Skip to main content

How to disable authentication dialogs for sensitive operations performed by RUT authenticated users

Peter
Updated

Visit my.sonatype.com for documentation on Nexus Repository version 2.

This article applies to Nexus Repository 2 only. Nexus Repository 3 has a different solution.

Problem

By default, Nexus Repository 2 re-prompts a RUT-authenticated user for their credentials before allowing certain sensitive operations to proceed. Sensitive operations include:

  • viewing a user token from their profile
  • downloading a generated support zip

Re-prompting is an additional security measure to protect against malicious access to an already established authentication session.

In the case where Nexus Repository 2 is configured using RUT Authentication, advanced security measures are implicitly already in place at the network level by a systems administrator. Authentication is taking place outside of Nexus Repository 2, so re-prompting for authentication inside the user interface may not be a valid use case. End users may not even be provided with credentials in the first place, so have no way to provide them if asked.

In this scenario, a Nexus Repository administrator wants a way to disable re-prompting for credentials.

Solution

Prerequisites

In order for authentication re-prompts to be disabled by a Nexus Repository 2 administrator implementing RUT auth, the RUT user accessing Nexus Repository 2 must:

  • be authenticated using RUT auth realm
  • be authorized using an account in the LDAP server(s) registered inside Nexus Repository ( XML/Default realm user accounts are not applicable )

Disabling authentication re-prompt viewing User Profile User token ( as of version 2.14.0 ):

  1. Edit <install-dir>/conf/nexus.properties. Add a property on a new line:
    nexus.userToken.noPopUps=true
  2. Restart Nexus Repository for the property to take effect.
  3. Ask end users to clear their browser cache and restart their web browser.

Disabling authentication re-prompt when downloading a generated support zip ( as of version 2.14.4 ):

  1. Edit <install-dir>/conf/nexus.properties. Add a property on a new line:
    nexus.download.noPopUps=true
  2. Restart Nexus Repository for the property to take effect.
  3. Ask end users to clear their browser cache and restart their web browser.

Related articles