
add useful logging for siesta/wonderland/authenticate resource username mismatch

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.11.3
    • Fix Version/s: 2.11.4
    • Component/s: Security
    • Story Points:
      0.5
    • Sprint:
      Sprint 47

      Description

      When a request such as the following is sent, the end user gets a 400 status response with the message "Username mismatch":

      curl -v -4 -H "Accept: application/json" -H "Content-Type: application/json" --data '{"u":"YWRtaW4=","p":"YWRtaW4xMjM="}' http://localhost:8081/nexus/service/siesta/wonderland/authenticate
      

      The cause is that the user was authenticated as the anonymous user, because the credentials were present only in the JSON payload and not in a Basic Auth header. Since the anonymous username != the payload username, we return 400.

      The problem is that this is hard to diagnose without debug logging and a clearer indication of which two usernames failed to match.

      For example, the end user may also send a Basic Auth header whose username authenticates successfully, but with payload values that are base64-encoded incorrectly. The result is the same 400, and the user is left wondering where the problem lies.

      This can be improved with a simple logging adjustment.

      Expected:

      • log at WARN the authenticated username and payload username if they do not match
      • log at DEBUG the decoded usernames before the match attempt

      Reference: https://sonatype.zendesk.com/entries/39800446
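      As an added illustration (not code from Nexus), the following Python model shows the username check described above together with the WARN and DEBUG logging this issue asks for. The anonymous principal name and the handling of a payload field that is not valid base64 are assumptions.

```python
import base64
import binascii
import json
import logging

log = logging.getLogger("wonderland.authenticate")

ANONYMOUS = "anonymous"  # assumption: name of the anonymous subject


def decode_field(value):
    """Strictly base64-decode one payload field; None if it is not valid base64/UTF-8."""
    try:
        return base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def authenticate(authenticated_user, body):
    """Model of the resource's username check with the requested logging.

    authenticated_user: principal already established from the Basic Auth
                        header (ANONYMOUS when no header was sent).
    body: raw JSON request body, e.g. '{"u":"YWRtaW4=","p":"YWRtaW4xMjM="}'.
    Returns (http_status, message).
    """
    payload = json.loads(body)
    payload_user = decode_field(payload.get("u", ""))
    # DEBUG: both names before the comparison, so a bad encoding is visible
    log.debug("authenticated username=%r, decoded payload username=%r",
              authenticated_user, payload_user)
    if payload_user is None:
        # assumption: a field that will not decode is reported, then treated as a mismatch
        log.warning("payload username %r is not valid base64; cannot match against %r",
                    payload.get("u"), authenticated_user)
        return 400, "Username mismatch"
    if payload_user != authenticated_user:
        # WARN: name both sides instead of returning a bare 400
        log.warning("Username mismatch: authenticated as %r but payload username is %r "
                    "(credentials only in the JSON payload do not authenticate the request)",
                    authenticated_user, payload_user)
        return 400, "Username mismatch"
    return 200, "OK"


if __name__ == "__main__":
    logging.basicConfig(level=logging.DEBUG)
    body = '{"u":"YWRtaW4=","p":"YWRtaW4xMjM="}'  # constructed body from the curl example
    print(authenticate(ANONYMOUS, body))  # no Basic Auth header -> (400, 'Username mismatch')
    print(authenticate("admin", body))    # header user admin -> (200, 'OK')
```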

            People

            Assignee:
            msurani Mahendra Surani
            Reporter:
            plynch Peter Lynch
            Last Updated By:
            Peter Lynch
            Votes:
            0
            Watchers:
            4
