Custom plugins still possible starting with 3.78?

Dear Sonatype,

a year ago I published an authentication plugin on github which was gratefully picked up by a few companies (I can only tell from what people tell me in issues and mails). With the release of 3.78 you mentioned your switch from karaf to spring in your release notes and said that this would affect custom plugins, for obvious reasons.

I’d like to give some feedback on plugin development before this change and how it looks now. Before 3.78, you used a maven profile provided by sonatype’s parent pom which would bundle everything as kar and then you would drop it in the deploy/ directory where nexus would find and load it. In the plugin code you would use the javax.inject annotations to make nexus find your components and add them to its lifecycle.

The documentation on how to do all of this (especially on interacting with nexus’ own architecture components) was rather poor, but you could get there with some fantasy and by reading in the nexus-public git repo.

Unfortunately, a lot of this sparse documentation is obsolete and there is nothing to replace it, plus, the code in the nexus-public repo hasn’t been updated for more than 1 month, so there is no chance to learn how to make it work starting with 3.78.

I tried some things to make nexus pick up my plugin again, like adding a configuration class with the org.springframework.boot.autoconfigure.AutoConfiguration annotation, adding my packaged jar to the nexus classpath and even manually repackaged it into your new “uber jar” (which would be really complicated for simple users of custom plugins). According to the (debug) logs nexus doesn’t find it in any of these places. Your LicensedApplicationJarFilter seems to be working with a hardcoded allowlist defining what to load.

Maybe I missed something, but to be honest it really shouldn’t be that hard to get a custom plugin deployed. I would have expected you just keep looking at the deploy/ directory and load whatever jar I put there. I would appreciate some help with making this work, because I need that plugin for internal use in our company and my community of users is also hoping to be able to update again soon.

On a side note: Back in April 2024 when I was about to publish my plugin, I was contacting nexus-feedback@sonatype.com, asking about correct licensing etc., trying to make sure I am not violating any rights of yours. Unfortunately, I never received an answer. I am really happy that there is/was the option to develop plugins, as that was the only reason we could stay with nexus as artifact store, because even in the pro version only SAML is supported as SSO authentication. It would be great, in case you continue to allow custom plugins, if you could work out some responsive place to go for the developer community to get started, as such threads don’t seem to receive answers and the responsiveness in nexus-public is really low as well.

As someone loving the open source approach, I think Sonatype can benefit a lot from a healthy plugin ecosystem but it requires a minimum of support to get going and especially during transition phases like the last year (orientdb → h2, osgi → spring) as nexus is a quite complex piece of software and it takes a lot of energy to understand anything in the beginning.

**+ 1**.

I also had to implement our authorization plugin as the available native plugins are very insufficient for our needs. And I have to tell, that compared to the old 2.x versions of Nexus the quality of the adoption of Shiro framework decreased significantly. For example the UI offers adding external realms, forces one to fill the necessary information about the external service, but throws away the fact it is an external account information and creates internal role.

Fortunately I noticed the breaking changes before we went ahead with the update so we are stuck with our Nexus version on 3.77 until more information about deployment is revealed.

Since Sonatype didn’t consider it necessary to answer here, I at least can reveal to you guys watching this:

As of now, there isn’t a straightforward way to load custom plugins in the new architecture.

Source: Sonatype Support

I’d say there’s no such thing as a plugin system anymore and I wouldn’t bet on it to return.

Whaaaaaat? If this is true, then it is probably time to look for other solutions.

Considering 3.77 was the last version, that supported plugins, it would have likely been better if we stayed on NXRM2. The quality of the code in the old version was much better than in the new one. And the old UI was also superior to the one in NX3. I really dislike it always forgets where I was and I have to switch between administration and repository content all the time.

Hi there!

We understand how important customizations are, and the good news is that we’re working on bringing support for them back in future versions of NXRM.

In the meantime, if you’d like more details about the recent changes to OSGi bundle support, you can check out the release notes here:

3.78.0 Release Notes – Breaking Change for Custom Plugins

We also have an updated feature status page with more info on sunsetting of NXRM features:
OSGi Bundle Capability – Feature Status

Thank you, this is a relief.

It is understandable, that updating the documentation takes some time, so no problem with that, but it appeared to go in really bad direction.

@mgarzon : was there any progression in documenting, how to add plugins into Nexus 3 after this breaking change?

I am stuck on the pre-3.78 version. Nexus migration process is failing miserably after a day or two of moving artifacts between the old and new version and with no hope of getting a fixed version of the migration plugin.

Hello,

I’m encountering an issue while attempting to upgrade my customized Sonatype Nexus plugin to release 3.79. The new deployment approach is unclear, and I’m currently blocked on how to properly package and deploy the plugin under the updated system.

To provide some context: I cloned the plugin repository nexus-public/plugins/nexus-example-content at release-3.79.0-09 · sonatype/nexus-public · GitHub (to test what is provied by Sonatype instead of testing directly on my plugin), built it successfully, and attempted to deploy it by copying the generated JAR file into <NEXUS_HOME>/deploy. After restarting the Nexus instance, there were no logs indicating success or failure—even with DEBUG logging enabled. There were no errors or messages suggesting that the plugin was detected or rejected.

Could you please advise if there is a correct procedure for migrating and deploying custom plugins in Nexus 3.79 or 78?
If it is not possible anymore to use a customized plugin in the current release >=78, is there an ETA about supporting back them in the future versions? @mgarzon

Hi @hkhalil In the upcoming versions we will not have support for custom plugins will continue to consider it for future releases.

If you compare the Nexus shell scripts, they no longer process the classpaths, so your files are being ignored. I tried adding classpaths manually, but so far no luck on making them work. If I find a way how to do it, I will let you know. But I am wasting time on this critical feature, that was removed out of blue with no added value for the users.

Right now we can work on the old version, but there may be some vulnerability in Nexus in future, and then it will becomes a big problem.

So a shift from “we’re working on bringing support for them back in future versions of NXRM” to “consider it for future releases”.

I see where this is heading to (community forking Nexus)… Well played.

…or not…

from CE EULA:

…shall not, or permit any third party to (i) access the Product except as permitted herein and in the Documentation, (ii) modify, translate, reverse engineer, decompile, disassemble, create derivative works of or copy the Product or otherwise seek to obtain or use the source code, underlying ideas, algorithms or non-public APIs of the Product…

I guess we should start looking for alternatives

Do you Sonatypers consider any LTS / extended security issue support for the 3.77 series of nexus? Or is it gonna be EOL’d as a “normal” version?
Thanks for the info.

This is very good question. The Springboot uprade sould have been NXRM4 with such a blow to power users.