft.svn.core.javahl17.SVNClientImpl.getClientException(SVNClientImpl.java:1535) [svnkit-javahl16-1.9.0-r10609-atlassian-hosted.jar:?]
	... 13 more

If the repository server only offers NTLM authentication, then SVNKit cannot connect reliably.

原因

According to SVNKit documentation it should work with NTLM, but this doesn't seem to be working well.

FE-4164 - Getting issue details... STATUS  is the existing feature request to provide NTLM support for Fisheye.

ソリューション

Switch to Basic Authentication, by following these steps:

  1. Configure repository server to offer both Basic and NTLM authentication (Apache httpd only).
    Use Apache mod_auth_sspi module on the server side, and add the following option to the Subversion repository location:

    SSPIOfferBasic On
  2. Force Fisheye to prefer Basic Authentication
    Force Fisheye/SVNKit to prefer basic authentication by adding the following to the FISHEYE_OPTS environment variable:

    -Dsvnkit.http.methods=Basic,Digest,Negotiate,NTLM
  3. You will then likely have to create a new Subversion user that uses basic authentication, and configure that user in Fisheye.
最終更新日 2018 年 11 月 2 日

この内容はお役に立ちましたか?

はい
いいえ
この記事についてのフィードバックを送信する
Powered by Confluence and Scroll Viewport.