- Q. What version of Nexus is required to extend security?
- Q. What security library does Nexus use?
- Q. How does Nexus Security Work?
- Q. How can I tell Nexus to use my own JSecurity Realm?
- Q. Can I use more than 1 Authenticating Realm?
- Q. How can I just override the Authenticating realm (and leave authorization to Nexus)?
- Q. These FAQ questions are handy, but I just want to see an example
Q. What version of Nexus is required to extend security?
A. Nexus 1.1-M1 was the first publicly available dev release that supports extending the JSecurity realms. Nexus 1.1 is the baseline for security expansion.
Nexus 1.2 (1.2.0.3) improves upon this by adding support for:
- Accessing an external user's email address.
- External users can be mapped to Nexus roles directly from the UI.
- External roles can be mapped to a Nexus role.
Q. What security library does Nexus use?
A. We are using a Plexus implementation of the JSecurity libraries. JSecurity has been moved to Apache Shiro, and we are planning on moving to that in the future (which means anything that extends org.jsecurity will need to be refactored to org.apache).
Q. How does Nexus Security Work?
A. As we are using JSecurity as the base of our security framework, you can refer to the documentation they have made publicly available: JSecurity Documentation
We are using a Plexus-based implementation, which gives us more control over the realm integrations and where they are loaded from. Beyond that, we can use the same realms that are available out of the box from JSecurity. In fact, any realm that implements the org.jsecurity.realm.Realm interface is supported.
Q. How can I tell Nexus to use my own JSecurity Realm?
A. You will need to update the list of realms defined in the security-configuration.xml file (default below):
<?xml version="1.0"?>
<security-configuration>
  <version>2.0.3</version>
  <enabled>true</enabled>
  <anonymousAccessEnabled>true</anonymousAccessEnabled>
  <anonymousUsername>anonymous</anonymousUsername>
  <anonymousPassword>{n82LaatUK/QHQGehaowoiRTBlQRTcc1ZY24vBb+5bLo=}</anonymousPassword>
  <realms>
    <realm>XmlAuthenticatingRealm</realm>
    <realm>XmlAuthorizingRealm</realm>
  </realms>
</security-configuration>
As you can see, we have two default realms: the XmlAuthenticatingRealm handles authentication, and the XmlAuthorizingRealm handles authorizing all requests (and the content of certain responses, e.g. search results, RSS feeds, etc.). You have the ability to extend any realm we use, or insert your own and handle everything from your realm.
Note: We suggest you leave the default realms in place. If your external realm encounters an error or is unavailable, you will still be able to administer Nexus.
Q. Can I use more than 1 Authenticating Realm?
A. Partially. If you have multiple authenticating realms, we will iterate over them until one of them responds with valid authentication. We currently do not allow requiring authentication from more than one realm.
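As an added illustration (not part of the Nexus documentation or code base), the following Python check reads a security-configuration.xml and reports the realm order together with the two consequences described above: local XML accounts still authenticating alongside a custom realm, or no local fallback remaining. The function name `audit`, the finding labels, the constructed sample file, and the reading of `enabled` and `anonymousAccessEnabled` as plain on/off flags are assumptions.

```python
import xml.etree.ElementTree as ET

# Default realm names as given in the FAQ; any other name is assumed to be a custom realm.
DEFAULT_AUTHN = "XmlAuthenticatingRealm"
DEFAULT_AUTHZ = "XmlAuthorizingRealm"

# Constructed sample: the FAQ's default file with the example "Simple" realm listed first.
SAMPLE = """<?xml version="1.0"?>
<security-configuration>
  <version>2.0.3</version>
  <enabled>true</enabled>
  <anonymousAccessEnabled>true</anonymousAccessEnabled>
  <anonymousUsername>anonymous</anonymousUsername>
  <realms>
    <realm>Simple</realm>
    <realm>XmlAuthenticatingRealm</realm>
    <realm>XmlAuthorizingRealm</realm>
  </realms>
</security-configuration>"""


def audit(xml_text):
    """Return the realm order and review findings for a security-configuration.xml."""
    root = ET.fromstring(xml_text)
    if root.tag != "security-configuration":
        raise ValueError("not a security-configuration document")

    def flag(tag):
        # Assumption: the element text "true" (any case) means the flag is on.
        return (root.findtext(tag) or "").strip().lower() == "true"

    realms = [r.text.strip() for r in root.findall("realms/realm") if r.text and r.text.strip()]
    custom = [r for r in realms if r not in (DEFAULT_AUTHN, DEFAULT_AUTHZ)]
    findings = []
    if not flag("enabled"):
        findings.append("security-disabled")
    if flag("anonymousAccessEnabled"):
        findings.append("anonymous-access-enabled")
    if not realms:
        findings.append("no-realms-configured")
    if custom and DEFAULT_AUTHN in realms:
        # Realms are iterated until one accepts, so local XML accounts can still log in.
        findings.append("local-accounts-still-authenticate")
    if custom and DEFAULT_AUTHN not in realms:
        # Without the default realm there is no local login if the custom realm fails.
        findings.append("no-local-fallback")
    return {"realms": realms, "custom": custom, "findings": findings}
```

When `local-accounts-still-authenticate` is reported, the accounts in the local XML realm deserve the same password hygiene and review as the external directory, since either realm can admit a user.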
Q. How can I just override the Authenticating realm (and leave authorization to Nexus)?
A. In this case, you would replace the XmlAuthenticatingRealm with your Realm class name (or Plexus role-hint). You also need to add a class that implements UserManager, which will expose your users to the XmlAuthorizingRealm.
Also, should you no longer need to have the email capabilities (for password management), you will want to remove the following privileges from ALL roles in the system:
- User Forgot Password - (create,read)
- User Forgot User Id - (create,read)
- User Reset Password - (delete,read)
- User Change Password - (create,read)
Note: Alternatively, your plugin could hide the Forgot Password links.
Q. These FAQ questions are handy, but I just want to see an example
A. Ok, ok, enough talk, here are the goods: Simple Memory Realm
You can check out the Maven project from the Subversion repository linked above, build it, and start playing around. The example has three realms:
- SimpleRealm: add the Simple realm to your nexus.xml. This realm allows users to be mapped to Nexus roles. See explanation.
<realms>
  <realm>Simple</realm>
  <realm>XmlAuthenticatingRealm</realm>
  <realm>XmlAuthorizingRealm</realm>
</realms>
- MemoryRealm: you will want to have ONLY that realm defined in your nexus.xml file. (older example)
- MemoryAuthenticationOnlyRealm: you will want to just replace the XmlAuthenticatingRealm with this realm. (older example)
If you have questions, you can join our mailing lists or take a look at the archive: Nexus Developers
Enjoy!!