Tag Archives: security

Nexus 1.5.0 Highlights: Open Sourcing Nexus LDAP Integration

January 27, 2010 By Brian Demers

With the 1.5.0 release of Nexus, Sonatype is opening up the current LDAP features in Pro and making them a part of Nexus Open Source. Starting with this release, Nexus Open Source users will be able to integrate with LDAP, Active Directory, and Atlassian Crowd servers (via LDAP). Nexus is the only repository manager with both Authentication AND Authorization (group / role mapping) via LDAP, and now this integration is free for all to use.

As we transition this feature to Nexus Open Source, we are also announcing a new Nexus Enterprise LDAP plugin that will support more advanced deployment use cases, including support for federated LDAP servers and more intelligent caching of authentication information.

Meet the Nexus Remote Repository Browsing Plugin

January 26, 2010 By Anders Hammar

Having used Nexus since it was a beta release and having also written a Plexus component-style Nexus plugin (the nexus-ldap realm), I was curious about the new Nexus Plugin API introduced in Nexus 1.4.0. To try it out, I asked two of our developers here at Devoteam Sweden to develop the Nexus Remote Repository Browsing Plugin, a Nexus plugin that makes it possible to directly browse the remote Maven repository of a proxy repository within the Nexus UI. The plugin has been contributed to Nexus OSS and will be released as a part of the upcoming 1.5.0 release. In this blog post, I will talk a little bit about the plugin and its use case.

How to Generate PGP Signatures with Maven

January 21, 2010 By Juven Xu

If you use a tool that downloads artifacts from the Central Maven repository, you need to make sure that you are making an effort to validate that these artifacts have a valid PGP signature that can be verified against a public key server. If you don't validate signatures, then you have no guarantee that what you are downloading is the original artifact. One way to verify signatures on artifacts is to use a repository manager like Nexus Professional. In Nexus Professional you can configure the procurement suite to check every downloaded artifact for a valid PGP signature and validate the signature against a public keyserver.

If you are developing software using Maven, you should generate a PGP signature for your releases. Releasing software with valid signatures means that your customers can verify that a software artifact was generated by the original author and that it hasn't been modified by anyone in transit. Most large OSS forges like the Apache Software Foundation require all projects to be released by a release manager whose key has been signed by other members of the organization, and if you want to synchronize your software artifacts to Maven Central you are required to provide PGP signatures.

In this post, I show you how to configure your Maven project to generate a valid signature using GPG. GnuPG (aka GPG) is a freely available implementation of the OpenPGP standard. It's available for both Windows and Unix-like computers. GPG provides you with the capability to generate a signature, manage keys, and verify signatures. In the following sections, I will introduce GPG as well as maven-gpg-plugin, which provides Maven goals to generate signatures for a release.

Three Approaches to User Management in Nexus

January 14, 2010 By Brian Fox

When we first set out to design the external security realm (LDAP, Crowd, etc.) support in Nexus Core, we had one primary concern, and that was to make it easy to integrate with systems having huge numbers of users. Nexus was designed as a tool to support the largest open source communities, with thousands of developers and hundreds of projects, and like most large enterprises, these communities have settled on solutions like LDAP, Active Directory, and Crowd as a way to manage user credentials and permissions. A secondary concern was to support any level of integration with these external security realms, specifically:

  • delegating only authentication to an external server
  • delegating both authentication and authorization to an external server
  • delegating everything but authentication promotion permissions to an external server

These interactions were gleaned from years of experience working with customers at all levels. Some have completely centralized control over passwords and roles. Others have a situation where there's a global repository but the roles don't match reality, or are too hard to get updated. We wanted to create a system that would both integrate with centralized authentication servers and allow for a sensible way to override role assignments directly in Nexus.

Maven Tips and Tricks: Encrypting Passwords

October 13, 2009 By Tim O'Brien

The first time I configured Maven to authenticate against a protected repository manager, I was somewhat disturbed by the presence of unencrypted passwords in my home directory. While many of us have grown accustomed to leaving a few unencrypted passwords here or there in a production system, it just didn't seem appropriate to leave a password for something like a repository manager sitting in a known file location (~/.m2/settings.xml). Luckily, Maven provides a very easy method for encrypting passwords. In this post, I'll walk you through the process.