-rw-r--r--src/main/java/com/gitblit/manager/AuthenticationManager.java8
-rw-r--r--src/main/java/com/gitblit/servlet/RpcFilter.java15
-rw-r--r--src/site/setup_proxy.mkd2
-rw-r--r--src/site/setup_transport_http.mkd12
4 files changed, 21 insertions, 16 deletions
diff --git a/src/main/java/com/gitblit/manager/AuthenticationManager.java b/src/main/java/com/gitblit/manager/AuthenticationManager.java
index f092bfed..49787631 100644
--- a/src/main/java/com/gitblit/manager/AuthenticationManager.java
+++ b/src/main/java/com/gitblit/manager/AuthenticationManager.java
@@ -204,7 +204,7 @@ public class AuthenticationManager implements IAuthenticationManager {
// Check if this request has already been authenticated, and trust that instead of re-processing
String reqAuthUser = (String) httpRequest.getAttribute(Constants.ATTRIB_AUTHUSER);
if (!StringUtils.isEmpty(reqAuthUser)) {
- logger.warn("Called servlet authenticate when request is already authenticated.");
+ logger.debug("Called servlet authenticate when request is already authenticated.");
return userManager.getUserModel(reqAuthUser);
}
@@ -466,6 +466,12 @@ public class AuthenticationManager implements IAuthenticationManager {
return null;
}
+ if (username.equalsIgnoreCase(Constants.FEDERATION_USER)) {
+ // can not authenticate internal FEDERATION_USER at this point
+ // it must be routed to FederationManager
+ return null;
+ }
+
String usernameDecoded = StringUtils.decodeUsername(username);
String pw = new String(password);
if (StringUtils.isEmpty(pw)) {
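Review bot: The new FEDERATION_USER guard compares the raw `username`, but the very next statement derives `usernameDecoded` via StringUtils.decodeUsername, and the rest of the method presumably authenticates with that decoded form, so an encoded spelling of the federation user name would slip past this check and still reach the normal credential path. Move the guard below the decode and test `usernameDecoded.equalsIgnoreCase(Constants.FEDERATION_USER)` instead, assuming decodeUsername is what the later lookups use. A debug-level log before the `return null` would also make a misrouted federation login observable rather than indistinguishable from a wrong password. The enclosing method starts and ends outside the hunk.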
diff --git a/src/main/java/com/gitblit/servlet/RpcFilter.java b/src/main/java/com/gitblit/servlet/RpcFilter.java
index 34474d55..355bcb96 100644
--- a/src/main/java/com/gitblit/servlet/RpcFilter.java
+++ b/src/main/java/com/gitblit/servlet/RpcFilter.java
@@ -128,7 +128,7 @@ public class RpcFilter extends AuthenticationFilter {
return;
} else {
// check user access for request
- if (user.canAdmin() || canAccess(user, requestType)) {
+ if (user.canAdmin() || !adminRequest) {
// authenticated request permitted.
// pass processing to the restricted servlet.
newSession(authenticatedRequest, httpResponse);
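Review bot: The access decision on the changed line now hinges entirely on `adminRequest`, which is assigned outside this hunk; with canAccess removed, every request type not classified as admin is permitted to any authenticated user, so that classification must come from the server-side RpcRequest value and never from anything the client supplies. A comment pinning that invariant next to the condition would help, e.g. `// adminRequest is derived server-side from the RpcRequest type; non-admin RPCs are open to any authenticated user`. The `else` on the line above follows a `return` and could be flattened. The enclosing method begins before and continues after the hunk.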
@@ -153,15 +153,4 @@ public class RpcFilter extends AuthenticationFilter {
// pass processing to the restricted servlet.
chain.doFilter(authenticatedRequest, httpResponse);
}
-
- private boolean canAccess(UserModel user, RpcRequest requestType) {
- switch (requestType) {
- case GET_PROTOCOL:
- return true;
- case LIST_REPOSITORIES:
- return true;
- default:
- return user.canAdmin();
- }
- }
-} \ No newline at end of file
+}
diff --git a/src/site/setup_proxy.mkd b/src/site/setup_proxy.mkd
index 4ae89875..4cf263dd 100644
--- a/src/site/setup_proxy.mkd
+++ b/src/site/setup_proxy.mkd
@@ -46,7 +46,7 @@ ProxyPreserveHost On
#ProxyPassreverse /gitblit http://localhost:8080/gitblit
# If your httpd frontend is https but you are proxying http Gitblit WAR or GO
-#Header edit Location ^http://([^⁄]+)/gitblit/ https://$1/gitblit/
+#Header edit Location ^http://([^/]+)/gitblit/ https://$1/gitblit/
# Additionally you will want to tell Gitblit the original scheme and port
#RequestHeader set X-Forwarded-Proto https
diff --git a/src/site/setup_transport_http.mkd b/src/site/setup_transport_http.mkd
index fd611d43..4de75963 100644
--- a/src/site/setup_transport_http.mkd
+++ b/src/site/setup_transport_http.mkd
@@ -5,7 +5,7 @@
You must tell Git/JGit not to verify the self-signed certificate in order to perform any remote Git operations.
**NOTE:**
-The default self-signed certificate generated by Gitlbit GO is bound to *localhost*.
+The default self-signed certificate generated by Gitblit GO is bound to *localhost*.
If you are using Eclipse/EGit/JGit clients, you will have to generate your own certificate that specifies the exact hostname used in your clone/push url.
You must do this because Eclipse/EGit/JGit (< 3.0) always verifies certificate hostnames, regardless of the *http.sslVerify=false* client-side setting.
@@ -17,6 +17,16 @@ Value = <em>false</em></pre>
- **Command-line Git** ([Git-Config Manual Page](http://www.kernel.org/pub/software/scm/git/docs/git-config.html))
<pre>git config --global --bool --add http.sslVerify false</pre>
+**NOTE:**
+When generating self-signed certificates, the default Java TLS settings will be used. These default settings will generate a weak Diffie-Hellman key.
+#### Java 8
+The default is a 1024 bit DH key.
+You can up the number of bits used by appending the following command line parameter when starting Gitblit:
+<pre>-Djdk.tls.ephemeralDHKeySize=2048</pre>
+2048 bits is the maximum (Java limitation), and is still considered secure as of this writing.
+#### Java 7
+The default is a 768 bit key. <b>This is hardcoded in Java 7 and cannot be changed.</b>. It is very weak. If you require longer DH keys, use Java 8.
+
### Http Post Buffer Size
You may find the default post buffer of your git client is too small to push large deltas to Gitblit. Sometimes this can be observed on your client as *hanging* during a push. Other times it can be observed by git erroring out with a message like: error: RPC failed; result=52, HTTP code = 0.