Restricting anonymous user from seeing System Information

Hello

I am operating Nexus Repository Manager. Currently the repositories are configured to be secure. But if someone accesses the UI without logging in, they can click on “Server configuration and Management” and then click on “System Information” under Support. That is an issue since it displays environment variables and some of them carry credentials.

How can I stop an anonymous user from navigating to those pages?

Regards

They should not be exposed by default. Check your anonymous access configuration to see which user is used for anonymous users.

So I just checked. The anonymous user is granted the nx-anonymous role.

The nx-anonymous role is granted the following privileges:

nx-healthcheck-read
nx-repository-view-*-*-browse
nx-repository-view-*-*-read
nx-search-read

Checking locally even navigating directly to the System Information URL.

I’d suggest you might have a session from another tab or some sort of caching or reverse caching proxy issue.

Has the security realm of the anonymous user been changed under “security → anonymous”? It should be the “local authorizing realm”. Also make sure the anonymous user name is set to “anonymous”.

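The checks suggested in the replies above (anonymous user name, realm, and the privileges behind nx-anonymous) can be scripted. This is an added example, not part of the thread and not Sonatype's code; the JSON shapes, the realm id `NexusAuthorizingRealm`, the nested role `team-extra` and the function names are assumptions, and the sample data is constructed.

```python
import json

# Baseline: the four privileges the thread lists for the nx-anonymous role.
BASELINE = {
    "nx-healthcheck-read",
    "nx-repository-view-*-*-browse",
    "nx-repository-view-*-*-read",
    "nx-search-read",
}

# Constructed sample data (assumed shapes, not output from a real server).
ANON_SETTINGS = json.loads(
    '{"enabled": true, "userId": "anonymous", "realmName": "NexusAuthorizingRealm"}')
ROLES = json.loads("""[
  {"id": "nx-anonymous", "privileges": ["nx-healthcheck-read", "nx-search-read"],
   "roles": ["team-extra"]},
  {"id": "team-extra", "privileges": ["nx-repository-view-*-*-read", "nx-all"],
   "roles": []}
]""")

def effective_privileges(role_id, roles_by_id, seen=None):
    """Privileges of a role plus those of every role nested in it (cycle-safe)."""
    seen = set() if seen is None else seen
    if role_id in seen or role_id not in roles_by_id:
        return set()
    seen.add(role_id)
    role = roles_by_id[role_id]
    privs = set(role.get("privileges", []))
    for child in role.get("roles", []):
        privs |= effective_privileges(child, roles_by_id, seen)
    return privs

def audit_anonymous(settings, user_roles, roles,
                    expected_user="anonymous",
                    expected_realm="NexusAuthorizingRealm"):  # assumed realm id
    """Return findings for an anonymous setup that deviates from the baseline."""
    if not settings.get("enabled"):
        return []  # anonymous access is off, nothing to audit
    findings = []
    if settings.get("userId") != expected_user:
        findings.append(f"anonymous userId is {settings.get('userId')!r}")
    if settings.get("realmName") != expected_realm:
        findings.append(f"anonymous realm is {settings.get('realmName')!r}")
    roles_by_id = {r["id"]: r for r in roles}
    for rid in user_roles:
        for priv in sorted(effective_privileges(rid, roles_by_id) - BASELINE):
            findings.append(f"role {rid} grants unexpected privilege {priv}")
    return findings

if __name__ == "__main__":
    for line in audit_anonymous(ANON_SETTINGS, ["nx-anonymous"], ROLES):
        print(line)
```

A clean result here does not rule out the stale-session or caching-proxy causes raised in the thread; those need a check from a fresh browser profile.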