  1. Dev - Nexus Repo
  2. NEXUS-18712

jetty-http-redirect-to-https.xml overrides the default Jetty security filter allowing TRACE requests

    Details

    • Story Points:
      2

      Description

      By default Nexus does not allow HTTP TRACE requests.

      $ curl -X TRACE -v http://localhost:8081/
      *   Trying ::1...
      * TCP_NODELAY set
      * Connection failed
      * connect to ::1 port 8081 failed: Connection refused
      *   Trying 127.0.0.1...
      * TCP_NODELAY set
      * Connected to localhost (127.0.0.1) port 8081 (#0)
      > TRACE / HTTP/1.1
      > Host: localhost:8081
      > User-Agent: curl/7.54.0
      > Accept: */*
      > 
      < HTTP/1.1 403 Forbidden
      
      
      

      However, if you add the "jetty-http-redirect-to-https.xml" file to the nexus-args in nexus.properties, TRACE requests will succeed. I think this is because that configuration file is setting a new securityHandler without calling the existing one.

            People

            Assignee:
            mbucher Michael Bucher
            Reporter:
            rseddon Rich Seddon
            Last Updated By:
            Peter Lynch Peter Lynch
            Team:
            NXRM - Morpheus
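
A regression check for the behaviour reported above, as an added example that is not part of the original issue or of Nexus itself: it sends TRACE and reports whether the server refuses it. The two handler classes are constructed stand-ins for the default and the regressed behaviour so the check runs offline; all function and class names are hypothetical, and counting 405 and 501 as refusals alongside the 403 shown in the description is an assumption.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

REFUSED = {403, 405, 501}  # 403 is what the page shows; 405/501 assumed equivalent

def trace_status(url, timeout=5.0):
    """Send TRACE to url and return the HTTP status code."""
    parts = urlsplit(url)
    cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = cls(parts.hostname, parts.port, timeout=timeout)
    try:
        conn.request("TRACE", parts.path or "/")
        return conn.getresponse().status
    finally:
        conn.close()

def trace_refused(url):
    """True when the server rejects TRACE, False when it answers it."""
    return trace_status(url) in REFUSED

class Quiet(BaseHTTPRequestHandler):
    def log_message(self, *args):  # silence per-request logging
        pass

class RefusesTrace(Quiet):
    """Constructed stand-in for the default behaviour: TRACE -> 403."""
    def do_TRACE(self):
        self.send_error(403)

class EchoesTrace(Quiet):
    """Constructed stand-in for the regressed behaviour: TRACE is answered."""
    def do_TRACE(self):
        body = self.requestline.encode()
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

def serve(handler):
    """Start handler on an ephemeral loopback port; return (server, url)."""
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}/"

if __name__ == "__main__":
    for handler in (RefusesTrace, EchoesTrace):
        print(handler.__name__, "refused:", trace_refused(serve(handler)[1]))
```

Against a real instance, call `trace_refused("http://localhost:8081/")` once without and once with the redirect file in nexus-args; the second call returning `False` reproduces the report.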