
Securing Repository Credentials with Nexus Pro User Tokens


August 8, 2012 By Tim O'Brien

Until yesterday I had a Maven Settings file in ~/.m2/settings.xml that contained the following XML:

<server>
  <id>central</id>
  <username>tobrien</username>
  <password>ch1c@g0r00lz</password>
</server>

Silly, right? The only way to authenticate against Nexus was to drop my plaintext username and password in my Settings file, for anyone who gained access to my laptop to see. I’ve never been too happy with this approach, and even the built-in support for encryption in Maven didn’t seem like much of an improvement over a plaintext password. The Maven-specific approach to password encryption still has to decrypt the password on the client, so if someone is using password encryption in a Maven Settings file, all you need to do to intercept the password is fire up Wireshark and read what Maven sends over the wire. (Maven’s built-in password encryption isn’t security at all, it’s security theater.)

Nexus Professional 2.1 takes a different approach, an approach that keeps the password encrypted in transit and which shifts the responsibility to the repository manager.

With Nexus Professional 2.1 we’ve taken one step further toward a more secure approach to distributing credentials – User Tokens. You can think of a User Token as an SSH key of sorts. When you configure your Maven Settings, you’ll need to supply some credentials (preferably not your plaintext username and password). With Nexus Professional, all you need to do is:

  1. Log into Nexus with your user credentials.
  2. Open up your profile.
  3. Select User Token from the profile settings dropdown.
  4. Press Access User Token.

At this point, Nexus Professional will ask you for your username and password again just to make certain that you are who you say you are, and it will present you with a User Token that looks like this:

<server>
  <id>${server}</id>
  <username>jBVaDogW</username>
  <password>o3TsgGP+EkF1eEayn/+M2Vk9kwS8ieajAjXwoCLb2HCw</password>
</server>

But, wait, how is this more secure? First, an attacker could still grab your user token and deploy to Nexus, but the damage would be limited to deployment and download. User Tokens are more secure because they are limited: you won’t use a User Token to log in to the UI and make changes to Nexus, and if your User Tokens happen to be compromised, you can reset them. Lastly, your plaintext password is never transferred over the wire.
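As an added example (not part of the original post), the following script audits the `<server>` entries in a settings.xml and reports which of the three credential styles discussed above each one uses. The sample settings are constructed here, and the user-token heuristic (8-character alphanumeric username plus a long base64-looking password) is an assumption drawn from the shape of the token shown above, not a documented Nexus format.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample settings.xml mixing the three credential styles the post
# discusses: plaintext password, Maven-encrypted password, and a user token.
SAMPLE_SETTINGS = """<settings>
  <servers>
    <server>
      <id>central</id>
      <username>tobrien</username>
      <password>ch1c@g0r00lz</password>
    </server>
    <server>
      <id>releases</id>
      <username>tobrien</username>
      <password>{COQLCE6DU6GtcS5P=}</password>
    </server>
    <server>
      <id>snapshots</id>
      <username>jBVaDogW</username>
      <password>o3TsgGP+EkF1eEayn/+M2Vk9kwS8ieajAjXwoCLb2HCw</password>
    </server>
  </servers>
</settings>"""

# Assumed token shape, taken from the example in the post: an 8-character
# alphanumeric username and a longer base64-looking password. A hint, not proof.
TOKEN_USER = re.compile(r"^[A-Za-z0-9]{8}$")
TOKEN_PASS = re.compile(r"^[A-Za-z0-9+/]{32,}={0,2}$")

def classify_server(username, password):
    """Return 'token', 'maven-encrypted', or 'plaintext' for one <server>."""
    if password.startswith("{") and password.endswith("}"):
        # Maven's own encryption: the client decrypts it before sending, so the
        # real password still crosses the wire. Flag it separately.
        return "maven-encrypted"
    if TOKEN_USER.match(username) and TOKEN_PASS.match(password):
        return "token"
    return "plaintext"

def audit_settings(xml_text):
    """Map each server id to its credential style; missing fields count as plaintext."""
    root = ET.fromstring(xml_text)
    report = {}
    for server in root.iter("server"):
        sid = server.findtext("id", default="")
        user = server.findtext("username", default="")
        pw = server.findtext("password", default="")
        report[sid] = classify_server(user, pw)
    return report
```

Run it against a real ~/.m2/settings.xml by passing the file contents to `audit_settings`; any entry reported as plaintext or maven-encrypted is a candidate for replacement with a User Token.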

What this change is doing is moving Nexus toward an authentication system on par with the security of a system that relies on public SSH keys (a system such as Github). This is just the first step toward making Nexus authentication more secure, and it’s a big step. If you find this feature useful, please let us know, and we hope you enjoy Nexus Professional 2.1. Download it today.

Nexus 2.1 Now Available, Go Get It


August 7, 2012 By Tim O'Brien

This is a big release. We’re announcing the immediate availability of Nexus 2.1, the first minor version update since the Nexus 2.0 release earlier this year. This simultaneous release of both Nexus Open Source and Nexus Professional caps off months of effort to implement two major features in Nexus Professional:

  • User Tokens – Developers who need to authenticate against a Nexus server can now make use of user tokens. This is a pair of authentication keys which can be used in your settings in lieu of storing a plaintext password. Storing a plaintext password in a build has always been a bad idea, and this new version of Nexus lets you access Nexus securely.
  • Advanced Staging Capabilities – Our Engineering team upgraded one of the most popular features of Nexus, the Staging capability. With this newly improved staging subsystem your staged releases now benefit from a range of advanced features, such as atomic deployments and closer integration with Nexus REST services. This feature is implemented in Nexus Professional as a Maven Staging plugin.

Evaluating Nexus Professional just got a whole lot easier

If you are evaluating Nexus Pro, you’ll benefit from an easy-to-use installer, which was designed to automate the installation, configuration and setup of Nexus on Windows, OSX and Linux. With this new installer, users are able to customize where Nexus will be installed and what port Nexus will be configured to listen on. This installer will even automate the setup and configuration of a set of simple evaluation projects. It has never been easier to get started with your Nexus Professional evaluation. Download a Nexus Professional trial and get started.

Nexus OSS 2.1 – Security and Bug Fixes You Need

Nexus OSS 2.1 has approximately 102 bug fixes – everything from an upgrade to Jetty 8 to security fixes. Nexus OSS 2.1 is faster, more secure, and more stable thanks in large part to our Insight product. Engineering ran the Insight report against our own software and identified some critical security bugs. If you are using a previous version of Nexus 2.0 (or if you are using an earlier version of Nexus 1.x) there is no good reason not to upgrade immediately.

Go download Nexus OSS 2.1 and start your upgrade.

Join Us: Sonatype Meetup in NYC – Wednesday, July 25, 2012


July 12, 2012 By Emily Blades

Sonatype Meetup in NYC

We’re planning a Sonatype Meetup in New York City on Wednesday, July 25 at 6PM. Jason will be giving an informal talk on the next phase of Apache Maven-based development and how Sonatype is tackling all the hard problems in component lifecycle management. After that, he’ll be giving a sneak peek of our product roadmap for both Nexus and Insight. He’ll be hanging out afterwards to talk shop over drinks and appetizers.

We’ve booked a great space at The Eventi Hotel (851 Avenue of the Americas), but space is limited. If you are in the New York area and interested in attending, please register by completing this form and we will save you a space and send you more details. Hope you can make it!

Reserve Your Seat

Learning the Nexus REST API: Read the Docs or Fire Up a Browser


July 11, 2012 By Tim O'Brien

When you use Nexus, it is more than a UI. It is a collection of services available for you to automate. With these services you can integrate Nexus in whatever workflow makes sense for you. As a developer, this is what I look for in a product: something beyond the UI, something I can automate, and, most importantly, something that is documented. In Nexus, we’ve made it easy to start integrating Nexus REST services into your workflow by providing extensive documentation.

Yesterday’s post was all about automating Nexus with REST services, and today’s post is focused on giving you the tools you need to access the hundreds of REST endpoints you have access to with Nexus. If you are trying to automate anything in Nexus, you should know that there are two ways to “read” the Nexus REST API. You can access plugin documentation via the Nexus UI, or you can use a tool like Firebug in Firefox or Chrome’s Developer Tools and inspect the requests generated by the Nexus UI.


Nexus Pro: Automating Staging Workflow with Gradle using the Nexus REST APIs


July 10, 2012 By Tim O'Brien

I recently had a request from a customer for some guidance on how to automate Staging in Nexus Professional from Gradle. Here was his core problem: he had a series of builds that needed to deploy to a staging URL and he was wondering if it was possible to automate the closing of a repository from Gradle. It is. While we’ve made it easy to do this in Maven with the Nexus Maven Plugin we didn’t have the equivalent example in Groovy. This post gives some guidance to anyone who needs to call out to our REST services from Groovy.

As Nexus Professional exposes every feature as a REST endpoint, it is very easy to automate these interactions in just about any language. This sample demonstrates how to incorporate calls to Nexus REST APIs directly from your build. It also provides a model for parsing JSON responses from Nexus and posting JSON requests. If you are interested in more of these examples, please let us know in the comments of this post. (One thing is sure, this particular example could use some improvement, please be harsh.)
