Dev - Nexus Repo
NEXUS-8036

User Token Protect Content feature should return 401 with message

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 2.11.1
    • Fix Version/s: 2.11.4
    • Component/s: User Token
    • Labels:
    • Story Points: 0.5
    • Sprint: Sprint 47

      Description

      Enable User Token and the Protect Content feature.

      When a request is made to a /content path with valid credentials that are not Nexus user token credentials, Nexus responds with 401, but no entity explaining why.

      Problems:

      • the end user is confused, because they know they have entered technically valid organization credentials.
      • the Nexus admin is confused because they either have forgotten about, or were not the ones who set up, the Protect Content feature, or just assume protecting content is a good idea, so they leave the box enabled.
      • the Protect Content feature is valuable, but it is a rather odd special case that affects all realms in Nexus because of the special Token it creates internally, so an administrator is not reminded it may be in play, because it is not configured near where all the other realms are configured.
      • a Nexus admin must enable DEBUG and TRACE logs to see why there was a 401, assuming they can even understand which loggers to enable and what to look for:
      2015-01-27 09:20:46,735+1100 DEBUG [qtp1087360683-4837 - /nexus/content/repositories/releases-p2/content.jar] *UNKNOWN org.apache.shiro.realm.AuthenticatingRealm - AuthenticationInfo caching is disabled for info [exampleuser].  Submitted token: [ContentRestrictedToken{principal=exampleuser, host='192.168.47.138'}].
      2015-01-27 09:20:46,743+1100 TRACE [qtp1087360683-4837 - /nexus/content/repositories/releases-p2/content.jar] *UNKNOWN org.sonatype.security.authentication.FirstSuccessfulModularRealmAuthenticator - Realm [com.sonatype.nexus.usertoken.plugin.realm.UserTokenRealm@63a24ea4] threw an exception during a multi-realm authentication attempt:
      org.apache.shiro.authc.IncorrectCredentialsException: Submitted credentials for token [ContentRestrictedToken{principal=exampleuser, host='192.168.47.138'}] did not match the expected credentials.
      2015-01-27 09:20:46,744+1100 TRACE [qtp1087360683-4837 - /nexus/content/repositories/releases-p2/content.jar] *UNKNOWN org.sonatype.security.authentication.FirstSuccessfulModularRealmAuthenticator - Realm of type [org.sonatype.security.realms.XmlAuthenticatingRealm@1bd03b75] does not support token [ContentRestrictedToken{principal=exampleuser, host='192.168.47.138'}].  Skipping realm.
      2015-01-27 09:20:46,744+1100 TRACE [qtp1087360683-4837 - /nexus/content/repositories/releases-p2/content.jar] *UNKNOWN org.sonatype.security.authentication.FirstSuccessfulModularRealmAuthenticator - Realm of type [org.sonatype.security.realms.XmlAuthorizingRealm@3ef8c97] does not support token [ContentRestrictedToken{principal=exampleuser, host='192.168.47.138'}].  Skipping realm.
      2015-01-27 09:20:46,744+1100 TRACE [qtp1087360683-4837 - /nexus/content/repositories/releases-p2/content.jar] *UNKNOWN org.sonatype.security.authentication.FirstSuccessfulModularRealmAuthenticator - Realm of type [com.sonatype.nexus.crowd.internal.CrowdRealm@63f70f85] does not support token [ContentRestrictedToken{principal=exampleuser, host='192.168.47.138'}].  Skipping realm.

      Improvement: Simply continue to respond with 401, but include a simple message body explaining the reasoning - that user token credentials are being enforced in Nexus. In this way a simple test using curl that gets a 401 response will help the admin, end user or Sonatype Support in quickly identifying the problem.
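      The failure mode above, modelled as an added example (this is not Nexus or Shiro code, and not part of the original issue). Realm and token class names mirror the TRACE log in the description; the credential stores, the handle_content_request() filter, the realm order and the 401 body wording are assumptions made for this illustration. It shows why technically valid organization credentials are rejected on /content once Protect Content is on (every realm except UserTokenRealm skips the ContentRestrictedToken), and contrasts the empty 401 the issue reports with the explanatory 401 it asks for.

```python
"""Model of the Nexus 2 authentication path described in NEXUS-8036.
Added illustration only: realm/token names follow the issue's TRACE log;
credential stores, the content filter and the 401 body text are assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class UsernamePasswordToken:
    principal: str
    credentials: str


@dataclass(frozen=True)
class ContentRestrictedToken:
    """Token Nexus creates internally for /content when Protect Content is on."""
    principal: str
    credentials: str
    host: str


class IncorrectCredentialsException(Exception):
    pass


class Realm:
    supported = ()  # token classes this realm can authenticate

    def __init__(self, store=None):
        self.store = dict(store or {})  # constructed principal -> credential map

    def supports(self, token):
        return type(token) in self.supported

    def authenticate(self, token):
        if self.store.get(token.principal) != token.credentials:
            raise IncorrectCredentialsException(
                f"Submitted credentials for token [{token!r}] did not match "
                "the expected credentials.")
        return token.principal


class UserTokenRealm(Realm):
    # Assumed: accepts the restricted token and plain user-token logins alike.
    supported = (ContentRestrictedToken, UsernamePasswordToken)


class XmlAuthenticatingRealm(Realm):
    supported = (UsernamePasswordToken,)  # never ContentRestrictedToken


class XmlAuthorizingRealm(Realm):
    supported = ()  # authorization only; skipped for every authentication


class CrowdRealm(Realm):
    supported = (UsernamePasswordToken,)  # never ContentRestrictedToken


def first_successful(realms, token, trace):
    """FirstSuccessfulModularRealmAuthenticator as the issue's TRACE log shows it:
    unsupported realms are skipped, the first success wins, failures are logged."""
    for realm in realms:
        name = type(realm).__name__
        if not realm.supports(token):
            trace.append(f"Realm of type [{name}] does not support token "
                         f"[{token!r}]. Skipping realm.")
            continue
        try:
            principal = realm.authenticate(token)
            trace.append(f"Realm [{name}] authenticated [{principal}]")
            return principal
        except IncorrectCredentialsException as exc:
            trace.append(f"Realm [{name}] threw an exception during a "
                         f"multi-realm authentication attempt: {exc}")
    return None


def build_realms():
    """Realm chain in the order the issue's log shows; all credentials are made up."""
    return [
        UserTokenRealm({"AbCdEfGh": "token-passcode"}),  # user token name/passcode
        XmlAuthenticatingRealm({"exampleuser": "org-password"}),
        XmlAuthorizingRealm(),
        CrowdRealm({"exampleuser": "org-password"}),
    ]


def handle_content_request(path, user, password, host, realms,
                           protect_content=True, explain_401=False):
    """Return (status, body, trace). explain_401=False is the behaviour the issue
    reports (empty body); explain_401=True is the improvement it asks for."""
    if protect_content and path.startswith("/content/"):
        token = ContentRestrictedToken(user, password, host)
    else:
        token = UsernamePasswordToken(user, password)
    trace = []
    principal = first_successful(realms, token, trace)
    if principal is not None:
        return 200, f"authenticated as {principal}", trace
    body = ""
    if explain_401 and isinstance(token, ContentRestrictedToken):
        # Hypothetical wording; the issue asks only that the reason be stated.
        body = ("Authentication failed: the User Token Protect Content feature is "
                "enabled, so /content requires Nexus user token credentials.")
    return 401, body, trace


if __name__ == "__main__":
    for explain in (False, True):
        status, body, trace = handle_content_request(
            "/content/repositories/releases-p2/content.jar", "exampleuser",
            "org-password", "192.168.47.138", build_realms(), explain_401=explain)
        print(status, repr(body))
        print("\n".join(trace))
```

      Run stand-alone it prints the same sequence the TRACE log in the description shows (UserTokenRealm throws, every other realm skips the token) followed by the 401, first with an empty body and then with the explanatory body. Against a real Nexus the equivalent check is a curl request with -i to /content using organization credentials: with the fix, the 401 body names user token enforcement instead of leaving the admin to enable DEBUG/TRACE logging.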

      People

      Assignee: Brad Beck (bradbeck)
      Reporter: Peter Lynch (plynch)
      Last Updated By: Peter Lynch
      Votes: 0
      Watchers: 2