Dev - Nexus Repo: NEXUS-20936

onboarding admin user password change may attempt to change password of user in read only realm

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Parked
    • Affects Version/s: 3.18.1, 3.22.1
    • Fix Version/s: None
    • Component/s: Security
    • Labels:
    • Notability: 3

      Description

      Configure the realm order so that a read-only realm (LDAP or Crowd) comes before the NexusAuthenticationRealm.

      Possible reproduction requirement: have an admin user id in the external realm.

      When the admin user is prompted to change the admin user password, the operation fails.

      The UI shows an error message stating ReferenceError: response is not defined.

      The nexus.log reports:

      2019-08-21 09:52:09,502-0400 INFO  [qtp1590577993-156]  admin org.sonatype.nexus.rapture.internal.security.SessionServlet - Created session for user: admin
      2019-08-21 09:54:34,150-0400 WARN  [qtp1590577993-156]  admin org.sonatype.nexus.siesta.internal.UnexpectedExceptionMapper - (ID fed34c51-90e8-4720-b2b4-7bb9cfb3fd22) Unexpected exception: java.lang.UnsupportedOperationException
      java.lang.UnsupportedOperationException: null
      	at org.sonatype.nexus.security.user.AbstractReadOnlyUserManager.changePassword(AbstractReadOnlyUserManager.java:38)
      	at org.sonatype.nexus.security.internal.DefaultSecuritySystem.changePassword(DefaultSecuritySystem.java:534)
      	at org.sonatype.nexus.onboarding.internal.OnboardingResource.changeAdminPassword(OnboardingResource.java:92)
      	at org.sonatype.nexus.validation.internal.ValidationInterceptor.invoke(ValidationInterceptor.java:53)
      	at org.apache.shiro.guice.aop.AopAllianceMethodInvocationAdapter.proceed(AopAllianceMethodInvocationAdapter.java:49)
      	at org.apache.shiro.authz.aop.AuthorizingAnnotationMethodInterceptor.invoke(AuthorizingAnnotationMethodInterceptor.java:68)
      	at org.apache.shiro.guice.aop.AopAllianceMethodInterceptorAdapter.invoke(AopAllianceMethodInterceptorAdapter.java:36)
      	at org.apache.shiro.guice.aop.AopAllianceMethodInvocationAdapter.proceed(AopAllianceMethodInvocationAdapter.java:49)
      	at org.apache.shiro.authz.aop.AuthorizingAnnotationMethodInterceptor.invoke(AuthorizingAnnotationMethodInterceptor.java:68)
      	at org.apache.shiro.guice.aop.AopAllianceMethodInterceptorAdapter.invoke(AopAllianceMethodInterceptorAdapter.java:36)
      	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
      	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
      	at java.lang.reflect.Method.invoke(Method.java:498)
      	at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:140)
      	at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:294)
      	at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:248)
      	at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:235)
      	at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:402)
      	at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:209)
      	at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:227)
      	at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
      	at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
      	at org.sonatype.nexus.siesta.internal.resteasy.ComponentContainerImpl.service(ComponentContainerImpl.java:106)
      	at org.sonatype.nexus.siesta.SiestaServlet.service(SiestaServlet.java:137)
      
      

      Short term workaround

      To work around the prompt:

      Edit $data-dir/etc/nexus.properties

      Add a line:

      nexus.onboarding.enabled=false
      

      Restart NXRM. On restart, you will not be prompted to change the admin password.

      Expected

      NXRM should not try to change the password of an admin user held in a read-only realm and fail with an error. Possibly inform the user that the password should be changed in the external realm using that realm's own tools.
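As an added illustration, not Nexus code: a small Python model of the realm-ordered user lookup behind this report, showing the blind password change failing against a read-only realm (the UnsupportedOperationException in the trace) beside the guarded behaviour the Expected section asks for. UserManager, supports_write and the sample realm/user data are assumptions.

```python
# Added model of this report's failure, not Nexus code: realms are consulted
# in order and a read-only realm rejects password changes. UserManager,
# supports_write and the realm names below are assumed stand-ins.
class UnsupportedOperation(Exception):  # java.lang.UnsupportedOperationException
    pass

class UserManager:
    def __init__(self, realm, users, writable):
        self.realm = realm        # realm name, e.g. "LdapRealm"
        self.users = dict(users)  # user id -> password (constructed sample data)
        self.writable = writable

    def has_user(self, user_id):
        return user_id in self.users

    def supports_write(self):
        return self.writable

    def change_password(self, user_id, new_password):
        if not self.writable:  # mirrors AbstractReadOnlyUserManager.changePassword
            raise UnsupportedOperation(f"{self.realm} is read-only")
        self.users[user_id] = new_password

def find_user_manager(realm_order, user_id):
    # First realm in the configured order that knows the user wins.
    return next((m for m in realm_order if m.has_user(user_id)), None)

def change_admin_password_guarded(realm_order, new_password):
    # Expected behaviour: refuse read-only realms and say where to change it.
    manager = find_user_manager(realm_order, "admin")
    if manager is None:
        return "no configured realm knows user admin"
    if not manager.supports_write():
        return (f"admin is managed by read-only realm {manager.realm}; "
                "change the password with that realm's own tools")
    manager.change_password("admin", new_password)
    return "changed"

def attempt(fn, *args):
    # Return fn's result, or the exception class name if it raised.
    try:
        return fn(*args)
    except UnsupportedOperation as exc:
        return type(exc).__name__

# Constructed sample: read-only LDAP before the local realm, both with "admin".
LDAP = UserManager("LdapRealm", {"admin": "ldap-secret"}, writable=False)
LOCAL = UserManager("NexusAuthenticationRealm", {"admin": "admin123"}, writable=True)
REALM_ORDER = [LDAP, LOCAL]
```

Calling find_user_manager(REALM_ORDER, "admin").change_password(...) directly reproduces the blind path the onboarding resource takes; swapping the realm order makes the same call succeed against the local realm.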

      People

      Assignee: Unassigned
      Reporter: Peter Lynch (plynch)
      Last Updated By: Peter Lynch
      Team: NXRM - Tron
      Votes: 0
      Watchers: 3
