- Q. What version of nexus is required to extend security?
- Q. What security library does Nexus use?
- Q. How does Nexus Security Work?
- Q. How can I tell Nexus to use my own JSecurity Realm?
- Q. Can I use more than 1 Authenticating Realm?
- Q. How can I just override the Authenticating realm (and leave authorization to Nexus)?
- Q. I just want to replace Nexus security entirely, how can I do that?
- Q. These FAQ questions are handy, but I just want to see an example
Q. What version of nexus is required to extend security?
A. Nexus 1.1-M1 was the first publicly available dev release that supports extending the JSecurity realms. Nexus 1.1 is the baseline for security expansion.
Nexus 1.2 (1.2.0.3) improves upon this by adding support for:
- Accessing an external user's email address.
- External users can be mapped to Nexus roles directly from the UI.
- External roles can be mapped to a Nexus role.
Q. What security library does Nexus use?
A. We are using a Plexus-based implementation of the JSecurity library.
Q. How does Nexus Security Work?
A. As JSecurity is the base of our security framework, the documentation they have made publicly available applies: JSecurity Documentation
We are using a Plexus-based implementation, which gives us more control over the realm integrations and where they are loaded from. Beyond that, we can use the same realms that are available out of the box from JSecurity; in fact, any realm that implements the org.jsecurity.realm.Realm interface is supported.
Q. How can I tell Nexus to use my own JSecurity Realm?
A. You will need to update the list of realms defined in the nexus.xml file (default shown below):
{code}
<security>
  <realms>
    <realm>XmlAuthenticatingRealm</realm>
    <realm>NexusMethodAuthorizingRealm</realm>
    <realm>NexusTargetAuthorizingRealm</realm>
  </realms>
</security>
{code}
As you can see, there are 3 default realms: the XmlAuthenticatingRealm handles authentication, while the NexusMethodAuthorizingRealm and NexusTargetAuthorizingRealm handle authorizing all requests (and the content of certain responses, e.g. search results, RSS feeds, etc.). You can extend any Realm we use, or insert your own and handle everything from your realm.
Note: We suggest you leave the XmlAuthenticatingRealm in place, so that if your external realm encounters an error or is unavailable you can still administer Nexus with the locally defined users.
Q. Can I use more than 1 Authenticating Realm?
A. Partially. If you have multiple authenticating realms, Nexus iterates over them, in the order listed in nexus.xml, until one of them responds with a valid authentication; a login therefore succeeds as soon as any single realm accepts it. Requiring authentication from more than 1 realm is not currently supported.
Q. How can I just override the Authenticating realm (and leave authorization to Nexus)?
A. In this case, replace the XmlAuthenticatingRealm entry with your Realm class name (or Plexus role-hint). You also need to add a class that implements PlexusUserLocator, which exposes your users to the NexusTargetAuthorizingRealm and NexusMethodAuthorizingRealm so they can be mapped to Nexus roles.
Also, if the email-based password management capabilities no longer apply (because passwords are now managed by your external system), you will want to remove the following privileges from ALL roles in the system:
- User Forgot Password - (create,read)
- User Forgot User Id - (create,read)
- User Reset Password - (delete,read)
- User Change Password - (create,read)
Note: Alternatively, your plugin could hide the Forgot Password links in the UI.
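As an added illustration of this case (example code, not code from the Nexus project or the linked sample), here is an authentication-only realm. It extends JSecurity's AuthenticatingRealm, keeps only hashed credentials, only claims username/password tokens, and fails closed on unknown accounts. The package and class names, the constructed sample user, and the use of the Sha256CredentialsMatcher and Sha256Hash classes as found in JSecurity 0.9 are assumptions of this example. The PlexusUserLocator implementation it must be paired with is not shown, since that interface is not described on this page.

```java
package com.example.nexus.security; // hypothetical package for this added example

import java.util.HashMap;
import java.util.Map;

import org.jsecurity.authc.AuthenticationException;
import org.jsecurity.authc.AuthenticationInfo;
import org.jsecurity.authc.AuthenticationToken;
import org.jsecurity.authc.SimpleAuthenticationInfo;
import org.jsecurity.authc.UnknownAccountException;
import org.jsecurity.authc.UsernamePasswordToken;
import org.jsecurity.authc.credential.Sha256CredentialsMatcher;
import org.jsecurity.crypto.hash.Sha256Hash;
import org.jsecurity.realm.AuthenticatingRealm;

/**
 * Authentication-only realm: it answers "who is this, and do the credentials
 * match" and nothing else. Authorization stays with NexusMethodAuthorizingRealm
 * and NexusTargetAuthorizingRealm, which learn about these users through a
 * PlexusUserLocator (not shown here).
 */
public class ExampleAuthenticatingRealm extends AuthenticatingRealm {

    public static final String NAME = "ExampleAuthenticatingRealm";

    // Constructed sample data: userId -> hex SHA-256 of the password.
    // A real realm would consult LDAP, a database, an SSO token service, etc.
    private final Map<String, String> passwordHashes = new HashMap<String, String>();

    public ExampleAuthenticatingRealm() {
        setName(NAME);
        // Compare hashed credentials, so the realm never holds clear-text passwords.
        setCredentialsMatcher(new Sha256CredentialsMatcher());
        passwordHashes.put("deployer", new Sha256Hash("deployer-secret").toHex());
    }

    @Override
    public boolean supports(AuthenticationToken token) {
        // Only handle username/password logins; other token types are left to other realms.
        return token instanceof UsernamePasswordToken;
    }

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)
            throws AuthenticationException {
        UsernamePasswordToken upToken = (UsernamePasswordToken) token;
        String userId = upToken.getUsername();
        if (userId == null) {
            throw new UnknownAccountException("No user id supplied");
        }
        String storedHash = passwordHashes.get(userId);
        if (storedHash == null) {
            // Fail closed: an unknown account is an authentication failure.
            throw new UnknownAccountException("Unknown user " + userId);
        }
        // Return the stored hash; the Sha256CredentialsMatcher hashes the submitted
        // password and compares it, so this class never compares passwords itself.
        return new SimpleAuthenticationInfo(userId, storedHash, getName());
    }
}
```

Register the class as a Plexus component with role org.jsecurity.realm.Realm, then put its class name (or role-hint) in place of XmlAuthenticatingRealm in nexus.xml. Keeping the XmlAuthenticatingRealm entry as well, as suggested above, gives you a local administrative login if the external user store is down.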
Q. I just want to replace Nexus security entirely, how can i do that?
A. In this case, you will want to replace ALL of the realms that Nexus uses for authentication and authorization. Simply place your Realm (or realms) in the nexus.xml file, and all authentication and authorization requests will then be made to your realm(s). Below is the list of permission strings (which Nexus wraps in WildcardPermission objects) that your realm will need to authorize. Note that as Nexus grows, new permissions will be added, so revisit this list when upgrading:
- "nexus::" Administrator privilege (ALL)
- "nexus:status:read" Give permission to query the nexus server for its status. This privilege is required by the anonymous user so that the UI can retrieve anonymous permissions on startup.
- "nexus:authentication:read" Give permission to allow a user to log in to nexus.
- "nexus:settings:read" Give permission to read the nexus server settings.
- "nexus:settings:update" Give permission to update the nexus server settings.
- "nexus:repositories:create" Give permission to create new repositories.
- "nexus:repositories:read" Give permission to read existing repository configuration.
- "nexus:repositories:update" Give permission to update existing repository configuration.
- "nexus:repositories:delete" Give permission to delete an existing repository.
- "nexus:repotemplates:create" Give permission to create new repository templates. Note that this privilege is not currently invoked by the Nexus UI.
- "nexus:repotemplates:read" Give permission to read existing repository template configuration. This privilege is required to add a new Repository in the UI, as the default values are retrieved from the template on the server.
- "nexus:repotemplates:update" Give permission to update existing repository template configuration. Note that this privilege is not currently invoked by the Nexus UI.
- "nexus:repotemplates:delete" Give permission to delete existing repository templates. Note that this privilege is not currently invoked by the Nexus UI.
- "nexus:repogroups:create" Give permission to create new repository groups.
- "nexus:repogroups:read" Give permission to read existing repository group configuration.
- "nexus:repogroups:update" Give permission to update existing repository group configuration.
- "nexus:repogroups:delete" Give permission to delete existing repository groups.
- "nexus:index:read" Give permission to perform searches of repository content.
- "nexus:index:delete" Give permission to reindex repository content. The extent of this privilege is related to the allowed targets.
- "nexus:identify:read" Give permission to perform checksum-type searches of repository content. The extent of this privilege is related to the allowed targets.
- "nexus:attributes:delete" Give permission to rebuild the attributes of repository content. The extent of this privilege is related to the allowed targets.
- "nexus:cache:delete" Give permission to clear the content of a repository's not-found cache. The extent of this privilege is related to the allowed targets.
- "nexus:routes:create" Give permission to create repository routes.
- "nexus:routes:read" Give permission to read existing repository route configuration.
- "nexus:routes:update" Give permission to update existing repository route configuration.
- "nexus:routes:delete" Give permission to delete existing repository routes.
- "nexus:tasks:create" Give permission to create new scheduled task configuration.
- "nexus:tasks:read" Give permission to read existing scheduled task configuration.
- "nexus:tasks:update" Give permission to update existing scheduled task configuration.
- "nexus:tasks:delete" Give permission to delete existing scheduled tasks.
- "nexus:logs:read" Give permission to retrieve the nexus log files.
- "nexus:configuration:read" Give permission to retrieve the nexus.xml configuration file.
- "nexus:feeds:read" Give permission to view the different RSS feeds. The extent of this privilege is related to the allowed targets.
- "nexus:targets:create" Give permission to create repository targets.
- "nexus:targets:read" Give permission to read existing repository target configuration.
- "nexus:targets:update" Give permission to update existing repository target configuration.
- "nexus:targets:delete" Give permission to delete existing repository targets.
- "nexus:status:update" Give permission to update the status of the nexus server. Note that this privilege is not currently invoked by the Nexus UI.
- "nexus:wastebasket:read" Give permission to read the contents of the nexus trash. Note that this privilege is not currently invoked by the Nexus UI.
- "nexus:wastebasket:delete" Give permission to delete the contents of the nexus trash.
- "nexus:artifact:read" Give permission to download artifacts (using the /artifact service, not the /content URL). The extent of this privilege is related to the allowed targets. Note that this privilege is not currently invoked by the Nexus UI.
- "nexus:repostatus:read" Give permission to retrieve the status of a repository.
- "nexus:repocontentclasses:read" Give permission to retrieve the list of repository content classes supported by nexus.
- "nexus:artifact:create" Give permission to upload artifacts (using the /artifact service, not the /content service). The extent of this privilege is related to the allowed targets.
- "nexus:command:update" Give permission to remotely control the nexus server (start, stop, etc.). Note that this privilege is not currently invoked by the Nexus UI.
- "nexus:repometa:read" Give permission to read the repository metadata. Note that this privilege is not currently invoked by the Nexus UI.
- "nexus:tasksrun:read" Give permission to run existing scheduled tasks manually.
- "nexus:tasktypes:read" Give permission to retrieve the list of supported task types available in nexus.
Along with these static privileges, there are also dynamic privileges that use repository targets to give access to repository contents. The permission string that needs to be authorized is built as follows:
"nexus:target:repoTargetId:repoId:method"
Where repoTargetId is the id of the Repository Target as configured in Nexus, repoId is the repository attached to the target (can be "" for all repos) and method is the read/create/update/delete string (can also be "" for any method).
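As an added example for this case (example code, not part of the Nexus project or the linked sample), here is a realm that takes over both authentication and authorization. It extends JSecurity's AuthorizingRealm and hands back permission strings from the list above for each user; the package and class names, the three constructed sample accounts and their passwords, and the exact JSecurity 0.9 method names (SimpleAuthorizationInfo.addStringPermissions, PrincipalCollection.getPrimaryPrincipal, SimplePrincipalCollection) are assumptions of this example. The main method shows how the dynamic target string is built and how a granted permission with "*" parts is matched against the concrete string Nexus checks.

```java
package com.example.nexus.security; // hypothetical package for this added example

import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

import org.jsecurity.authc.AuthenticationException;
import org.jsecurity.authc.AuthenticationInfo;
import org.jsecurity.authc.AuthenticationToken;
import org.jsecurity.authc.SimpleAuthenticationInfo;
import org.jsecurity.authc.UnknownAccountException;
import org.jsecurity.authc.UsernamePasswordToken;
import org.jsecurity.authz.AuthorizationInfo;
import org.jsecurity.authz.SimpleAuthorizationInfo;
import org.jsecurity.realm.AuthorizingRealm;
import org.jsecurity.subject.PrincipalCollection;
import org.jsecurity.subject.SimplePrincipalCollection;

/**
 * A single realm answering both authentication and authorization, i.e. the
 * "replace Nexus security entirely" case. Granted permissions are the plain
 * strings from the list above; JSecurity resolves them to WildcardPermission
 * objects, so "*" matches any value of that part.
 */
public class ExampleFullRealm extends AuthorizingRealm {

    public static final String NAME = "ExampleFullRealm";

    /** Builds the dynamic content permission "nexus:target:repoTargetId:repoId:method". */
    public static String targetPermission(String repoTargetId, String repoId, String method) {
        return "nexus:target:" + repoTargetId + ":" + repoId + ":" + method;
    }

    // Constructed sample users: userId -> clear-text password (demo only).
    private final Map<String, String> passwords = new HashMap<String, String>();
    // Constructed sample grants: userId -> permission strings.
    private final Map<String, Set<String>> grants = new HashMap<String, Set<String>>();

    public ExampleFullRealm() {
        setName(NAME);
        passwords.put("admin", "admin-secret");
        passwords.put("ci", "ci-secret");

        // Administrator: every permission under the nexus namespace.
        grants.put("admin", new HashSet<String>(Arrays.asList("nexus:*")));
        // CI account: login, the reads the UI needs, and read/deploy on any repository
        // attached to the "releases" target, but no update/delete there.
        grants.put("ci", new HashSet<String>(Arrays.asList(
                "nexus:authentication:read",
                "nexus:status:read",
                "nexus:repositories:read",
                "nexus:index:read",
                targetPermission("releases", "*", "read"),
                targetPermission("releases", "*", "create"))));
        // Anonymous: only what the UI needs at startup plus reading public content.
        grants.put("anonymous", new HashSet<String>(Arrays.asList(
                "nexus:status:read",
                targetPermission("public", "*", "read"))));
    }

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)
            throws AuthenticationException {
        UsernamePasswordToken upToken = (UsernamePasswordToken) token;
        String password = passwords.get(upToken.getUsername());
        if (password == null) {
            throw new UnknownAccountException("Unknown user " + upToken.getUsername());
        }
        // The default SimpleCredentialsMatcher compares submitted and stored credentials.
        return new SimpleAuthenticationInfo(upToken.getUsername(), password, getName());
    }

    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        String userId = (String) principals.getPrimaryPrincipal();
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
        Set<String> permissions = grants.get(userId);
        if (permissions != null) {
            info.addStringPermissions(permissions);
        }
        // An unknown principal gets an empty AuthorizationInfo, so every check is denied.
        return info;
    }

    /** Convenience for checking a permission string for a user id directly. */
    public boolean isPermitted(String userId, String permission) {
        return isPermitted(new SimplePrincipalCollection(userId, getName()), permission);
    }

    public static void main(String[] args) {
        ExampleFullRealm realm = new ExampleFullRealm();
        String deploy = targetPermission("releases", "central", "create");
        String delete = targetPermission("releases", "central", "delete");
        System.out.println("ci deploy:   " + realm.isPermitted("ci", deploy));
        System.out.println("ci delete:   " + realm.isPermitted("ci", delete));
        System.out.println("ci settings: " + realm.isPermitted("ci", "nexus:settings:update"));
        System.out.println("admin any:   " + realm.isPermitted("admin", delete));
        System.out.println("anon status: " + realm.isPermitted("anonymous", "nexus:status:read"));
        System.out.println("anon deploy: " + realm.isPermitted("anonymous", deploy));
    }
}
```

With this realm as the only entry in nexus.xml, the wildcard in the ci account's target grant covers every repository attached to the releases target while the method part stays explicit, so deploying is allowed but deleting is not, and the static "nexus:settings:update" string never appears in its grants, so server settings stay off limits to it.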
Q. These FAQ questions are handy, but I just want to see an example
A. Ok, ok, enough talk, here are the goods: Simple Memory Realm
You can check out the Maven project from the Subversion repository linked above, build it, and start playing around. The example has three realms:
- SimpleRealm: add the Simple realm to your nexus.xml. This realm allows users to be mapped to Nexus roles. See explanation.
{code}
<security>
  <realms>
    <realm>Simple</realm>
    <realm>XmlAuthenticatingRealm</realm>
    <realm>NexusMethodAuthorizingRealm</realm>
    <realm>NexusTargetAuthorizingRealm</realm>
  </realms>
</security>
{code}
- MemoryRealm: you will want to have ONLY that realm defined in your nexus.xml file. (older example)
- MemoryAuthenticationOnlyRealm: you will want to just replace the XmlAuthenticatingRealm with this realm. (older example)
If you have questions, you can join our mailing list or take a look at the archive: Nexus Developers
Enjoy!!