How do I enable WWW-Authenticate headers for content 401 responses

Summary

As of Nexus 2.7.1, the 2.x series of Nexus includes a way to configure the HTTP session timeout value (NEXUS-6189). A consequence of this change is that Nexus no longer responds with a WWW-Authenticate header when it returns a 401 status to what looks like a standard web browser User-Agent. In rare cases this may break custom tooling that relied on the old behaviour.

Workarounds

When To Apply The Workarounds

Do not apply these workarounds unless you fully accept the consequences outlined below. The workarounds exist only for extreme cases where there is no other immediate solution.

Sonatype Does Not Recommend Applying These Workarounds

Side effects of disabling browser detection with the property in this article may include:

  • creating more than one session in a web browser for the same user
  • multiple login prompts for the same web browser user
  • inability to share the same HTTP session between content and UI requests to Nexus
  • inability to log out and end all browser-initiated sessions in a real web browser, which could be a security risk in some environments

In short, you will likely introduce session-handling weaknesses in the Nexus UI and create confusion among your Nexus UI users.

Sonatype Recommends Alternatives

Sonatype Support recommends the following alternatives instead of enabling the property in this article:

  • update any custom tool relying on the old behaviour
  • use pre-emptive authentication for REST calls to a secure Nexus https URL
  • use a User-Agent header value that is not formatted like a web browser's
  • use a reverse proxy or Jetty RewriteHandler and HeaderPatternRule to detect specific whitelisted web clients and rewrite the User-Agent header before passing the request through to Nexus, if the request does not already carry an Authorization header. Sonatype Support acknowledges this is technically possible, but we do not offer official support for it.
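The first three alternatives above, as an added example (not Sonatype's or Nexus's code): a small client that sends HTTP Basic credentials pre-emptively on the first request, uses a User-Agent that does not look like a browser, and recognises the 401-without-WWW-Authenticate response this article is about so that a tool can report it instead of hanging on a challenge that never arrives. The host name, path, credentials and tool name are constructed placeholders.

```python
"""Pre-emptive HTTP Basic authentication for a Nexus REST call.

Added example, not Sonatype code. Instead of waiting for a 401 challenge
that may arrive without WWW-Authenticate, the client sends Authorization on
the first request and identifies itself with a non-browser User-Agent.
"""
import base64
import http.client
from urllib.parse import urlsplit

TOOL_USER_AGENT = "example-deploy-tool/1.0"   # constructed non-browser UA


def basic_auth_header(username, password):
    """HTTP Basic credentials: 'Basic ' + base64(username ':' password)."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def request_headers(username, password, user_agent=TOOL_USER_AGENT):
    """Headers for a pre-emptively authenticated, non-browser request."""
    return {
        "Authorization": basic_auth_header(username, password),
        "User-Agent": user_agent,
        "Accept": "application/json",
    }


def is_unanswered_challenge(status, headers):
    """True when a 401 came back without WWW-Authenticate, the case described
    in this article, which breaks clients that wait for the challenge."""
    names = {name.lower() for name in headers}
    return status == 401 and "www-authenticate" not in names


def fetch(url, username, password, timeout=10):
    """GET url with pre-emptive Basic auth; returns (status, headers, body)."""
    parts = urlsplit(url)
    conn_cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(parts.hostname, parts.port, timeout=timeout)
    try:
        conn.request("GET", parts.path or "/", headers=request_headers(username, password))
        resp = conn.getresponse()
        return resp.status, dict(resp.getheaders()), resp.read()
    finally:
        conn.close()


if __name__ == "__main__":
    # Placeholder URL and credentials: replace with your Nexus instance.
    status, headers, _ = fetch("https://nexus.example.invalid/nexus/service/local/status", "user", "pass")
    if is_unanswered_challenge(status, headers):
        print("401 without WWW-Authenticate: credentials rejected and no challenge offered")
    else:
        print(status, headers.get("WWW-Authenticate"))
```

Because the credentials are sent up front, the client never depends on the server's 401 behaviour, and the distinctive User-Agent keeps the request clear of browser detection even if pre-emptive auth is ever dropped.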

Workaround Option #1: Add User-Agent Exclusions to Browser Detection (Nexus 2.10+)

In cases where specific User-Agent values are well known and unchanging, a Nexus administrator can exclude user agent values from the Nexus browser detection for 401 responses.

How To Force Nexus to Respond With WWW-Authenticate headers For Specific User Agents

A property can be set that excludes specific User-Agent values from browser detection when determining whether to respond with WWW-Authenticate headers for 401 responses.

A Nexus administrator can list one or more specific user agent strings in $NEXUS_HOME/conf/nexus.properties using the property nexus.browserdetector.excludedUserAgents (a \n-delimited value). These user agents are skipped by browser detection and are therefore treated as non-browser user agents.

Here's an example that specifies multiple UAs in nexus.properties (the trailing \ is not required, but allows you to specify one per line in the file, for readability):

# Do not suppress WWW-Authenticate headers on 401 responses for these specific user agents
# See NEXUS-6786
nexus.browserdetector.excludedUserAgents=UserAgentString1\n\
UserAgentString2

To test this with your browser, note your browser's User-Agent string and set it as the value of this property. Then restart Nexus to pick up the change.

Make sure your browser is logged out, and issue an HTTP GET for http://localhost:8081/nexus/service/local. You should get a 401 response with a WWW-Authenticate header, causing the browser to show a Basic authentication dialog.

Workaround Option #2: Disable All User Agent Browser Detection (Nexus 2.7.1+)

A property can be set that completely disables browser detection when determining whether to respond with WWW-Authenticate headers for 401 responses.

How To Force Nexus to Respond With WWW-Authenticate headers For All 401 Responses

This property applies when requesting artifacts from Nexus using User-Agent headers which look like they are from standard web browsers.

To disable the browser detection in Nexus 2.7.1 and greater:

Edit ${NEXUS_HOME}/conf/nexus.properties and add:

# Do not suppress WWW-Authenticate headers on 401 responses for web browser user agents
# See NEXUS-6189
nexus.browserdetector.disable=true

Then restart Nexus to pick up the changes.
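How the two properties from Option #1 and Option #2 interact with an incoming User-Agent, as an added model (not Nexus source code). It parses nexus.properties fragments the way Java's .properties format does (a trailing backslash continues the line, \n inside a value is a newline escape) and then decides whether a 401 for a given User-Agent would carry WWW-Authenticate. The looks_like_browser() heuristic and the exact-string matching of excluded user agents are assumptions standing in for the real Nexus detector, which is not described on this page; the property fragments and user agent strings are constructed.

```python
"""Model of the two nexus.properties settings described in this article.

Added example, not Nexus code. looks_like_browser() is a stand-in
assumption for Nexus's browser detection; the two property names and the
\\n-delimited value format come from the article.
"""

EXCLUDED_KEY = "nexus.browserdetector.excludedUserAgents"
DISABLE_KEY = "nexus.browserdetector.disable"

_ESCAPES = {"n": "\n", "t": "\t", "r": "\r", "f": "\f"}


def _unescape(value):
    """Decode .properties backslash escapes (\\n, \\t, \\\\, \\<space>, ...)."""
    out, i = [], 0
    while i < len(value):
        ch = value[i]
        if ch == "\\" and i + 1 < len(value):
            out.append(_ESCAPES.get(value[i + 1], value[i + 1]))
            i += 2
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def _store(props, logical_line):
    key, _, value = logical_line.partition("=")
    props[key.strip()] = _unescape(value.lstrip())


def parse_properties(text):
    """Minimal Java .properties reader: comments, '=' separator, line continuation."""
    props, pending = {}, None
    for raw in text.splitlines():
        line = raw.lstrip()              # leading whitespace is ignored on every line
        if pending is not None:
            line = pending + line        # continuation of the previous logical line
            pending = None
        elif not line or line[0] in "#!":
            continue
        trailing = len(line) - len(line.rstrip("\\"))
        if trailing % 2 == 1:            # odd number of trailing backslashes: continued
            pending = line[:-1]
            continue
        _store(props, line)
    if pending is not None:              # file ended inside a continuation
        _store(props, pending)
    return props


def excluded_user_agents(props):
    """Option #1: the \\n-delimited list, with empty entries dropped."""
    return [ua for ua in props.get(EXCLUDED_KEY, "").split("\n") if ua]


def looks_like_browser(user_agent):
    """ASSUMPTION: stand-in heuristic, not the detector Nexus actually uses."""
    return user_agent.startswith("Mozilla/")


def sends_www_authenticate(props, user_agent):
    """Would a 401 for this User-Agent carry WWW-Authenticate under these settings?"""
    if props.get(DISABLE_KEY, "false").strip().lower() == "true":
        return True                      # Option #2: detection switched off entirely
    if user_agent in excluded_user_agents(props):
        return True                      # Option #1: exact match (assumed) skips detection
    return not looks_like_browser(user_agent)


# Constructed fragments in the form the article shows.
OPTION1_PROPERTIES = r"""
# Do not suppress WWW-Authenticate headers on 401 responses for these specific user agents
nexus.browserdetector.excludedUserAgents=Mozilla/5.0 (X11; Linux x86_64) ExampleTool/1.0\n\
Mozilla/5.0 (Windows NT 10.0) ExampleTool/2.0
"""

OPTION2_PROPERTIES = r"""
# Do not suppress WWW-Authenticate headers on 401 responses for web browser user agents
nexus.browserdetector.disable=true
"""


if __name__ == "__main__":
    props = parse_properties(OPTION1_PROPERTIES)
    probes = excluded_user_agents(props) + ["Mozilla/5.0 (Macintosh) Firefox/20.0", "Apache-Maven/3.0"]
    for ua in probes:
        print(f"{str(sends_www_authenticate(props, ua)):5} {ua}")
```

One pitfall the parser makes visible: if the second user agent is written on the same physical line as the first, as in `UserAgentString1\n\ UserAgentString2`, the `\ ` sequence is itself a .properties escape for a literal space, so the stored second value begins with a space and an exact-match exclusion will not fire. Putting each value on its own line after the trailing `\`, as the article's example does, avoids this.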
