aboutsummaryrefslogtreecommitdiffstats
path: root/archiva-docs/src/site/apt/adminguide/customising-security.apt
blob: d42c2275c389b957ca4f75fd9e374af92355f216 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
 -----
 Archiva Security Configuration
 -----
 -----
 2011-09-16
 -----

~~ Licensed to the Apache Software Foundation (ASF) under one                      
~~ or more contributor license agreements.  See the NOTICE file                    
~~ distributed with this work for additional information                           
~~ regarding copyright ownership.  The ASF licenses this file                      
~~ to you under the Apache License, Version 2.0 (the                               
~~ "License"); you may not use this file except in compliance                      
~~ with the License.  You may obtain a copy of the License at                      
~~                                                                                 
~~   http://www.apache.org/licenses/LICENSE-2.0                                    
~~                                                                                 
~~ Unless required by applicable law or agreed to in writing,                      
~~ software distributed under the License is distributed on an                     
~~ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY                          
~~ KIND, either express or implied.  See the License for the                       
~~ specific language governing permissions and limitations                         
~~ under the License.

~~ NOTE: For help with the syntax of this file, see:
~~ http://maven.apache.org/guides/mini/guide-apt-format.html

Archiva Security Configuration

 Security properties and password rules can be configured in the
 <<<security.properties>>> file, which by default is searched for in:

   * <<<~/.m2/security.properties>>>
  
   * <<<conf/security.properties>>> in the Archiva installation

   []

 (In the above list, <<<~>>> is the home directory of the user who is running
 Archiva.)

~~TODO: Link to plexus-redback documentation when available

 Following are some of the properties you can modify.  For a complete list,
 consult the default properties file in Redback's svn repo:
 {{{http://svn.apache.org/repos/asf/archiva/redback/redback-core/trunk/redback-configuration/src/main/resources/org/apache/archiva/redback/config-defaults.properties}
 config-defaults.properties}}

+-----+
# Security Policies
# -----------------
#security.policy.password.encoder=
security.policy.password.previous.count=6
security.policy.password.expiration.days=90
security.policy.password.expiration.enabled=true
security.policy.allowed.login.attempt=3

# Password Rules
# --------------
security.policy.password.rule.alphanumeric.enabled=false
security.policy.password.rule.alphacount.enabled=true
security.policy.password.rule.alphacount.minimum=1
security.policy.password.rule.characterlength.enabled=true
security.policy.password.rule.characterlength.minimum=1
security.policy.password.rule.characterlength.maximum=8
security.policy.password.rule.musthave.enabled=true
security.policy.password.rule.numericalcount.enabled=true
security.policy.password.rule.numericalcount.minimum=1
security.policy.password.rule.reuse.enabled=true
security.policy.password.rule.nowhitespace.enabled=true

# Cross Site Request Forgery (CSRF) Prevention
# --------------------------------------------
# Enable/Disable CSRF filtering.
# Possible values: true, false
rest.csrffilter.enabled=true
# Base URL used to verify the origin headers of the requests. If not set or empty
# it tries to determine the base url automatically
rest.baseUrl=
# What to do, if the request contains no Origin or Referer header.
# If true, requests without Origin or Referer Header are denied, otherwise accepted.
# Possible values: true, false
rest.csrffilter.absentorigin.deny=true
# Enable/Disable the token validation only.
# If true, the validation of the CSRF tokens will be disabled.
# Possible values: true, false
rest.csrffilter.disableTokenValidation=false
+-----+
 
  <<Note:>> If installed standalone, Archiva's list of configuration files is <itself> configurable, and
  can be found in:
  <<<apps/archiva/WEB-INF/applicationContext.xml>>>

  Values from sources

%{snippet|id=configuration-files-list|ignoreDownloadError=true|url=https://raw.githubusercontent.com/apache/archiva/master/archiva-modules/archiva-web/archiva-webapp/src/main/webapp/WEB-INF/applicationContext.xml}