NEXUS-5830 (project: Dev - Nexus Repo)

/service/local/status resource creates http sessions


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 2.1, 2.2, 2.3, 2.4, 2.5, 2.6, 2.6.1, 2.11.1
    • Fix Version/s: 3.0.0-m3, 2.11.2
    • Component/s: Security, Transport
    • Labels: None
    • Story Points: 1
    • Sprint: Sprint 34, Sprint 35

      Description

      Starting in Nexus 2.1, authenticated requests to /service/local/status are creating HTTP sessions, even with a user agent that should not create sessions:

      Nexus 2.1
      > for i in {1..2}; do curl -u admin:admin123 http://localhost:2100/nexus/service/local/status -I -H "User-Agent: curl/"; done
      HTTP/1.1 200 OK
      Date: Fri, 16 Aug 2013 14:32:23 GMT
      Set-Cookie: JSESSIONID=64b626d9-5cd4-490b-bdfc-d22221b19191; Path=/nexus; HttpOnly
      Set-Cookie: rememberMe=deleteMe; Path=/nexus; Max-Age=0; Expires=Thu, 15-Aug-2013 14:32:23 GMT
      Content-Type: application/xml; charset=UTF-8
      Date: Fri, 16 Aug 2013 14:32:23 GMT
      Vary: Accept-Charset, Accept-Encoding, Accept-Language, Accept
      Server: Noelios-Restlet-Engine/1.1.6-SONATYPE-5348-V4
      Content-Length: 10983
      
      HTTP/1.1 200 OK
      Date: Fri, 16 Aug 2013 14:32:24 GMT
      Set-Cookie: JSESSIONID=bb59fe42-0019-4583-b1ba-ea81f0948fd7; Path=/nexus; HttpOnly
      Set-Cookie: rememberMe=deleteMe; Path=/nexus; Max-Age=0; Expires=Thu, 15-Aug-2013 14:32:24 GMT
      Content-Type: application/xml; charset=UTF-8
      Date: Fri, 16 Aug 2013 14:32:24 GMT
      Vary: Accept-Charset, Accept-Encoding, Accept-Language, Accept
      Server: Noelios-Restlet-Engine/1.1.6-SONATYPE-5348-V4
      Content-Length: 10983
      
      Nexus 2.0.6
      > for i in {1..2}; do curl -u admin:admin123 http://localhost:8082/service/local/status -I -H "User-Agent: curl/"; done
      HTTP/1.1 200 OK
      Date: Fri, 16 Aug 2013 14:37:59 GMT
      Set-Cookie: rememberMe=deleteMe; Path=/; Max-Age=0; Expires=Thu, 15-Aug-2013 14:37:59 GMT
      Content-Type: application/xml; charset=UTF-8
      Date: Fri, 16 Aug 2013 14:37:59 GMT
      Vary: Accept-Charset, Accept-Encoding, Accept-Language, Accept
      Server: Noelios-Restlet-Engine/1.1.6-SONATYPE-5348-V4
      Content-Length: 9882
      
      HTTP/1.1 200 OK
      Date: Fri, 16 Aug 2013 14:37:59 GMT
      Set-Cookie: rememberMe=deleteMe; Path=/; Max-Age=0; Expires=Thu, 15-Aug-2013 14:37:59 GMT
      Content-Type: application/xml; charset=UTF-8
      Date: Fri, 16 Aug 2013 14:37:59 GMT
      Vary: Accept-Charset, Accept-Encoding, Accept-Language, Accept
      Server: Noelios-Restlet-Engine/1.1.6-SONATYPE-5348-V4
      Content-Length: 9882

      There is a cookie IT that apparently does not check for this specific condition because it has been passing:

      testsuite/legacy-testsuite/src/test/java/org/sonatype/nexus/testsuite/security/nexus4257/Nexus4257CookieVerificationIT.java

      Also, I can no longer find anywhere in the code where specific user-agent strings are checked in order to decide whether a session should be created.

      NexusApplication.java adds some "noSessionCreation" filter bits, but it is not entirely obvious how all this works.
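      The check the cookie IT should be making, as an added example that is not part of this issue or of the Nexus code base: it parses transcripts of consecutive `curl -I` responses and reports whether any response handed out a new session cookie. A Set-Cookie that expires a cookie (Max-Age=0, like the rememberMe=deleteMe lines) is a deletion, not a session. The sample transcripts are constructed from the Set-Cookie lines quoted above; the cookie name JSESSIONID is the one the report shows.

```python
import re

# Constructed sample input: the Set-Cookie lines from the two transcripts in the
# report; consecutive `curl -I` responses are separated by a blank line.
NEXUS_2_1 = """\
HTTP/1.1 200 OK
Set-Cookie: JSESSIONID=64b626d9-5cd4-490b-bdfc-d22221b19191; Path=/nexus; HttpOnly
Set-Cookie: rememberMe=deleteMe; Path=/nexus; Max-Age=0; Expires=Thu, 15-Aug-2013 14:32:23 GMT

HTTP/1.1 200 OK
Set-Cookie: JSESSIONID=bb59fe42-0019-4583-b1ba-ea81f0948fd7; Path=/nexus; HttpOnly
Set-Cookie: rememberMe=deleteMe; Path=/nexus; Max-Age=0; Expires=Thu, 15-Aug-2013 14:32:24 GMT
"""
NEXUS_2_0_6 = """\
HTTP/1.1 200 OK
Set-Cookie: rememberMe=deleteMe; Path=/; Max-Age=0; Expires=Thu, 15-Aug-2013 14:37:59 GMT

HTTP/1.1 200 OK
Set-Cookie: rememberMe=deleteMe; Path=/; Max-Age=0; Expires=Thu, 15-Aug-2013 14:37:59 GMT
"""


def split_responses(raw):
    """Split a transcript of consecutive responses into lists of header lines."""
    blocks = re.split(r"\n\s*\n", raw.strip())
    return [[ln.strip() for ln in b.splitlines() if ln.strip()] for b in blocks]


def session_id(headers, cookie="JSESSIONID"):
    """Return the session id a response hands out, or None if it creates none.
    A Set-Cookie that expires the cookie (Max-Age=0) is a deletion, not a session."""
    for line in headers:
        name, _, value = line.partition(":")
        if name.strip().lower() != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        cname, _, cvalue = parts[0].partition("=")
        attrs = {p.partition("=")[0].lower(): p.partition("=")[2] for p in parts[1:]}
        if cname == cookie and attrs.get("max-age") != "0":
            return cvalue
    return None


def sessions_created(raw):
    """One entry per response: the new session id, or None."""
    return [session_id(h) for h in split_responses(raw)]


def stateless(raw):
    """True when no response in the transcript created a session, which is what
    a request with a non-browser User-Agent should produce."""
    return all(sid is None for sid in sessions_created(raw))
```

Run against the two transcripts it flags the 2.1 server (a fresh JSESSIONID on every request) and passes the 2.0.6 server.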

      Assignee: Joe Tom (jtom)
      Reporter: Peter Lynch (plynch)
      Last Updated By: Peter Lynch