403 Forbidden error when using SVNKit and NTLM for authentication in Subversion
Problem
When a domain / NTLM user (DOMAIN\username
) is specified for authentication with Subversion, if using the bundled SVNKit library, the following error gets written in atlassian-fisheye.log
:
2017-02-22 13:19:05,937 DEBUG [InitPing3 SVNRepo ] fisheye RepositoryStatus-setMessage - Status change [SVNRepo]: Contacting repository.
2017-02-22 13:19:05,937 INFO [InitPing3 SVNRepo ] fisheye BaseRepositoryScanner-ping - processing repository SVNRepo (SVNRepo)
2017-02-22 13:19:05,937 DEBUG [InitPing3 SVNRepo ] fisheye PartitionedChangeSetPhaseQueues-withRetriableTransaction - Transaction_100000011 depth=0 status=<not running> completed, attempts = 1
2017-02-22 13:19:05,937 INFO [InitPing3 SVNRepo ] fisheye Svn2Scanner-doSlurpTransaction - Starting slurp of SVNRepo (SVNRepo)
2017-02-22 13:19:05,937 DEBUG [InitPing3 SVNRepo ] fisheye SvnRepositoryTester-checkRepoSettings - Checking repository: SVNRepo:http://hostname/SVNRepo/
2017-02-22 13:19:05,937 DEBUG [SvnExecution1113 SVNRepo ] fisheye SvnTask$1-run - Executing (InitPing3 SVNRepo) svn info -r HEAD http://hostname/SVNRepo/@HEAD
2017-02-22 13:19:05,937 WARN [InitPing3 SVNRepo ] fisheye SvnRepositoryTester-getServerRootURL - Unable to get info for the repository root for SVNRepo
com.cenqua.fisheye.rep.RepositoryClientException: java.lang.IllegalStateException: Can't overwrite cause with org.tmatesoft.svn.core.SVNAuthenticationException: svn: E170001: PROPFIND of '/SVNRepo/!svn/bc/5639': 403 Forbidden (http://hostname)
at com.cenqua.fisheye.svn.SvnThrottledClient.executeNoThrottle(SvnThrottledClient.java:189) [fisheye.jar:?]
at com.cenqua.fisheye.svn.SvnThrottledClient.execute(SvnThrottledClient.java:158) [fisheye.jar:?]
at com.cenqua.fisheye.svn.SvnThrottledClient.info(SvnThrottledClient.java:110) [fisheye.jar:?]
at com.cenqua.fisheye.svn.SvnRepositoryTester.getServerRootURL(SvnRepositoryTester.java:91) [fisheye.jar:?]
at com.cenqua.fisheye.svn.SvnRepositoryTester.checkRepoSettings(SvnRepositoryTester.java:74) [fisheye.jar:?]
at com.cenqua.fisheye.svn.SvnRepositoryTester.testConnection(SvnRepositoryTester.java:67) [fisheye.jar:?]
at com.atlassian.fisheye.svn.Svn2Scanner.validateRepository(Svn2Scanner.java:133) [fisheye.jar:?]
at com.atlassian.fisheye.svn.Svn2Scanner.doSlurpTransaction(Svn2Scanner.java:181) [fisheye.jar:?]
at com.cenqua.fisheye.rep.BaseRepositoryScanner.ping(BaseRepositoryScanner.java:73) [fisheye.jar:?]
at com.cenqua.fisheye.rep.BaseRepositoryEngine.doSlurp(BaseRepositoryEngine.java:85) [fisheye.jar:?]
at com.cenqua.fisheye.rep.RepositoryEngine.slurp(RepositoryEngine.java:419) [fisheye.jar:?]
at com.cenqua.fisheye.rep.ping.IndexingPingRequest.doRequest(IndexingPingRequest.java:28) [fisheye.jar:?]
at com.cenqua.fisheye.rep.ping.IncrementalPingRequest.doRequest(IncrementalPingRequest.java:30) [fisheye.jar:?]
at com.cenqua.fisheye.rep.ping.PingRequest$1.run(PingRequest.java:55) [fisheye.jar:?]
at com.cenqua.fisheye.util.NamedExecution.run(NamedExecution.java:27) [fisheye.jar:?]
at com.cenqua.fisheye.rep.ping.PingRequest.process(PingRequest.java:52) [fisheye.jar:?]
at com.cenqua.fisheye.rep.RepositoryHandle.processPingRequests(RepositoryHandle.java:211) [fisheye.jar:?]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [?:1.8.0_102]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [?:1.8.0_102]
at java.lang.Thread.run(Thread.java:745) [?:1.8.0_102]
Caused by: java.lang.IllegalStateException: Can't overwrite cause with org.tmatesoft.svn.core.SVNAuthenticationException: svn: E170001: PROPFIND of '/SVNRepo/!svn/bc/5639': 403 Forbidden (http://hostname)
at java.lang.Throwable.initCause(Throwable.java:457) [?:1.8.0_102]
at org.tmatesoft.svn.core.javahl17.SVNClientImpl.getClientException(SVNClientImpl.java:1536) [svnkit-javahl16-1.9.0-r10609-atlassian-hosted.jar:?]
at org.tmatesoft.svn.core.javahl17.SVNClientImpl.info(SVNClientImpl.java:1734) [svnkit-javahl16-1.9.0-r10609-atlassian-hosted.jar:?]
at org.tmatesoft.svn.core.javahl17.SVNClientImpl.info2(SVNClientImpl.java:1710) [svnkit-javahl16-1.9.0-r10609-atlassian-hosted.jar:?]
at org.apache.subversion.javahl.SVNClient.info2(SVNClient.java:307) [svnkit-javahl16-1.9.0-r10609-atlassian-hosted.jar:?]
at com.cenqua.fisheye.svn.SvnThrottledClient$1.call(SvnThrottledClient.java:116) [fisheye.jar:?]
at com.cenqua.fisheye.svn.SvnThrottledClient$1.call(SvnThrottledClient.java:111) [fisheye.jar:?]
at java.util.concurrent.FutureTask.run(FutureTask.java:266) [?:1.8.0_102]
at com.cenqua.fisheye.svn.SvnTask.access$101(SvnTask.java:13) [fisheye.jar:?]
at com.cenqua.fisheye.svn.SvnTask$1.run(SvnTask.java:35) [fisheye.jar:?]
at com.cenqua.fisheye.util.NamedExecution.run(NamedExecution.java:27) [fisheye.jar:?]
at com.cenqua.fisheye.svn.SvnTask.run(SvnTask.java:30) [fisheye.jar:?]
... 3 more
Caused by: org.apache.subversion.javahl.ClientException: svn: E170001: PROPFIND of '/SVNRepo/!svn/bc/5639': 403 Forbidden (http://hostname)
at org.apache.subversion.javahl.ClientException.fromException(ClientException.java:117) [svnkit-javahl16-1.9.0-r10609-atlassian-hosted.jar:?]
at org.tmatesoft.svn.core.javahl17.SVNClientImpl.getClientException(SVNClientImpl.java:1535) [svnkit-javahl16-1.9.0-r10609-atlassian-hosted.jar:?]
... 13 more
If the repository server only offers NTLM authentication, then SVNKit cannot connect reliably.
Cause
According to SVNKit documentation it should work with NTLM, but configuration is needed as mentioned in the JAAS documentation eg. https://docs.oracle.com/javase/8/docs/technotes/guides/security/jaas/JAASRefGuide.html.
FE-4879 - Getting issue details... STATUS is the existing feature request to provide NTLM support for Fisheye.
Resolutions
Preferred - Enable JAAS in Fisheye
Steps to do this can be found here:
Switch to Basic Authentication, by following these steps:
Configure repository server to offer both Basic and NTLM authentication (Apache httpd only).
Use Apachemod_auth_sspi
module on the server side, and add the following option to the Subversion repository location:SSPIOfferBasic On
Force Fisheye to prefer Basic Authentication
Force Fisheye/SVNKit to prefer basic authentication by adding the following to theFISHEYE_OPTS
environment variable:-Dsvnkit.http.methods=Basic,Digest,Negotiate,NTLM
- You will then likely have to create a new Subversion user that uses basic authentication, and configure that user in Fisheye.