1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
|
-----
Archiva Security Configuration
-----
-----
2011-09-16
-----
~~ Licensed to the Apache Software Foundation (ASF) under one
~~ or more contributor license agreements. See the NOTICE file
~~ distributed with this work for additional information
~~ regarding copyright ownership. The ASF licenses this file
~~ to you under the Apache License, Version 2.0 (the
~~ "License"); you may not use this file except in compliance
~~ with the License. You may obtain a copy of the License at
~~
~~ http://www.apache.org/licenses/LICENSE-2.0
~~
~~ Unless required by applicable law or agreed to in writing,
~~ software distributed under the License is distributed on an
~~ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
~~ KIND, either express or implied. See the License for the
~~ specific language governing permissions and limitations
~~ under the License.
~~ NOTE: For help with the syntax of this file, see:
~~ http://maven.apache.org/guides/mini/guide-apt-format.html
Archiva Security Configuration
Security properties and password rules can be configured in the
<<<security.properties>>> file, which by default is searched for in:
* <<<~/.m2/security.properties>>>
* <<<conf/security.properties>>> in the Archiva installation
[]
(In the above list, <<<~>>> is the home directory of the user who is running
Archiva.)
~~TODO: Link to plexus-redback documentation when available
Following are some of the properties you can modify. For a complete list,
consult the default properties file in Redback's svn repo:
{{{http://svn.apache.org/repos/asf/archiva/redback/redback-core/trunk/redback-configuration/src/main/resources/org/apache/archiva/redback/config-defaults.properties}
config-defaults.properties}}
+-----+
# Security Policies
# -----------------
#security.policy.password.encoder=
security.policy.password.previous.count=6
security.policy.password.expiration.days=90
security.policy.password.expiration.enabled=true
security.policy.allowed.login.attempt=3
# Password Rules
# --------------
security.policy.password.rule.alphanumeric.enabled=false
security.policy.password.rule.alphacount.enabled=true
security.policy.password.rule.alphacount.minimum=1
security.policy.password.rule.characterlength.enabled=true
security.policy.password.rule.characterlength.minimum=1
security.policy.password.rule.characterlength.maximum=8
security.policy.password.rule.musthave.enabled=true
security.policy.password.rule.numericalcount.enabled=true
security.policy.password.rule.numericalcount.minimum=1
security.policy.password.rule.reuse.enabled=true
security.policy.password.rule.nowhitespace.enabled=true
# Cross Site Request Forgery (CSRF) Prevention
# --------------------------------------------
# Enable/Disable CSRF filtering.
# Possible values: true, false
rest.csrffilter.enabled=true
# Base URL used to verify the origin headers of the requests. If not set or empty
# it tries to determine the base url automatically
rest.baseUrl=
# What to do, if the request contains no Origin or Referer header.
# If true, requests without Origin or Referer Header are denied, otherwise accepted.
# Possible values: true, false
rest.csrffilter.absentorigin.deny=true
# Enable/Disable the token validation only.
# If true, the validation of the CSRF tokens will be disabled.
# Possible values: true, false
rest.csrffilter.disableTokenValidation=false
+-----+
<<Note:>> If installed standalone, Archiva's list of configuration files is <itself> configurable, and
can be found in:
<<<apps/archiva/WEB-INF/applicationContext.xml>>>
Values from sources
%{snippet|id=configuration-files-list|ignoreDownloadError=true|url=https://raw.githubusercontent.com/apache/archiva/master/archiva-modules/archiva-web/archiva-webapp/src/main/webapp/WEB-INF/applicationContext.xml}
|