How to disable authentication dialogs for sensitive operations performed by RUT authenticated users

This article applies to Nexus Repository Manager 2.x only. Nexus Repository Manager 3.x has a different solution.

Problem

By default, Nexus Repository Manager 2.x re-prompts a RUT authenticated user for their credentials before allowing certain sensitive operations to proceed. Sensitive operations include:

  • viewing a user token from their profile
  • downloading a generated support zip

Re-prompting is an additional security measure to protect against malicious access to an already established authentication session.

When Nexus Repository Manager is configured to use RUT authentication, a systems administrator has implicitly already put advanced security measures in place at the network level. Authentication takes place outside of the repository manager, so re-prompting for authentication inside the user interface may not be a valid use case. End users may not even have been given credentials in the first place, so they have no way to provide them if asked.

In this scenario, a Nexus administrator wants a way to disable re-prompting for credentials.

Solution

Prerequisites

In order for authentication re-prompts to be disabled by a Nexus administrator implementing RUT auth, the RUT user accessing Nexus must:

  • be authenticated using the RUT auth realm
  • be authorized using an account in the LDAP server(s) registered inside Nexus (XML/Default realm user accounts are not applicable)

Disabling the authentication re-prompt when viewing a user token from the User Profile (as of version 2.14.0):

  1. Edit <install-dir>/conf/nexus.properties. Add a property on a new line:
    nexus.userToken.noPopUps=true
    
  2. Restart Repository Manager for the property to take effect.
  3. Ask end users to clear their browser cache and restart their web browser.

Disabling the authentication re-prompt when downloading a generated support zip (as of version 2.14.4):

  1. Edit <install-dir>/conf/nexus.properties. Add a property on a new line:
    nexus.downloads.noPopUps=true
    
  2. Restart Repository Manager for the property to take effect.
  3. Ask end users to clear their browser cache and restart their web browser.
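
Because both properties switch off a protection for an established session, it helps to be able to audit which re-prompts a given installation actually suppresses. The script below is an added example, not part of the original article or any Sonatype tooling. It assumes the installed version is passed in by the caller, that a property only takes effect from the version named above, and that the value is not case-sensitive; the function names and the sample file are constructed for illustration.

```shell
# Added example (not Sonatype code): report which re-prompts a Nexus 2.x
# nexus.properties file disables, given the installed version.

# Effective value of key $2 in file $1; the last assignment wins.
# Assumption: the value is lower-cased because case is treated as insignificant.
prop_value() {
    awk -v k="$2" '
        /^[ \t]*[#!]/ { next }                      # comment lines
        {
            line = $0; sub(/^[ \t]+/, "", line)
            n = match(line, /[ \t]*[=:][ \t]*/)     # key/value separator
            if (n > 1 && substr(line, 1, n - 1) == k) {
                v = substr(line, n + RLENGTH); sub(/[ \t\r]+$/, "", v)
            }
        }
        END { print tolower(v) }' "$1"
}

# True when dotted version $1 >= $2 (a "-NN" build suffix is ignored).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, "."); if (m > n) n = m
        for (i = 1; i <= n; i++) {
            if (x[i] + 0 > y[i] + 0) exit 0
            if (x[i] + 0 < y[i] + 0) exit 1
        }
        exit 0 }'
}

# $1=file $2=installed version $3=property $4=first version honouring it
reprompt_state() {
    if [ "$(prop_value "$1" "$3")" = "true" ] && version_ge "$2" "$4"; then
        echo disabled
    else
        echo enabled
    fi
}

audit_reprompts() {   # $1=file $2=installed version
    echo "user-token=$(reprompt_state "$1" "$2" nexus.userToken.noPopUps 2.14.0)"
    echo "support-zip=$(reprompt_state "$1" "$2" nexus.downloads.noPopUps 2.14.4)"
}

# Constructed sample input, audited as if the server were 2.14.2.
sample=$(mktemp)
printf '%s\n' '# constructed sample' 'nexus.userToken.noPopUps=true' \
    ' nexus.downloads.noPopUps = true' > "$sample"
audit_reprompts "$sample" 2.14.2
rm -f "$sample"
```

For the constructed sample, the support zip re-prompt is reported as still enabled because 2.14.2 predates the version that introduced nexus.downloads.noPopUps.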