
Archive for August 12th, 2008

Nexus Maven Repository Loves JSecurity

August 12th, 2008 By Jason van Zyl

Sonatype just released Nexus 1.0-beta-5 where the most significant change was the addition of the RBAC and authentication system based on JSecurity. It’s pretty amazing how fast the Nexus team integrated JSecurity. In 4 days we got the first integration done that was working. Yes, 4 days. At the end of our iteration, a week after we started, it was pretty much fully working. After two weeks we were completely done integrating and testing JSecurity.

JSecurity is currently in the Apache Incubator, but that should in no way deter you from using it. The architecture allowed us to override everywhere we found it necessary, and the JSecurity team turned around fixes on almost a daily basis, which is also pretty amazing. We will definitely be integrating JSecurity in the rest of the Sonatype products. I highly recommend JSecurity for your application if you require a complete security solution. Thanks to Les Hazlewood of JSecurity for giving us advice, though it’s so good we probably didn’t need your advice :-)

 

Nexus

Twitter Box

August 12th, 2008 By Jason van Zyl

The time has finally come to twit. Not that anyone would be particularly interested in my brain farts but here you go.

http://twitter.com/jvanzyl

 

Community

1.0 Beta-5 adds role based security to the Nexus Maven Repository Manager

August 12th, 2008 By Brian Fox

We are pleased to announce the Beta-5 release of our Nexus Maven Repository Manager. This release brings the much awaited role based security to the popular tool.

The theory behind the security implementation is simple:

A user has one or more roles.

A role has one or more privileges and/or one or more roles.

A privilege is related to a single REST operation and method like create, update, delete, read (HTTP POST, PUT, DELETE, read respectively).

In addition to this, we have introduced a new concept called Repository Targets. A target is a set of regular expressions to match on a path (exactly how the route rules work now). This allows you to define, for example, a target called Apache Maven which is “org/apache/maven/.*”. You can then add a new privilege that relates to the target and controls the CRUD operations for artifacts matching that path (the privilege can span multiple repos if you want). You could thus delegate all control of org.apache.maven targets to a “Maven” team. In this way, you don’t need to create separate repos for each logical division of your artifacts.

The system ships by default with permissions created for .* in all repos.

With the Repository Targets, you have fine-grained control over every action in the system. For example, you could make a target that includes everything except sources (.(?!-sources).) and assign that to one group while giving yet another group access to everything. This means you can host your public and private artifacts in a single repository without giving up control of your private artifacts.
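The model described above (users, nested roles, privileges bound to a method and a target, targets as path regexes) can be sketched as follows. This is an added Python example, not Nexus or JSecurity code; the users, roles, privileges, repository names and patterns are constructed, and whole-path matching is assumed. It also shows that an "everything except sources" target only excludes anything when its negative lookahead is anchored at the start of the path.

```python
import re

# Constructed sample data: names and patterns are illustrative, not Nexus defaults.
# Target = list of regexes matched against the whole artifact path.
TARGETS = {
    "apache-maven": [r"org/apache/maven/.*"],
    "all": [r".*"],
    "no-sources": [r"(?!.*-sources).*"],         # lookahead anchored at path start
    "no-sources-loose": [r".*(?!-sources).*"],   # unanchored lookahead: excludes nothing
}
# Privilege = (target, repos or None for every repo, allowed CRUD methods).
PRIVILEGES = {
    "maven-crud": ("apache-maven", None, {"create", "read", "update", "delete"}),
    "public-read": ("no-sources", {"releases"}, {"read"}),
    "all-read": ("all", None, {"read"}),
}
# Role = privileges and/or other roles.
ROLES = {
    "maven-team": {"privileges": {"maven-crud"}, "roles": {"reader"}},
    "reader": {"privileges": {"public-read"}, "roles": set()},
    "auditor": {"privileges": {"all-read"}, "roles": set()},
}
USERS = {"alice": {"maven-team"}, "bob": {"reader"}, "carol": {"auditor"}}

def target_matches(target, path):
    """True if any of the target's patterns matches the entire path."""
    return any(re.fullmatch(p, path) for p in TARGETS[target])

def privileges_of(role, seen=None):
    """Expand a role into privilege names, following nested roles; 'seen' stops cycles."""
    seen = set() if seen is None else seen
    if role in seen:
        return set()
    seen.add(role)
    privs = set(ROLES[role]["privileges"])
    for child in ROLES[role]["roles"]:
        privs |= privileges_of(child, seen)
    return privs

def is_allowed(user, method, repo, path):
    """Default deny: allow only if one privilege covers method, repo and path together."""
    for role in USERS.get(user, ()):
        for name in privileges_of(role):
            target, repos, methods = PRIVILEGES[name]
            in_repo = repos is None or repo in repos
            if method in methods and in_repo and target_matches(target, path):
                return True
    return False
```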

The security implementation is built on top of the JSecurity framework, which means alternate realms can be swapped in to allow integration with LDAP and other enterprise security implementations. The JSecurity team was extremely helpful and responsive to any issues during the integration, which was possible in a surprisingly short period of time (~1 week). I highly recommend this framework for anyone needing quick role based security. (FWIW, JSecurity is entering the Apache Incubator.)

In addition to the security implementation, we reworked the ability to host Nexus behind Apache Httpd via Mod_Proxy. We still recommend using Nexus directly to leverage the native performance of Jetty, but realize that httpd is a fact of life in many organizations and strive to make it as painless as possible. You can read details about how to set that up here.

Beta-5 is our last planned stop along the march to 1.0. The 1.0 release will be comprised of various bug fixes and minor tweaks, including easing the upgrade process.

Take a look at the documentation and then grab your copy of Nexus today.

 

Maven, News, Nexus