<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<title>Archiva Documentation - Archiva Security Configuration</title>
<style type="text/css" media="all">
@import url("../css/maven-base.css");
@import url("../css/maven-theme.css");
@import url("../css/site.css");
</style>
<link rel="stylesheet" href="../css/print.css" type="text/css" media="print" />
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
</head>
<body class="composite">
<div id="banner">
<a href="../../" id="bannerLeft">
<img src="http://archiva.apache.org/images/archiva.png" alt="" />
</a>
<a href="http://www.apache.org/" id="bannerRight">
<img src="http://www.apache.org/images/asf_logo_wide.png" alt="" />
</a>
<div class="clear">
<hr/>
</div>
</div>
<div id="breadcrumbs">
<div class="xright">
&nbsp;| Last Published: 01 Jul 2014
</div>
<div class="clear">
<hr/>
</div>
</div>
<div id="bodyColumn">
<div id="contentBox">
<div class="section"><h2>Archiva Security Configuration</h2>
<p>Security properties and password rules can be configured in the <tt>security.properties</tt> file, which by default is searched for in:</p>
<ul><li><tt>~/.m2/security.properties</tt></li><li><tt>conf/security.properties</tt> in the Archiva installation</li></ul>
<p>(In the above list, <tt>~</tt> is the home directory of the user who is running Archiva.)</p>
<p>The following are some of the properties you can modify. For a complete list, consult the default properties file in Redback's svn repo: <a href="http://svn.codehaus.org/redback/redback/trunk/redback-configuration/src/main/resources/org/codehaus/plexus/redback/config-defaults.properties">config-defaults.properties</a></p>
<div class="source"><pre># Security Policies
#security.policy.password.encoder=
security.policy.password.previous.count=6
security.policy.password.expiration.days=90
security.policy.allowed.login.attempt=3
# Password Rules
security.policy.password.rule.alphanumeric.enabled=false
security.policy.password.rule.alphacount.enabled=true
security.policy.password.rule.alphacount.minimum=1
security.policy.password.rule.characterlength.enabled=true
security.policy.password.rule.characterlength.minimum=1
security.policy.password.rule.characterlength.maximum=8
security.policy.password.rule.musthave.enabled=true
security.policy.password.rule.numericalcount.enabled=true
security.policy.password.rule.numericalcount.minimum=1
security.policy.password.rule.reuse.enabled=true
security.policy.password.rule.nowhitespace.enabled=true</pre></div>
<p><b>Note:</b> If installed standalone, Archiva's list of configuration files is <i>itself</i> configurable, and can be found in: <tt>apps/archiva/WEB-INF/classes/META-INF/plexus/application.xml</tt></p>
<div class="section"><h3>Additional CSRF Prevention</h3>
<p>To help prevent cross-site request forgery, it is possible to enable a basic check that the referrer is the current site.</p>
<p><i>Note:</i> This is only a generic solution that may prevent some types of attacks but not others. It may cause problems with certain user agents. By default, the check is off.</p>
<p>To enable the check, change the following configuration value from <tt>false</tt> to <tt>true</tt> in the <tt>struts.xml</tt> file in the <tt>WEB-INF/classes</tt> directory of the web application (2 locations):</p>
<div class="source"><pre>&lt;interceptor-ref name=&quot;redbackSecureActions&quot;&gt;
  &lt;param name=&quot;enableReferrerCheck&quot;&gt;false&lt;/param&gt;
&lt;/interceptor-ref&gt;</pre></div></div></div>
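<p>An added example, not code from Archiva or Redback: a small audit of a <tt>security.properties</tt> file that uses the property names from the password-rule listing above. The thresholds in <tt>BASELINE</tt> and the names <tt>parse_properties</tt> and <tt>audit</tt> are assumptions made for illustration; set the thresholds to your own policy.</p>

```python
import re

# Constructed sample: a subset of the values shown in the listing on this page.
SAMPLE = """\
#security.policy.password.encoder=
security.policy.allowed.login.attempt=3
security.policy.password.rule.characterlength.enabled=true
security.policy.password.rule.characterlength.minimum=1
security.policy.password.rule.characterlength.maximum=8
security.policy.password.rule.reuse.enabled=true
"""

P = "security.policy."
# Assumed local baseline (not an Archiva or Redback recommendation): key -> (test, bound).
BASELINE = {
    P + "allowed.login.attempt": ("max", 5),
    P + "password.rule.characterlength.enabled": ("is", "true"),
    P + "password.rule.characterlength.minimum": ("min", 12),
    P + "password.rule.characterlength.maximum": ("min", 64),
    P + "password.rule.reuse.enabled": ("is", "true"),
}

def parse_properties(text):
    """Return key=value pairs; '#' and '!' lines are comments, so a commented-out key is unset."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and line[0] not in "#!" and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def audit(text, baseline=BASELINE):
    """Return sorted (key, problem) findings for settings that miss the baseline."""
    props, findings = parse_properties(text), []
    for key, (test, bound) in baseline.items():
        value = props.get(key)
        if value is None:
            findings.append((key, "not set in this file"))
        elif test == "is":
            if value.lower() != bound:
                findings.append((key, f"is {value}, expected {bound}"))
        elif not re.fullmatch(r"-?\d+", value):
            findings.append((key, f"non-numeric value {value!r}"))
        elif test == "min" and int(value) < bound:
            findings.append((key, f"{value} is below {bound}"))
        elif test == "max" and int(value) > bound:
            findings.append((key, f"{value} is above {bound}"))
    return sorted(findings)
```

<p>With the sample values, <tt>audit(SAMPLE)</tt> reports the 8-character maximum and the 1-character minimum; a key reported as not set takes its value from another configuration file or from the defaults.</p>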
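<p>An added example, not part of the Archiva documentation: a check that every <tt>redbackSecureActions</tt> reference in <tt>struts.xml</tt> has the referrer check switched on, since the setting has to be changed in 2 locations. The surrounding XML in <tt>SAMPLE</tt> and the stack names in it are constructed, and the function names are assumptions.</p>

```python
import xml.etree.ElementTree as ET

# Constructed struts.xml fragment (stack names are made up). Only the first of
# the two redbackSecureActions references has been switched to "true".
SAMPLE = """<struts><package name="base"><interceptors>
  <interceptor-stack name="stackA">
    <interceptor-ref name="redbackSecureActions">
      <param name="enableReferrerCheck">true</param>
    </interceptor-ref>
  </interceptor-stack>
  <interceptor-stack name="stackB">
    <interceptor-ref name="redbackSecureActions">
      <param name="enableReferrerCheck">false</param>
    </interceptor-ref>
  </interceptor-stack>
</interceptors></package></struts>"""

EXPECTED_LOCATIONS = 2  # the page states the value appears in 2 locations


def referrer_check_values(struts_xml):
    """Return the enableReferrerCheck value of each redbackSecureActions
    reference in document order; None when the param element is absent."""
    values = []
    for ref in ET.fromstring(struts_xml).iter("interceptor-ref"):
        if ref.get("name") != "redbackSecureActions":
            continue
        param = ref.find("param[@name='enableReferrerCheck']")
        values.append(None if param is None else (param.text or "").strip().lower())
    return values


def referrer_check_problems(struts_xml):
    """Return one message per reference that is not 'true', plus a count mismatch."""
    values = referrer_check_values(struts_xml)
    problems = [f"location {i}: enableReferrerCheck is {v or 'not set'}"
                for i, v in enumerate(values, 1) if v != "true"]
    if len(values) != EXPECTED_LOCATIONS:
        problems.append(f"found {len(values)} redbackSecureActions references, "
                        f"expected {EXPECTED_LOCATIONS}")
    return problems
```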
</div>
</div>
<div class="clear">
<hr/>
</div>
<div id="footer">
<div class="xright">&#169;
2006-2014
The Apache Software Foundation
</div>
<div class="clear">
<hr/>
</div>
</div>
</body>
</html>