  1. Dev - Nexus Repo
  2. NEXUS-20926

anonymous user realm may be set to an invalid realm which will break the anonymous user

    Details

    • Type: Bug
    • Status: New
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 3.19.0
    • Fix Version/s: None
    • Component/s: Security
    • Labels:
    • Environment:
      Chrome MacOSX
    • Notability:
      3

      Description

      The anonymous user has a dropdown for the Realm which shows all realms. But not all realms have users assigned to them (e.g. docker bearer token realm). The "unusable" realms should not be shown and selectable to avoid confusion and prevent breakage of the anonymous user.

      Expected

      • Do not allow selecting invalid realms for the anonymous user in the anonymous user configuration. Enforce at REST API and UI levels.
        Valid realms would only be the Local Authorizing Realm (default), LDAP Realm, Crowd Realm. Unsure about SAML realm.
      • Invalid realms would include any realm associated with a token or without a standalone user directory (Docker Bearer Token Realm, Nuget API-key Realm, Conan Bearer Token Realm, npm Bearer Token Realm, User Token Realm, Default Role Realm)
      • TODO - consider how to warn an admin that they have an invalid realm selected on upgrade, and that they must select a valid realm to correct this

              People

              Assignee:
              Unassigned
              Reporter:
              jtom Joe Tom
              Last Updated By:
              Joe Tom
              Votes:
              4
              Watchers:
              8
