403 when trying to post Java packages via REST API


#1

Hello! I’ve updated Nexus to version 3.17.0 and also have a PowerShell script that communicates via the Nexus API and uploads Java packages to a repository. In the near future we are planning to migrate our Java packages to Nexus.
This script worked fine until the latest update, and now when I try to use it I get this error:
Response: [403] (no entity/body); mapped from: org.apache.shiro.authz.UnauthorizedException: Anti cross-site request forgery token mismatch

Password is correct (triple-checked that)
Using version 6.0 of PowerShell
Error message from server log: 2019-06-28 09:12:57,694+0000 WARN [qtp805360496-2091] ado org.sonatype.nexus.siesta.internal.AuthorizationExceptionMapper - (ID 25c2f7c3-d764-41a2-a5b3-042e833e6727) Response: [403] (no entity/body); mapped from: org.apache.shiro.authz.UnauthorizedException: Anti cross-site request forgery token mismatch
Script:

# $Uri and $Credential are not defined in this excerpt; they must be set before the loop runs.
$Pom = (Get-Item -Path "Path\To\Java\Packages*" -Filter *.pom)
Foreach ($File in $Pom) {
    if ((Test-Path ($File.DirectoryName + "\" + $File.BaseName + ".jar")) -and (Test-Path($File.DirectoryName + "\" + $File.BaseName + ".pom")) -and (Test-Path($File.DirectoryName + "\" + $File.BaseName + "-sources" + ".jar" ))) {
        Write-Verbose "Posting pom + jar + sources"  -Verbose
        $FormJarPomSources = @{
            'maven2.generate-pom'      = 'false'
            'maven2.asset1'            = Get-Item ($File.DirectoryName + "\" + $file.BaseName + ".pom")
            'maven2.asset1.extension'  = 'pom'
            'maven2.asset2'            = Get-Item ($File.DirectoryName + "\" + $file.BaseName + ".jar")
            'maven2.asset2.extension'  = 'jar'
            'maven2.asset3'            = Get-Item ($File.DirectoryName + "\" + $file.BaseName + "-sources" + ".jar") 
            'maven2.asset3.extension'  = 'jar'
            'maven2.asset3.classifier' = 'sources'
        }#FormJarPromSources
        Invoke-WebRequest -Uri $Uri -Method Post -Form $FormJarPomSources -Credential $Credential -Authentication Basic 
    }#if
    elseif ((Test-Path ($File.DirectoryName + "\" + $File.BaseName + ".jar")) -and (Test-Path($File.DirectoryName + "\" + $File.BaseName + ".pom"))) {
        Write-Verbose "Posting pom + jar" -Verbose
        $FormPomJar = @{
            'maven2.generate-pom'     = 'false'
            'maven2.asset1'           = Get-Item ($File.DirectoryName + "\" + $file.BaseName + ".pom")
            'maven2.asset1.extension' = 'pom'
            'maven2.asset2'           = Get-Item ($File.DirectoryName + "\" + $file.BaseName + ".jar")
            'maven2.asset2.extension' = 'jar'
        }#FormPomJar
        Invoke-WebRequest -Uri $Uri -Method Post -Form $FormPomJar -Credential $Credential -Authentication Basic 
    }#Elseif
         
    else {
        Write-Verbose "Posting pom" -Verbose
        $FormPom = @{
            'maven2.generate-pom'     = 'false'
            'maven2.asset1'           = Get-Item ($File.DirectoryName + "\" + $file.BaseName + ".pom")
            'maven2.asset1.extension' = 'pom'
        }#FormPom
        Invoke-WebRequest -Uri $Uri -Method Post -Form $FormPom -Credential $Credential -Authentication Basic
    }#else

}#Foreach

#2

The option from this ticket does the deal:
nexus.security.anticsrftoken.enabled=false
Still, maybe there is a more correct solution for that?


#3

Could you double-check that the server you’re accessing is 3.17, not 3.16.2 or earlier? We included a fix for this issue with PowerShell, so I’m surprised to hear that you’re still experiencing the problem.


#4

Hello mpiggott!
Yes, I’m sure about the 3.17.0-01 version. Screenshots are in the attachment.
But in the ticket you provided, another cmdlet was used: Invoke-WebRequest. (Invoke-WebRequest)
I’m using Invoke-RestMethod instead. (Invoke-RestMethod)

For more info:
Host: CentOS 7.6
Nexus 3.17.0 in docker image.


#5

What does the request.log show for this failed operation?


#6
- ado [28/Jun/2019:09:05:55 +0000] "POST /service/rest/v1/components?repository=maven-releases HTTP/1.0" 403 1474 0 9 "Mozilla/5.0 (Windows NT 10.0; Microsoft Windows 10.0.17763; en-US) PowerShell/6.2.0" [qtp805360496-2072]
- ado [28/Jun/2019:09:05:55 +0000] "POST /service/rest/v1/components?repository=maven-releases HTTP/1.0" 403 1474 0 6 "Mozilla/5.0 (Windows NT 10.0; Microsoft Windows 10.0.17763; en-US) PowerShell/6.2.0" [qtp805360496-2071]
- ado [28/Jun/2019:09:05:56 +0000] "POST /service/rest/v1/components?repository=maven-releases HTTP/1.0" 403 1474 0 4 "Mozilla/5.0 (Windows NT 10.0; Microsoft Windows 10.0.17763; en-US) PowerShell/6.2.0" [qtp805360496-2074]

#7

Thanks, I think the “PowerShell/6.2.0” explains it, we’re currently white listing “WindowsPowerShell”

Try adding this line into $datadir/etc/nexus.properties:

nexus.security.anticsrftoken.whitelist=PowerShell
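
The check described in this post can be run against request.log before changing nexus.properties, so the whitelist is widened only for the clients that are actually rejected instead of turning the anti-CSRF check off. The following is an added example, not part of the original thread or of Nexus itself; the function names are hypothetical, the Windows PowerShell 5.1 User-Agent and the GET line are constructed, and substring matching of whitelist entries is an assumption inferred from this thread.

```python
import re
from collections import Counter

# Layout of the request.log lines quoted in this thread:
#   <user> [<time>] "<METHOD> <path> <proto>" <status> ... "<User-Agent>" [<thread>]
LINE_RE = re.compile(
    r'(?P<user>\S+) \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) .*?"(?P<agent>[^"]*)" \[[^\]]*\]\s*$'
)
WRITE_METHODS = {"POST", "PUT", "DELETE"}

PS6 = ("Mozilla/5.0 (Windows NT 10.0; Microsoft Windows 10.0.17763; en-US) "
       "PowerShell/6.2.0")
# Constructed User-Agent for Windows PowerShell 5.1, for comparison only.
PS5 = "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17763.503"

# Sample input: two lines in the shape of the thread's log, plus a constructed GET.
SAMPLE = [
    f'- ado [28/Jun/2019:09:05:55 +0000] "POST /service/rest/v1/components'
    f'?repository=maven-releases HTTP/1.0" 403 1474 0 9 "{PS6}" [qtp805360496-2072]',
    f'- ado [28/Jun/2019:09:05:56 +0000] "POST /service/rest/v1/components'
    f'?repository=maven-releases HTTP/1.0" 403 1474 0 4 "{PS6}" [qtp805360496-2074]',
    '- ado [28/Jun/2019:09:06:10 +0000] "GET /service/rest/v1/status HTTP/1.0" '
    '200 0 0 3 "curl/7.29.0" [qtp805360496-2075]',
]

def rejected_writes(lines):
    """Count 403 responses to state-changing requests per (user, User-Agent)."""
    hits = Counter()
    for line in lines:
        m = LINE_RE.search(line)
        if m and m["status"] == "403" and m["method"] in WRITE_METHODS:
            hits[(m["user"], m["agent"])] += 1
    return hits

def is_whitelisted(agent, whitelist):
    # Assumption: an entry matches when it occurs anywhere in the User-Agent.
    return any(entry in agent for entry in whitelist)

def uncovered(lines, whitelist):
    """(user, agent, count) for rejected writes that no whitelist entry covers."""
    return [(user, agent, n) for (user, agent), n in rejected_writes(lines).items()
            if not is_whitelisted(agent, whitelist)]

if __name__ == "__main__":
    for wl in (["WindowsPowerShell"], ["PowerShell"]):
        print(wl, uncovered(SAMPLE, wl))
```

A 403 on a write request can also come from missing privileges, so an agent that stays in the output after the whitelist change points at a different cause than the anti-CSRF check.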


#8

Thanks a lot Rich, now everything is OK.

As a suggestion: maybe provide just “PowerShell” in the code? It will be sufficient for WindowsPowerShell and for the newer versions of PowerShell. (After version 6 it became just “PowerShell”.)


#9

Agreed, that was one of the suggestions I made in the issue I opened for this:

Glad to hear this is working for you now.

Regards,

Rich


#10

Hi,
Could you recheck whether the user you are trying to upload from has the correct permissions?
nx-component-upload was one of the permissions/privileges missing for my user.
Thought it might help.

Regards
Karan Kaushik


#11

Hi,
Yes, I’m sure. User ado has the nx-admin privilege.
Still, if the user had permission problems, the solution that Rich provided wouldn’t work, I suppose :slight_smile: