Details
Description
While running through security, I noticed that if you have just Roles permission, you get a warning that you cannot read privileges. While this is true, it is not necessary to create a role.
Similarly, I think the placement of the warning is confusing. You get the warning before you enter the place where the fact you cannot read potentially matters (drilling down into/creating the role).
Note that the users page has a similar issue when it comes to listing roles; however, that page CANNOT be used without it, so there is no ticket for that.
The combination of the ability for it to be used and the confusing warning is causing me to file.
See attached screen, let me know if unclear.
I had debug off during this test. No errors appeared in the js console. Below appeared in the nexus.log.
I did not check older NX3 or NX2 at this time.
2015-09-17 11:58:47,887-0400 ERROR [pool-6-thread-10] joedragons org.sonatype.nexus.extdirect.internal.ExtDirectServlet - Failed to invoke action method: coreui_Privilege.read, java-method: org.sonatype.nexus.coreui.PrivilegeComponent.read
org.apache.shiro.authz.AuthorizationException: User is not permitted: nexus:privileges:read
at org.sonatype.nexus.security.authz.ExceptionCatchingModularRealmAuthorizer.checkPermission(ExceptionCatchingModularRealmAuthorizer.java:66) [na:na]
at org.apache.shiro.mgt.AuthorizingSecurityManager.checkPermission(AuthorizingSecurityManager.java:137) [na:na]
at org.apache.shiro.subject.support.DelegatingSubject.checkPermission(DelegatingSubject.java:205) [org.apache.shiro.core:1.2.4]
at org.apache.shiro.authz.aop.PermissionAnnotationHandler.assertAuthorized(PermissionAnnotationHandler.java:74) [na:na]
at org.apache.shiro.authz.aop.AuthorizingAnnotationMethodInterceptor.assertAuthorized(AuthorizingAnnotationMethodInterceptor.java:84) [na:na]
at org.apache.shiro.authz.aop.AuthorizingAnnotationMethodInterceptor.invoke(AuthorizingAnnotationMethodInterceptor.java:67) [na:na]
at org.apache.shiro.guice.aop.AopAllianceMethodInterceptorAdapter.invoke(AopAllianceMethodInterceptorAdapter.java:36) [na:na]
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [na:1.8.0_40]
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) [na:1.8.0_40]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [na:1.8.0_40]
at java.lang.reflect.Method.invoke(Method.java:497) [na:1.8.0_40]
at com.softwarementors.extjs.djn.router.dispatcher.DispatcherBase.invokeJavaMethod(DispatcherBase.java:142) [org.sonatype.nexus.plugins.nexus-extdirect-plugin:3.0.0.SNAPSHOT]
at com.softwarementors.extjs.djn.router.dispatcher.DispatcherBase.invokeMethod(DispatcherBase.java:133) [org.sonatype.nexus.plugins.nexus-extdirect-plugin:3.0.0.SNAPSHOT]
at org.sonatype.nexus.extdirect.internal.ExtDirectServlet$3.invokeMethod(ExtDirectServlet.java:201) [org.sonatype.nexus.plugins.nexus-extdirect-plugin:3.0.0.SNAPSHOT]
at com.softwarementors.extjs.djn.router.dispatcher.DispatcherBase.dispatch(DispatcherBase.java:63) [org.sonatype.nexus.plugins.nexus-extdirect-plugin:3.0.0.SNAPSHOT]
at com.softwarementors.extjs.djn.router.processor.standard.StandardRequestProcessorBase.dispatchStandardMethod(StandardRequestProcessorBase.java:73) [org.sonatype.nexus.plugins.nexus-extdirect-plugin:3.0.0.SNAPSHOT]
at com.softwarementors.extjs.djn.router.processor.standard.json.JsonRequestProcessor.processIndividualRequest(JsonRequestProcessor.java:502) [org.sonatype.nexus.plugins.nexus-extdirect-plugin:3.0.0.SNAPSHOT]
at com.softwarementors.extjs.djn.router.processor.standard.json.DefaultJsonRequestProcessorThread.processRequest(DefaultJsonRequestProcessorThread.java:72) [org.sonatype.nexus.plugins.nexus-extdirect-plugin:3.0.0.SNAPSHOT]
at com.softwarementors.extjs.djn.servlet.ssm.SsmJsonRequestProcessorThread.processRequest(SsmJsonRequestProcessorThread.java:43) [org.sonatype.nexus.plugins.nexus-extdirect-plugin:3.0.0.SNAPSHOT]
at org.sonatype.nexus.extdirect.internal.ExtDirectJsonRequestProcessorThread.access$1(ExtDirectJsonRequestProcessorThread.java:1) [org.sonatype.nexus.plugins.nexus-extdirect-plugin:3.0.0.SNAPSHOT]
at org.sonatype.nexus.extdirect.internal.ExtDirectJsonRequestProcessorThread$1.call(ExtDirectJsonRequestProcessorThread.java:59) [org.sonatype.nexus.plugins.nexus-extdirect-plugin:3.0.0.SNAPSHOT]
at org.sonatype.nexus.extdirect.internal.ExtDirectJsonRequestProcessorThread$1.call(ExtDirectJsonRequestProcessorThread.java:1) [org.sonatype.nexus.plugins.nexus-extdirect-plugin:3.0.0.SNAPSHOT]
at com.google.inject.servlet.GuiceFilter$Context.call(GuiceFilter.java:203) [com.google.inject:4.0.0]
at com.google.inject.servlet.ServletScopes$3.call(ServletScopes.java:232) [com.google.inject:4.0.0]
at org.sonatype.nexus.extdirect.internal.ExtDirectJsonRequestProcessorThread.processRequest(ExtDirectJsonRequestProcessorThread.java:73) [org.sonatype.nexus.plugins.nexus-extdirect-plugin:3.0.0.SNAPSHOT]
at com.softwarementors.extjs.djn.router.processor.standard.json.DefaultJsonRequestProcessorThread.call(DefaultJsonRequestProcessorThread.java:56) [org.sonatype.nexus.plugins.nexus-extdirect-plugin:3.0.0.SNAPSHOT]
at com.softwarementors.extjs.djn.router.processor.standard.json.DefaultJsonRequestProcessorThread.call(DefaultJsonRequestProcessorThread.java:30) [org.sonatype.nexus.plugins.nexus-extdirect-plugin:3.0.0.SNAPSHOT]
at java.util.concurrent.FutureTask.run(FutureTask.java:266) [na:1.8.0_40]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [na:1.8.0_40]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [na:1.8.0_40]
at java.lang.Thread.run(Thread.java:745) [na:1.8.0_40]
Caused by: org.apache.shiro.authz.AuthorizationException: Not authorized to invoke method: public java.util.List org.sonatype.nexus.coreui.PrivilegeComponent.read()
at org.apache.shiro.authz.aop.AuthorizingAnnotationMethodInterceptor.assertAuthorized(AuthorizingAnnotationMethodInterceptor.java:90) [na:na]
... 26 common frames omitted
Attachments
Issue Links
- discovered while testing: NEXUS-9121 Update security entity bits to use common entity support bits (Closed)