Uploaded image for project: 'Dev - Nexus Repo'
  1. Dev - Nexus Repo
  2. NEXUS-6269

UI: Capabilities Admin gets 403 response trying to read Capability Types

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.7.1
    • Fix Version/s: 2.8
    • Component/s: Capabilities, Security
    • Labels:
      None
    • Sprint:
      Sprint 11

      Description

      A user with UI: Capabilities Admin and UI: Base UI Privileges cannot get the Capabilities Types ( returns 403) even though the roles do give the user Capability Types: Read access.

      > curl -u cap:admin123 http://localhost:8081/nexus/service/siesta/capabilities/types
      {"id":"fdd3b733-9d27-4ab9-8c4a-3ae7b18f7944","message":"User is not permitted: nexus:capabilityTypesread"}
      
      jvm 1    | 2014-02-10 11:07:12 DEBUG [qtp253747277-78] cap org.sonatype.nexus.plugins.siesta.AuthorizationExceptionMapper - (ID fdd3b733-9d27-4ab9-8c4a-3ae7b18f7944) Mapping exception: org.apache.shiro.authz.AuthorizationException: User is not permitted: nexus:capabilityTypesread
      jvm 1    | 2014-02-10 11:07:12 WARN  [qtp253747277-78] cap org.sonatype.nexus.plugins.siesta.AuthorizationExceptionMapper - (ID fdd3b733-9d27-4ab9-8c4a-3ae7b18f7944) Response: [403] ErrorXO{id='fdd3b733-9d27-4ab9-8c4a-3ae7b18f7944', message='User is not permitted: nexus:capabilityTypesread'} mapped from org.apache.shiro.authz.AuthorizationException/User is not permitted: nexus:capabilityTypesread
      jvm 1    | org.apache.shiro.authz.AuthorizationException: User is not permitted: nexus:capabilityTypesread
      jvm 1    | 	at org.sonatype.security.authorization.ExceptionCatchingModularRealmAuthorizer.checkPermission(ExceptionCatchingModularRealmAuthorizer.java:66) ~[nexus-security-2.7.1-01.jar:2.7.1-01]
      jvm 1    | 	at org.apache.shiro.mgt.AuthorizingSecurityManager.checkPermission(AuthorizingSecurityManager.java:137) ~[shiro-core-1.2.2.jar:1.2.2]
      jvm 1    | 	at org.apache.shiro.subject.support.DelegatingSubject.checkPermission(DelegatingSubject.java:205) [shiro-core-1.2.2.jar:1.2.2]
      jvm 1    | 	at org.apache.shiro.authz.aop.PermissionAnnotationHandler.assertAuthorized(PermissionAnnotationHandler.java:74) ~[shiro-core-1.2.2.jar:1.2.2]
      jvm 1    | 	at org.apache.shiro.authz.aop.AuthorizingAnnotationMethodInterceptor.assertAuthorized(AuthorizingAnnotationMethodInterceptor.java:84) ~[shiro-core-1.2.2.jar:1.2.2]
      jvm 1    | 	at org.apache.shiro.authz.aop.AuthorizingAnnotationMethodInterceptor.invoke(AuthorizingAnnotationMethodInterceptor.java:67) ~[shiro-core-1.2.2.jar:1.2.2]
      jvm 1    | 	at org.apache.shiro.guice.aop.AopAllianceMethodInterceptorAdapter.invoke(AopAllianceMethodInterceptorAdapter.java:36) ~[shiro-guice-1.2.2.jar:1.2.2]
      jvm 1    | 	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[na:1.7.0_51]
      jvm 1    | 	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) ~[na:1.7.0_51]
      jvm 1    | 	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[na:1.7.0_51]
      jvm 1    | 	at java.lang.reflect.Method.invoke(Method.java:606) ~[na:1.7.0_51]
      jvm 1    | 	at com.sun.jersey.spi.container.JavaMethodInvokerFactory$1.invoke(JavaMethodInvokerFactory.java:60) ~[jersey-server-1.17.1.jar:1.17.1]
      jvm 1    | 	at com.sun.jersey.server.impl.model.method.dispatch.AbstractResourceMethodDispatchProvider$TypeOutInvoker._dispatch(AbstractResourceMethodDispatchProvider.java:185) ~[jersey-server-1.17.1.jar:1.17.1]
      jvm 1    | 	at com.sun.jersey.server.impl.model.method.dispatch.ResourceJavaMethodDispatcher.dispatch(ResourceJavaMethodDispatcher.java:75) ~[jersey-server-1.17.1.jar:1.17.1]
      jvm 1    | 	at com.sun.jersey.server.impl.uri.rules.HttpMethodRule.accept(HttpMethodRule.java:302) ~[jersey-server-1.17.1.jar:1.17.1]
      jvm 1    | 	at com.sun.jersey.server.impl.uri.rules.ResourceClassRule.accept(ResourceClassRule.java:108) ~[jersey-server-1.17.1.jar:1.17.1]
      jvm 1    | 	at com.sun.jersey.server.impl.uri.rules.RightHandPathRule.accept(RightHandPathRule.java:147) ~[jersey-server-1.17.1.jar:1.17.1]
      jvm 1    | 	at com.sun.jersey.server.impl.uri.rules.RootResourceClassesRule.accept(RootResourceClassesRule.java:84) ~[jersey-server-1.17.1.jar:1.17.1]
      jvm 1    | 	at com.sun.jersey.server.impl.application.WebApplicationImpl._handleRequest(WebApplicationImpl.java:1511) [jersey-server-1.17.1.jar:1.17.1]
      jvm 1    | 	at com.sun.jersey.server.impl.application.WebApplicationImpl._handleRequest(WebApplicationImpl.java:1442) [jersey-server-1.17.1.jar:1.17.1]
      jvm 1    | 	at com.sun.jersey.server.impl.application.WebApplicationImpl.handleRequest(WebApplicationImpl.java:1391) [jersey-server-1.17.1.jar:1.17.1]
      jvm 1    | 	at com.sun.jersey.server.impl.application.WebApplicationImpl.handleRequest(WebApplicationImpl.java:1381) [jersey-server-1.17.1.jar:1.17.1]
      jvm 1    | 	at com.sun.jersey.spi.container.servlet.WebComponent.service(WebComponent.java:416) [jersey-servlet-1.17.1.jar:1.17.1]
      jvm 1    | 	at com.sun.jersey.spi.container.servlet.ServletContainer.service(ServletContainer.java:538) [jersey-servlet-1.17.1.jar:1.17.1]
      jvm 1    | 	at com.sun.jersey.spi.container.servlet.ServletContainer.service(ServletContainer.java:716) [jersey-servlet-1.17.1.jar:1.17.1]
      jvm 1    | 	at org.sonatype.sisu.siesta.server.internal.SiestaServlet.service(SiestaServlet.java:121) [siesta-server-1.5.2.jar:1.5.2]
      jvm 1    | 	at javax.servlet.http.HttpServlet.service(HttpServlet.java:848) [javax.servlet-3.0.0.v201112011016.jar:na]
      jvm 1    | 	at com.google.inject.servlet.ServletDefinition.doServiceImpl(ServletDefinition.java:278) [guice-servlet-3.1.4.jar:3.1.4]
      jvm 1    | 	at com.google.inject.servlet.ServletDefinition.doService(ServletDefinition.java:268) [guice-servlet-3.1.4.jar:3.1.4]
      jvm 1    | 	at com.google.inject.servlet.ServletDefinition.service(ServletDefinition.java:180) [guice-servlet-3.1.4.jar:3.1.4]
      jvm 1    | 	at com.google.inject.servlet.ManagedServletPipeline.service(ManagedServletPipeline.java:93) [guice-servlet-3.1.4.jar:3.1.4]
      jvm 1    | 	at com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:85) [guice-servlet-3.1.4.jar:3.1.4]
      jvm 1    | 	at org.sonatype.nexus.web.MdcUserContextFilter.doFilter(MdcUserContextFilter.java:57) [nexus-web-utils-2.7.1-01.jar:2.7.1-01]
      jvm 1    | 	at com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:82) [guice-servlet-3.1.4.jar:3.1.4]
      jvm 1    | 	at org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:61) [shiro-web-1.2.2.jar:1.2.2]
      jvm 1    | 	at org.apache.shiro.web.servlet.AdviceFilter.executeChain(AdviceFilter.java:108) [shiro-web-1.2.2.jar:1.2.2]
      jvm 1    | 	at org.apache.shiro.web.servlet.AdviceFilter.doFilterInternal(AdviceFilter.java:137) [shiro-web-1.2.2.jar:1.2.2]
      jvm 1    | 	at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125) [shiro-web-1.2.2.jar:1.2.2]
      jvm 1    | 	at org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:66) [shiro-web-1.2.2.jar:1.2.2]
      jvm 1    | 	at org.apache.shiro.web.servlet.AdviceFilter.executeChain(AdviceFilter.java:108) [shiro-web-1.2.2.jar:1.2.2]
      jvm 1    | 	at org.apache.shiro.web.servlet.AdviceFilter.doFilterInternal(AdviceFilter.java:137) [shiro-web-1.2.2.jar:1.2.2]
      jvm 1    | 	at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125) [shiro-web-1.2.2.jar:1.2.2]
      jvm 1    | 	at org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:66) [shiro-web-1.2.2.jar:1.2.2]
      jvm 1    | 	at org.apache.shiro.web.servlet.AbstractShiroFilter.executeChain(AbstractShiroFilter.java:449) [shiro-web-1.2.2.jar:1.2.2]
      jvm 1    | 	at org.apache.shiro.web.servlet.AbstractShiroFilter$1.call(AbstractShiroFilter.java:365) [shiro-web-1.2.2.jar:1.2.2]
      jvm 1    | 	at org.apache.shiro.subject.support.SubjectCallable.doCall(SubjectCallable.java:90) [shiro-core-1.2.2.jar:1.2.2]
      jvm 1    | 	at org.apache.shiro.subject.support.SubjectCallable.call(SubjectCallable.java:83) [shiro-core-1.2.2.jar:1.2.2]
      jvm 1    | 	at org.apache.shiro.subject.support.DelegatingSubject.execute(DelegatingSubject.java:383) [shiro-core-1.2.2.jar:1.2.2]
      jvm 1    | 	at org.apache.shiro.web.servlet.AbstractShiroFilter.doFilterInternal(AbstractShiroFilter.java:362) [shiro-web-1.2.2.jar:1.2.2]
      jvm 1    | 	at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125) [shiro-web-1.2.2.jar:1.2.2]
      jvm 1    | 	at com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:82) [guice-servlet-3.1.4.jar:3.1.4]
      jvm 1    | 	at com.google.inject.servlet.ManagedFilterPipeline.dispatch(ManagedFilterPipeline.java:120) [guice-servlet-3.1.4.jar:3.1.4]
      jvm 1    | 	at org.sonatype.nexus.web.NexusGuiceFilter$MultiFilterChain.doFilter(NexusGuiceFilter.java:83) [nexus-web-utils-2.7.1-01.jar:2.7.1-01]
      jvm 1    | 	at com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:89) [guice-servlet-3.1.4.jar:3.1.4]
      jvm 1    | 	at com.google.inject.servlet.ManagedFilterPipeline.dispatch(ManagedFilterPipeline.java:120) [guice-servlet-3.1.4.jar:3.1.4]
      jvm 1    | 	at org.sonatype.nexus.web.NexusGuiceFilter$MultiFilterChain.doFilter(NexusGuiceFilter.java:83) [nexus-web-utils-2.7.1-01.jar:2.7.1-01]
      jvm 1    | 	at org.sonatype.nexus.web.NexusGuiceFilter$MultiFilterPipeline.dispatch(NexusGuiceFilter.java:57) [nexus-web-utils-2.7.1-01.jar:2.7.1-01]
      jvm 1    | 	at com.google.inject.servlet.GuiceFilter$1.call(GuiceFilter.java:132) [guice-servlet-3.1.4.jar:3.1.4]
      jvm 1    | 	at com.google.inject.servlet.GuiceFilter$1.call(GuiceFilter.java:129) [guice-servlet-3.1.4.jar:3.1.4]
      jvm 1    | 	at com.google.inject.servlet.GuiceFilter$Context.call(GuiceFilter.java:206) [guice-servlet-3.1.4.jar:3.1.4]
      jvm 1    | 	at com.google.inject.servlet.GuiceFilter.doFilter(GuiceFilter.java:129) [guice-servlet-3.1.4.jar:3.1.4]
      jvm 1    | 	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1419) [jetty-servlet-8.1.11.v20130520.jar:8.1.11.v20130520]
      jvm 1    | 	at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:455) [jetty-servlet-8.1.11.v20130520.jar:8.1.11.v20130520]
      jvm 1    | 	at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:137) [jetty-server-8.1.11.v20130520.jar:8.1.11.v20130520]
      jvm 1    | 	at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:557) [jetty-security-8.1.11.v20130520.jar:8.1.11.v20130520]
      jvm 1    | 	at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:231) [jetty-server-8.1.11.v20130520.jar:8.1.11.v20130520]
      jvm 1    | 	at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1075) [jetty-server-8.1.11.v20130520.jar:8.1.11.v20130520]
      jvm 1    | 	at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:384) [jetty-servlet-8.1.11.v20130520.jar:8.1.11.v20130520]
      jvm 1    | 	at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:193) [jetty-server-8.1.11.v20130520.jar:8.1.11.v20130520]
      jvm 1    | 	at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1009) [jetty-server-8.1.11.v20130520.jar:8.1.11.v20130520]
      jvm 1    | 	at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:135) [jetty-server-8.1.11.v20130520.jar:8.1.11.v20130520]
      jvm 1    | 	at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:116) [jetty-server-8.1.11.v20130520.jar:8.1.11.v20130520]
      jvm 1    | 	at com.yammer.metrics.jetty.InstrumentedHandler.handle(InstrumentedHandler.java:200) [metrics-jetty-2.2.0.jar:na]
      jvm 1    | 	at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:154) [jetty-server-8.1.11.v20130520.jar:8.1.11.v20130520]
      jvm 1    | 	at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:116) [jetty-server-8.1.11.v20130520.jar:8.1.11.v20130520]
      jvm 1    | 	at org.eclipse.jetty.server.Server.handle(Server.java:370) [jetty-server-8.1.11.v20130520.jar:8.1.11.v20130520]
      jvm 1    | 	at org.eclipse.jetty.server.AbstractHttpConnection.handleRequest(AbstractHttpConnection.java:489) [jetty-server-8.1.11.v20130520.jar:8.1.11.v20130520]
      jvm 1    | 	at org.eclipse.jetty.server.AbstractHttpConnection.headerComplete(AbstractHttpConnection.java:949) [jetty-server-8.1.11.v20130520.jar:8.1.11.v20130520]
      jvm 1    | 	at org.eclipse.jetty.server.AbstractHttpConnection$RequestHandler.headerComplete(AbstractHttpConnection.java:1011) [jetty-server-8.1.11.v20130520.jar:8.1.11.v20130520]
      jvm 1    | 	at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:644) [jetty-http-8.1.11.v20130520.jar:8.1.11.v20130520]
      jvm 1    | 	at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:235) [jetty-http-8.1.11.v20130520.jar:8.1.11.v20130520]
      jvm 1    | 	at org.eclipse.jetty.server.AsyncHttpConnection.handle(AsyncHttpConnection.java:82) [jetty-server-8.1.11.v20130520.jar:8.1.11.v20130520]
      jvm 1    | 	at org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:668) [jetty-io-8.1.11.v20130520.jar:8.1.11.v20130520]
      jvm 1    | 	at org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:52) [jetty-io-8.1.11.v20130520.jar:8.1.11.v20130520]
      jvm 1    | 	at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:608) [jetty-util-8.1.11.v20130520.jar:8.1.11.v20130520]
      jvm 1    | 	at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:543) [jetty-util-8.1.11.v20130520.jar:8.1.11.v20130520]
      jvm 1    | 	at java.lang.Thread.run(Thread.java:744) [na:1.7.0_51]
      jvm 1    | Caused by: org.apache.shiro.authz.AuthorizationException: Not authorized to invoke method: public java.util.List org.sonatype.nexus.plugins.capabilities.internal.rest.CapabilityTypesResource.get(java.lang.Boolean)
      jvm 1    | 	at org.apache.shiro.authz.aop.AuthorizingAnnotationMethodInterceptor.assertAuthorized(AuthorizingAnnotationMethodInterceptor.java:90) ~[shiro-core-1.2.2.jar:1.2.2]
      jvm 1    | 	... 82 common frames omitted
      
      

        Attachments

          Activity

            People

            Assignee:
            plynch Peter Lynch
            Reporter:
            plynch Peter Lynch
            Last Updated By:
            Peter Lynch
            Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

              Dates

              Created:
              Updated:
              Resolved:
              Date of First Response:

                tigCommentSecurity.panel-title