This is an application which when run in conjunction with Sonatype's Nexus artifact server can add token based authentication capabilities. This application does not in ANY way modify or make use of Sonatype's code or call into any of the Nexus libraries except via the publicly exposed servlet endpoints of the Nexus server.

InfoSec812/nexus-token-manager

Nexus Token Auth Manager

Sonatype Nexus is a Java-based artifact repository where developers publish their code artifacts for reuse in other projects. The open source version of that product does this job phenomenally well, with some small exceptions. One of those exceptions is that the open source version does not support token authentication out of the box.

It does, however, have a nod to those who might like to implement this capability themselves. Built into the OSS version is a plugin called the RUT Auth Plugin, a terse name for the "Remote User Token" authentication plugin. This plugin allows an external service, application or proxy to set a header on requests to the Nexus server, and that header specifies the username to be authenticated as. No other information is required. This means that if you enable this plugin and don't put some sort of filter in front of your Nexus server, anyone can get access just by setting that header on their requests.

This application builds on the stand-alone Nexus OSS distribution. That archive includes an installation of Jetty which loads and runs Nexus. This application will ALSO load itself into that same Jetty container and run at a different endpoint (/nexusmanager). In addition, it will load a filter library into the Jetty configuration which prevents externally set REMOTE_USER headers from being accepted. That filter will also check for an attached AUTH_TOKEN header, which is verified against this application's built-in database; depending on the result, the filter sets or unsets the appropriate REMOTE_USER header before the request is passed on to the underlying servlets, allowing or denying access to the Nexus server.
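The essential property of such a filter is that the REMOTE_USER seen by Nexus must come only from the token lookup, never from the client. The servlet filter below is an added illustration written for this README, not the project's own filter library; the header names follow the text above, the in-memory token map is a constructed stand-in for the HSQLDB lookup, and the class and method names are assumptions.

```java
import java.io.IOException;
import java.util.*;
import javax.servlet.*;
import javax.servlet.http.*;

// Illustrative filter (not the project's code). Header names follow the README;
// the token map is a constructed in-memory stand-in for the HSQLDB token table.
public class TokenToRemoteUserFilter implements Filter {
    static final String REMOTE_USER = "REMOTE_USER";
    static final String AUTH_TOKEN = "AUTH_TOKEN";
    private final Map<String, String> tokens = new HashMap<>();
    @Override public void init(FilterConfig cfg) {
        tokens.put("constructed-sample-token", "alice");   // token -> Nexus username
    }
    @Override public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        // The client's own REMOTE_USER is never consulted; the user comes only from the token.
        String token = http.getHeader(AUTH_TOKEN);
        String user = (token == null) ? null : tokens.get(token);
        chain.doFilter(new HeaderRewritingRequest(http, user), res);
    }
    @Override public void destroy() {}

    // Hides inbound REMOTE_USER/AUTH_TOKEN; exposes REMOTE_USER only when the token resolved.
    static final class HeaderRewritingRequest extends HttpServletRequestWrapper {
        private final String user;
        HeaderRewritingRequest(HttpServletRequest r, String user) { super(r); this.user = user; }
        @Override public String getHeader(String name) {
            if (REMOTE_USER.equalsIgnoreCase(name)) return user;   // null means unauthenticated
            if (AUTH_TOKEN.equalsIgnoreCase(name)) return null;    // the token is not forwarded
            return super.getHeader(name);
        }
        @Override public Enumeration<String> getHeaders(String name) {
            if (REMOTE_USER.equalsIgnoreCase(name))
                return Collections.enumeration(user == null
                        ? Collections.<String>emptyList() : Collections.singletonList(user));
            if (AUTH_TOKEN.equalsIgnoreCase(name)) return Collections.emptyEnumeration();
            return super.getHeaders(name);
        }
        @Override public Enumeration<String> getHeaderNames() {
            List<String> names = new ArrayList<>();
            for (Enumeration<String> e = super.getHeaderNames(); e.hasMoreElements();) {
                String n = e.nextElement();
                if (!REMOTE_USER.equalsIgnoreCase(n) && !AUTH_TOKEN.equalsIgnoreCase(n)) names.add(n);
            }
            if (user != null) names.add(REMOTE_USER);
            return Collections.enumeration(names);
        }
    }
}
```

Registered in web.xml ahead of the Nexus servlet, this wrapper guarantees that a request carrying a forged REMOTE_USER but no valid AUTH_TOKEN reaches Nexus with no REMOTE_USER at all.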

Configuration

By default, the application uses a file-based instance of HSQLDB to store token information. Changing the web.xml and including the appropriate JDBC driver will allow you to override that behavior.

To configure where the application looks for a Nexus server to authenticate against, you would also modify some of the initParam values in the application's web.xml file.

The web.xml file can be found at /src/main/webapp/WEB-INF/web.xml
