Nexus 2.7.0 Released


Rich Seddon

Sonatype is pleased to announce the release of Nexus 2.7.0, a major release including new features, bug fixes, and performance improvements.

Nexus 2.7.0 is available for download here.

See below for the full release notes (these cover both pro and oss versions), and be sure to check the Upgrade and Compatibility Notes before installing this release.


Rich Seddon


Sonatype Nexus 2.7.0

These release notes are a compilation of new features and significant bug fixes for Sonatype Nexus 2.7.0.

See here for a full list of all issues fixed in the 2.7.0 release.

New and Noteworthy

All Shipping Plugins are Installed by Default

Previous versions of Nexus Professional shipped with some plugins which were not installed by default. These were located in "$NEXUS_HOME/nexus/WEB-INF/optional-plugins", and installation required manually copying these over to the main plugin repository and restarting the server.  In Nexus 2.7, all plugins are installed by default.  The following plugins are affected:

* Note: The Unpack Plugin creates a special "content-compressed" REST endpoint which can be used to deploy zip files to a repository.  The URL looks like this: http://localhost:8081/nexus/service/local/repositories/releases/content-compressed. The files in the zip will be unpacked and deployed individually to the repository.

New Atlassian Crowd Plugin

We have completely rewritten the Atlassian Crowd Nexus plugin. It performs better, is more reliable and depends on current Crowd REST APIs under the hood. Upgrades of your previous Crowd configuration should be handled seamlessly.

The plugin is already installed by default and configuration can be accessed via Security -> Crowd in the sidebar. Refer to the Sonatype Nexus Book Crowd Chapter for more information.

The plugin has been primarily tested with Crowd 2.5.5 and 2.6.5 at shipping time. Although the Crowd REST API used should work with Crowd versions as old as 2.1, users are encouraged to use this plugin with at least the tested versions of Crowd or newer. In particular, Atlassian Crowd releases earlier than 2.5.5 are known to have severe security vulnerabilities.

If you use an https URL to access your Crowd server, you can now configure an SSL: Crowd Capability to explicitly manage the trust of the SSL certificate.

New Support Tools

The old automatic problem reporting feature under "help/report problem" has been replaced with a new set of support tools.

Nexus now has a System Information report to show detailed information about the configuration and runtime environment of the Nexus instance.

A new option to generate a Support ZIP which can be sent to Sonatype support has been added.  This ZIP file is not encrypted so users can inspect the contents before providing it to Sonatype via a secure support site ticket at

New Logging UI

The logging UI has been completely rewritten, and now allows for setting log levels for individual Java packages and classes through the UI.  It also has a new "mark" facility which can be used to add markers in the log. These markers help delineate where a problem was reproduced.

Note: The previous System Files feature has been removed and replaced by the new log viewer and Support Zip feature.

Authentication via Remote User HTTP Header

Nexus now supports external pre-authentication of users.  An HTTP header can be configured (such as REMOTE_USER) which contains a user ID which has already been authenticated by the external system. See the book for more information.
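
A header that carries a pre-authenticated user ID is only as trustworthy as the component that sets it, so the authenticating front end has to discard any copy sent by the client before adding its own. The sketch below is an added example, not Sonatype code: it models that step, and the function names and sample request are constructed for illustration (only the REMOTE_USER header name comes from these notes).

```python
# Added example: models what the authenticating front end must do before
# forwarding a request to a backend that trusts a pre-authentication header.
# Function names and the sample request are constructed for illustration.


def _canonical(name):
    """Fold case and treat '-' and '_' as equal, because many servers and
    CGI-style gateways map both spellings to the same variable."""
    return name.strip().lower().replace("-", "_")


def forward_headers(client_headers, authenticated_user, trusted_header="REMOTE_USER"):
    """Return the header list to send to the backend.

    client_headers: list of (name, value) pairs as received from the client.
    authenticated_user: user ID established by the front end, or None.
    """
    target = _canonical(trusted_header)
    # Drop every client-supplied copy or spelling variant of the trusted header.
    forwarded = [(n, v) for n, v in client_headers if _canonical(n) != target]
    if authenticated_user is not None:
        # Refuse values that could smuggle an extra header line.
        if "\r" in authenticated_user or "\n" in authenticated_user:
            raise ValueError("user ID contains a line break")
        forwarded.append((trusted_header, authenticated_user))
    return forwarded


def trusted_values(headers, trusted_header="REMOTE_USER"):
    """Values the backend would see for the trusted header."""
    target = _canonical(trusted_header)
    return [v for n, v in headers if _canonical(n) == target]


# Constructed sample: a client that supplies the header itself, in two spellings.
SPOOFED_REQUEST = [
    ("Host", "nexus.example.test"),
    ("Remote-User", "admin"),
    ("remote_user", "admin"),
    ("Accept", "application/json"),
]

if __name__ == "__main__":
    # Authenticated as jdoe: only the front end's value survives.
    print(trusted_values(forward_headers(SPOOFED_REQUEST, "jdoe")))
    # Not authenticated: the backend sees no user ID at all.
    print(trusted_values(forward_headers(SPOOFED_REQUEST, None)))
```

The same rule applies at the network level: the backend should accept connections only from the front end, otherwise the header can be set by anyone who can reach it directly.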

Legacy Startup Scripts Removed

The old startup scripts (located under $NEXUS_HOME/bin/jsw/$ARCH in the installation directory) have finally been removed.  These have been deprecated since Nexus 2.0. Users should use the new startup scripts introduced in Nexus 2.0, located in $NEXUS_HOME/bin (NEXUS-5781). The 'clickable' Windows batch files (*-nexus.bat) have remained, but their only use case is to be 'clicked' to perform a specific named action.

Work Directory is now Locked to Prevent Concurrent Access

The work directory is now locked to prevent simultaneous access by multiple Nexus instances. A sonatype-work/nexus/nexus.lock file is created containing the process id when Nexus is started, and deleted when Nexus is stopped (NEXUS-5306).

No Longer Possible to Disable Security

Previous versions of Nexus had a setting which completely disabled security.  This setting added unnecessary complexity to the system and has been removed.  If someone really wants to run Nexus without security, this can be done by giving the anonymous user the Administrator role.

Custom Metadata is now Enabled/Disabled via Capability

In previous versions of Nexus the Custom Metadata Plugin shipped in "$NEXUS_HOME/nexus/WEB-INF/optional-plugins" because it can add additional overhead to large instances.  It is now shipped in the main plugin repository.  To enable it, go to "administration/capabilities" and add a new capability of type "Custom Metadata". If you were using it previously, you need to explicitly enable it after upgrade to keep using it.  Note that this is a one-time requirement; the setting will persist through future upgrades.

Plexus Components Deprecated

Components in Nexus have been converted to JSR-330 and use of Plexus components has been deprecated.  Warnings will be logged on startup when Plexus components are detected.  Custom plugins should be updated, as support for use of Plexus components will be removed in a future version of Nexus (NEXUS-5755).

Deprecated Legacy API

Many legacy, unused, or soon-to-be-removed APIs have been marked as deprecated.  These will be removed in future versions of Nexus.  Custom plugins should be updated to avoid usage of deprecated APIs.

Nexus Staging Maven Plugin Automatic Release

A new parameter has been added to the nexus-staging-maven-plugin, "releaseAfterClose".  When this is set, the plugin will automatically release a staging repository after closing it, provided that all staging rules (including CLM scans) have passed (NEXUS-5906).

Automatic Cleanup of old Build Promotion Repositories

The "Drop Inactive Staging Repositories" task has been enhanced to allow cleanup of build promotion repositories (NXCM-5226).

Enhanced UI for Tables

Most UI tables in Nexus can now support filtering of contents via UI search (NXCM-4490).

Improved Capabilities UI

Numerous improvements have been made to the capabilities UI, including the ability to group capabilities by any column (particularly useful is grouping by "category").  Also, there is a new tabbed interface which cleanly separates Summary, Settings, Status, and About (NEXUS-5940).

Nexus Branding Plugin Improvement

The Nexus Branding Plugin (which allows setting a custom banner in the UI) can now be configured via capabilities UI (NEXUS-5891). To set a custom banner in Nexus 2.7 go to "Administration/Capabilities" and add in a "Branding" capability. Previous custom banners should be detected automatically on upgrade.

Mirrors Tab Removed from Proxy Repositories

The old "mirrors" feature has been removed from proxy repositories and previous settings will be ignored (NEXUS-5789). Proxy repositories that had this configured will now fetch all artifacts, poms, metadata and checksums from the remote proxy directly.

Groovy Integration

Groovy support has been moved into the nexus-groovy-plugin and can now be used to write Nexus plugins in Groovy (NEXUS-5892). An example Nexus plugin written in Groovy is our new Support plugin.

Significant Bug Fixes


  • [NEXUS-4697] - Add password text field
  • [NEXUS-5406] - [capabilities] Dynamic source for selections for combos
  • [NEXUS-5940] - Rewrite Capabilities UI
  • [NEXUS-5941] - Add support for tagging to capabilities
  • [NEXUS-6072] - Failure during capability load prevents the rest of capabilities to be loaded

CLM Integration

  • [NEXUS-6060] - CLM App Management link of profile editor leads to wrong URL
  • [NEXUS-6041] - Impossible to disable CLM from UI
  • [NEXUS-5942] - Make CLM Application ID a droplist which is populated from the CLM server
  • [NEXUS-5946] - Remove CLM config in favor of a capability
  • [NXCM-5402] - Nexus to CLM server https connections should be able to use Nexus SSL truststore

Crowd Integration

  • [NXCM-5432] - modernize Nexus Atlassian Crowd Plugin
  • [NXCM-5443] - Allow crowd plugin to use nexus private truststore for SSL certs
  • [NXCM-5499] - improve crowd configuration contextual help messages
  • [NXCM-5501] - if crowd realm is configured and active, but login does not need it, crowd server is still contacted


  • [NEXUS-5998] - Extremely inefficient mechanism used to retrieve LDAP users for notification
  • [NEXUS-6068] - Nexus problem reporting can reset ldap server bind passwords in memory to ***
  • [NEXUS-6081] - LDAP password are sent in clear text

  • [NEXUS-5870] - Provide a mechanism to allow additional LDAP environment variables to be set.
  • [NEXUS-4062] - Automatically add the LDAP security realm when user saves LDAP settings


  • [NEXUS-6085] - duplicate Nuget Api key buttons possible
  • [NXCM-5423] - Download NuGet Feed task reports success even if it receives an invalid response from remote server
  • [NXCM-5324] - Can't synchronize Nuget feed from if "fetch all versions" is checked.


  • [NEXUS-5930] - Nexus OBR shadow makes Nexus deadlock prone, while reading/writing obr.xml
  • [NEXUS-5995] - P2 repository plugin generates incorrect content.xml data for features
  • [NEXUS-5831] - [p2] serve jarred repository metadata
  • [NXCM-5431] - investigate httpclient 3.1 use in nexus-p2-bridge-plugin


  • [NEXUS-4945] - Concurrent modification exception in procurement
  • [NXCM-4752] - Artifact Procurement allows you to create repository cycles, results in stack overflow.
  • [NXCM-5409] - Newly deployed artifacts can be blocked from procurement by automatic routing
  • [NXCM-5515] - Procurement repository download fails if user does not have read privileges to source repo


  • [NEXUS-4997] - SMTP config panel uses "SSL" and "TLS" incorrectly
  • [NEXUS-2911] - Authentication error shows up as "400 bad request" during smtp validation.
  • [NEXUS-5808] - no indication at default log levels that email server configuration is broken


  • [NEXUS-5772] - File content validation broken on newer versions of Linux
  • [NEXUS-5789] - Remove proxy repository Mirrors feature
  • [NEXUS-5790] - Download speeds reduced in recent Nexus versions
  • [NEXUS-5811] - Browse remote storage incorrectly handles forced remote base url , preventing remote browse UI tree from expanding
  • [NEXUS-5838] - Repositories -> Browse Remote uses wrong URL on remote and gets HTTP/404
  • [NEXUS-5877] - Repository pop up in list has duplicate entries
  • [NEXUS-5944] - Repository is auto-blocked if "allow file browsing" is disabled on remote
  • [NEXUS-4207] - make default value of Publish URL "True" when creating a group repository
  • [NEXUS-4292] - Download button's URL should be copy-able (into mails, jira comments, ...)
  • [NEXUS-4737] - Add extra columns to the repository targets view

  • [NEXUS-5898] - Make connection request retry attempts work for connection reset exceptions
  • [NXCM-5422] - Nexus Archive Browser Plugin does not work with .bar files
  • [NXCM-4490] - Make repositories grid view filterable/searchable


  • [NEXUS-5807] - Automatic routing fails for grails repo
  • [NEXUS-6050] - Automatic routing warnings should include repository ID

Scheduled Tasks

  • [NEXUS-4580] - Empty trash task should allow specifying repositories
  • [NEXUS-5871] - Scheduled task drop down is not sorted
  • [NEXUS-5797] - Scheduled task to remove old unreleased snapshots
  • [NXCM-5226] - Add "include promoted repositories" option to staging repo cleanup task


  • [NEXUS-5798] - Out of service repositories should not be included in search results
  • [NEXUS-5814] - Nexus should not stop indexing if it encounters a jar file it cannot parse, but should report the jar location
  • [NEXUS-5817] - indexing operations which require remote repo access do not always respect blocked repo status
  • [NEXUS-5821] - Repositories view right-click menu Repair Index / Update Index items duplicated
  • [NEXUS-5799] - IndexCreators aren't ordered according to dependencies
  • [NEXUS-5909] - Move nexus-custom-metadata-plugin out of _optional-plugins_ to default installed plugins


  • [NEXUS-4219] - nexus is silent when it does not have permissions to update security.xml
  • [NEXUS-5826] - Sort the repository drop down list in "add/repository target privilege" alphabetically (without separating group repos)
  • [NEXUS-3119] - Show status (active/disabled) of user in the list of users (in the Users panel)
  • [NEXUS-5490] - Add support for REMOTE_USER header
  • [NEXUS-5899] - Remove ability to disable security
  • [NXCM-4543] - Usertoken nameCode is leaking out into the UI

  • [NXCM-5233] - Introduce property to enable/disable session timeout from UI

Smart Proxy

  • [NEXUS-6069] - Smart Proxy: Connector capability cannot be created/updated if "Advertise" is not checked
  • [NXCM-4759] - Remove groovy, replace with javascript optional broker configuration


  • [NEXUS-5974] - Staging operation on multiple repositories does not abort properly on failure
  • [NEXUS-6078] - race: DefaultFSLocalRepositoryStorage.getBaseDir Could not create baseDir during staging repository creation
  • [NEXUS-5906] - Add "releaseAfterClose" option to the nexus-staging-maven-plugin
  • [NXCM-3969] - Closing a staging repo fails when its repo group is missing with Server ERROR 500
  • [NEXUS-6051] - Poor error handling in staging.xml validation
  • [NXCM-5065] - vague user message on NullPointerException when nexus-staging-maven-plugin missing required parameters

  • [NXCM-5306] - Staging repository dropped from build promotion profile still shows "promoted" as last activity
  • [NXCM-5403] - nexus-staging-maven-plugin does not interact well with maven-site-plugin:attach-descriptor goal

  • [NXCM-5412] - Add an rc-list goal to the nexus-staging-maven-plugin
  • [NXCM-5415] - If staging UI upload fails because a matching profile cannot be found error message is confusing/misleading
  • [NXCM-5427] - add "Demote" activity to staging repository that was demoted from a promotion group repository
  • [NXCM-5516] - Expose timeout configuration on nexus-staging-maven-plugin (and ant tasks)
  • [NXCM-5451] - staging/bundle_upload transitioning conflict during concurrent processing can cause 500 status Staging repository is already transitioning


  • [NEXUS-5405] - Group Yum metadata not regenerated when a member proxy repository metadata changes
  • [NEXUS-5806] - Group level yum metadata is incorrect
  • [NEXUS-5842] - Yum Generate Metadata Task does not expose newly deployed RPMs after first metadata generation
  • [NEXUS-5795] - Cannot browse YUM repodata directory
  • [NEXUS-5820] - If base URL is set, but not forced, yum "xml:base" picks up URL of incoming deploy requests, not the base URL of server
  • [NEXUS-5829] - inconsistency on what type of repository you can run Yum: Generate Metadata against
  • [NEXUS-5955] - Automatic routing interferes with yum repo metadata
  • [NEXUS-5956] - Old yum metadata is never cleaned up from yum proxy repository.
  • [NEXUS-5957] - Yum proxy repository metadata is not refetched if request for it comes through a group repo
  • [NEXUS-6057] - Yum merge metadata capability cause Stack Overflow when repository is put Out of Service
  • [NEXUS-5507] - Yum metadata support for staging repositories.
  • [NEXUS-5794] - Add support for specifying yum groups file


  • [NEXUS-5348] - Purge timeline task should delete old files from 'persist'
  • [NEXUS-5822] - StackOverflowError when launching Nexus 2.6.0-05 on Java 8 b100+
  • [NEXUS-5828] - Nexus 2.6 breaks upgrade from Nexus 1.9.0 and 1.9.1
  • [NEXUS-5963] - System property http.proxyHost incompatible regular expressions, server wide
  • [NEXUS-5999] - PGP key server information configuration on settings page click links to configured URL
  • [NEXUS-5306] - Nexus should lock the work directory to prevent multiple processes using it
  • [NEXUS-5584] - Implement atomic writes for all files in the conf directory.
  • [NEXUS-5755] - Remove use of Plexus components in Nexus
  • [NEXUS-5891] - Make branding plugin configurable via capabilities, remove from "optional" plugins
  • [NEXUS-5781] - remove deprecated platform specific wrapper 'nexus' scripts
  • [NEXUS-5883] - Add order column so that sorting can be restored to default order
  • [NEXUS-5907] - Remove nexus-user-account-plugin (ie. user sign up plugin)
  • [NEXUS-5908] - Move nexus-unpack-plugin out of _optional-plugins_ to default installed plugins
  • [NEXUS-5981] - Remove from list of uses SKS Keyservers
  • [NEXUS-5993] - review File.mkdirs() usage, replace with Files.createDirectory(file.toPath()); to not hide IOExceptions
  • [NEXUS-6014] - Nexus should respect X-Forwarded headers by default
  • [NEXUS-6063] - update Nexus and components to use httpclient 4.2.6 to pick up SSL and NTLM related fixes
  • [NEXUS-5892] - Add groovy provider plugin
  • [NEXUS-5989] - If "application server settings (optional)" is not checked then administration/server page can't be saved.
  • [NXCM-5292] - IE9 binary license file upload fails
  • [NXCM-5404] - outreach bundle content outdated, links don't work, and/or provide duplicate material

  • [NXCM-5439] - installing valid license with later license validity dates than currently installed license does not update Nexus status
  • [NXCM-5518] - PGP server configuration UI is missing