[NEXUS-8318] BASIC-auth challenge fixes

[jdillon]

https://issues.sonatype.org/browse/NEXUS-8318

[jdillon]

http://bamboo.s/browse/NX3-OSSF123-1 ✅

[kellyrob99]

+1 tested and working for the reported maven deploy issue

[cstamas]

+1

[adreghiciu]

spelling

[jdillon]

do you mean "the the", thats technically not a spelling problem :-P

[adreghiciu]

+1

[cstamas]

Locally tested this, and it does not work for me. Seems the Shiro exception is not let past this point

All I have is a nice stack trace like this one:

2015-03-24 18:34:52,546+0100 WARN  [qtp1462165892-51] *UNKNOWN org.sonatype.nexus.repository.httpbridge.internal.ViewServlet - Service failure
org.apache.shiro.authz.AuthorizationException: User is not permitted: [nexus]:[repository-view]:[maven2]:[maven2-group1]:[read]
    at org.sonatype.nexus.security.authz.ExceptionCatchingModularRealmAuthorizer.checkPermission(ExceptionCatchingModularRealmAuthorizer.java:75) [na:na]
    at org.sonatype.nexus.security.authz.ExceptionCatchingModularRealmAuthorizer.checkPermissions(ExceptionCatchingModularRealmAuthorizer.java:93) [na:na]
    at org.apache.shiro.mgt.AuthorizingSecurityManager.checkPermissions(AuthorizingSecurityManager.java:149) [na:na]
    at org.apache.shiro.subject.support.DelegatingSubject.checkPermissions(DelegatingSubject.java:220) [org.apache.shiro.core:1.2.3]
    at org.sonatype.nexus.security.SecurityHelper.ensurePermitted(SecurityHelper.java:71) [na:na]
    at org.sonatype.nexus.security.SecurityHelper.ensurePermitted(SecurityHelper.java:78) [na:na]
    at org.sonatype.nexus.repository.security.SecurityFacetSupport.ensurePermitted(SecurityFacetSupport.java:63) [na:na]
    at org.sonatype.nexus.repository.security.SecurityHandler.handle(SecurityHandler.java:44) [na:na]
    at org.sonatype.nexus.repository.view.Context.proceed(Context.java:89) [na:na]
    at org.sonatype.nexus.repository.view.handlers.TimingHandler.handle(TimingHandler.java:46) [na:na]
    at org.sonatype.nexus.repository.view.Context.proceed(Context.java:89) [na:na]
    at org.sonatype.nexus.repository.view.Context.start(Context.java:112) [na:na]
    at org.sonatype.nexus.repository.view.Router.dispatch(Router.java:58) [na:na]
    at org.sonatype.nexus.repository.view.ConfigurableViewFacet.dispatch(ConfigurableViewFacet.java:55) [na:na]
    at org.sonatype.nexus.repository.httpbridge.internal.ViewServlet.dispatchAndSend(ViewServlet.java:165) [na:na]
    at org.sonatype.nexus.repository.httpbridge.internal.ViewServlet.doService(ViewServlet.java:152) [na:na]
    at org.sonatype.nexus.repository.httpbridge.internal.ViewServlet.service(ViewServlet.java:112) [na:na]
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) [javax.servlet-api:3.1.0]
...

[cstamas]

Was wrong: the challenge is sent, but the WARN log did confuse me.

[jdillon]

@cstamas I didn't spend time to reduce logging for expected exceptions, we have to generally clean all that up before 3.0 is final, but for now I left it as simple as possible

[jdillon]

@cstamas shiro filters operate around the servlet. And there is specific handling in Shiro (and in my changes) to cope with plain Shiro exception as well as wrapped in ServletException, though ServletException wrapping is actually done by one of the Shiro filters, the propagate if possible will propagate the AuthorizationException as-is since its a RuntimeException derivative.

[jdillon]

replaced by #1135 due to merge/push mess up