I need to retrieve dependencies from a secured internal Nexus OSS repository.

I don't need to make any deploy at the moment, only get the dependencies, but I'm having no luck.

This is my build.sbt file:

credentials += Credentials("Sonatype Nexus Repository Manager", "repo.server.com", "admin", "admin123") 

libraryDependencies += "group" % "artifact" % "1.0.0"

The realm is the one returned by Nexus.

This is my ~/.sbt/repositories file:

[repositories]
  local
  releases: https://repo.server.com:8110/nexus/content/repositories/releases/
  ivy-releases: https://repo.server.com:8110/nexus/content/groups/ivy-releases/, [organization]/[module]/(scala_[scalaVersion]/)(sbt_[sbtVersion]/)[revision]/[type]s/[artifact](-[classifier]).[ext]
  custom-public: https://repo.server.com:8110/nexus/content/groups/custom-public

I have three repos:

  1. custom-public is open for the anonymous user. It does not include the releases repo.
  2. ivy-releases: it's a group with Typesafe ivy releases and SBT plugin releases. It is public too, and it's separated from custom-public following the advice in this guide.
  3. releases is restricted to some users.

This is my SBT_OPTS environment variable:

set SBT_OPTS=-Dsbt.override.build.repos=true -Xmx1024M -Xss20m -XX:MaxPermSize=256m -XX:ReservedCodeCacheSize=128m -Dsbt.log.format=true -Djavax.net.ssl.trustStore=~/trust.jks -Djavax.net.ssl.trustStorePassword=passs

SBT finds the public repos without problem. But I could not make it download any dependency from the restricted repo. It gives the following error:

[warn]  module not found: group#artifact;1.0.0
[warn] ==== local: tried
[warn]   C:\Documents and Settings\gferrari\.ivy2\local\group\artifact\1.0.0\ivys\ivy.xml
[warn] ==== releases: tried
[warn]   https://repo.server.com:8110/nexus/content/repositories/releases/group/artifact/1.0.0/artifact-1.0.0.pom
[warn] ==== ivy-releases: tried
[warn]   https://repo.server.com:8110/nexus/content/groups/ivy-releases/group/artifact/1.0.0/ivys/ivy.xml
[warn] ==== custom-public: tried
[warn]   https://repo.server.com:8110/nexus/content/groups/custom-public/group/artifact/1.0.0/artifact-1.0.0.pom

If I try the releases url https://repo.server.com:8110/nexus/content/repositories/releases/group/artifact/1.0.0/artifact-1.0.0.pom in the browser, with the admin user logged in, it shows the pom file correctly.

What options do I have to troubleshoot this problem?

gerferra

1 Answer

It turned out to be an issue with the jsessionid request parameter in the production webserver (Oracle iPlanet).

These are the steps I took to troubleshoot the problem:

  1. I mirrored the server configuration in a local Nexus installation running on Tomcat, which worked OK.
  2. Then I ran the same command (compile) over both installations and compared the Nexus logs (with level DEBUG).
  3. At some point on Tomcat, Nexus reported that no session was found and proceeded to search for user credentials in the HTTP headers. At the same point on iPlanet, Nexus found a valid session of the anonymous user, and never looked at the HTTP headers.
    • This was the reason the user was forbidden to access the artifact. It was mistaken for the anonymous user.
  4. Following this SO answer I've added a filter in the Nexus web.xml to remove any jsessionid parameter using the Tuckey rewrite filter.

After that change, the server stopped creating spurious sessions, and started to correctly locate the user credentials in the HTTP headers.

There should be some iPlanet configuration parameter to change the behaviour regarding the jsessionid parameter. The above steps are just my current solution.

Community
gerferra
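The log comparison from steps 2 and 3 of the answer, as an added example that is not part of the original post: it strips fields that change between runs and reports the first point where a working run and a failing run differ. The log lines are constructed and simplified, not real Nexus output, and the names `normalize` and `first_divergence` are illustrative.

```python
import difflib
import re

# Fields that change between runs without any change in behaviour.
_VOLATILE = [
    (re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}(?:[.,]\d+)?\s+"), ""),  # timestamp
    (re.compile(r"\[[^\]]+\]\s*"), ""),             # thread name in brackets
    (re.compile(r"\b[0-9A-Fa-f]{32}\b"), "<SID>"),  # session identifiers
]

def normalize(line):
    """Reduce a log line to the part that describes behaviour."""
    line = line.strip()
    for pattern, repl in _VOLATILE:
        line = pattern.sub(repl, line)
    return line

def first_divergence(good_log, bad_log):
    """Return (good_lines, bad_lines) at the first difference, or None."""
    good = [normalize(l) for l in good_log.splitlines() if l.strip()]
    bad = [normalize(l) for l in bad_log.splitlines() if l.strip()]
    matcher = difflib.SequenceMatcher(None, good, bad, autojunk=False)
    for tag, g1, g2, b1, b2 in matcher.get_opcodes():
        if tag != "equal":
            return good[g1:g2], bad[b1:b2]
    return None

# Constructed sample logs for the same request on the two installations.
URL = "/nexus/content/repositories/releases/group/artifact/1.0.0/artifact-1.0.0.pom"
TOMCAT_LOG = f"""\
2014-03-10 10:15:01,120 DEBUG [http-8110-1] request GET {URL}
2014-03-10 10:15:01,121 DEBUG [http-8110-1] no session found for request
2014-03-10 10:15:01,122 DEBUG [http-8110-1] looking for credentials in HTTP headers
2014-03-10 10:15:01,130 DEBUG [http-8110-1] authenticated user admin
"""
IPLANET_LOG = f"""\
2014-03-10 10:22:41,502 DEBUG [service-j2ee-3] request GET {URL}
2014-03-10 10:22:41,503 DEBUG [service-j2ee-3] found session 0123456789ABCDEF0123456789ABCDEF for user anonymous
2014-03-10 10:22:41,509 DEBUG [service-j2ee-3] access denied for user anonymous
"""

if __name__ == "__main__":
    good, bad = first_divergence(TOMCAT_LOG, IPLANET_LOG)
    print("working run:", *good, sep="\n  ")
    print("failing run:", *bad, sep="\n  ")
```
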