-----
Archiva Security Configuration
-----
-----
2011-09-16
-----
~~ Licensed to the Apache Software Foundation (ASF) under one
~~ or more contributor license agreements. See the NOTICE file
~~ distributed with this work for additional information
~~ regarding copyright ownership. The ASF licenses this file
~~ to you under the Apache License, Version 2.0 (the
~~ "License"); you may not use this file except in compliance
~~ with the License. You may obtain a copy of the License at
~~
~~ http://www.apache.org/licenses/LICENSE-2.0
~~
~~ Unless required by applicable law or agreed to in writing,
~~ software distributed under the License is distributed on an
~~ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
~~ KIND, either express or implied. See the License for the
~~ specific language governing permissions and limitations
~~ under the License.
~~ NOTE: For help with the syntax of this file, see:
~~ http://maven.apache.org/guides/mini/guide-apt-format.html
Archiva Security Configuration
Security properties and password rules can be configured in the
<<<security.properties>>> file, which by default is searched for in:
* <<<~/.m2/security.properties>>>
* <<<conf/security.properties>>> in the Archiva installation
[]
(In the above list, <<<~>>> is the home directory of the user who is running
Archiva.)
~~TODO: Link to plexus-redback documentation when available
The following are some of the properties you can modify. For a complete list,
consult the default properties file in Redback's svn repo:
{{{http://svn.apache.org/repos/asf/archiva/redback/redback-core/trunk/redback-configuration/src/main/resources/org/apache/archiva/redback/config-defaults.properties}
config-defaults.properties}}
+-----+
# Security Policies
# -----------------
#security.policy.password.encoder=
security.policy.password.previous.count=6
security.policy.password.expiration.days=90
security.policy.password.expiration.enabled=true
security.policy.allowed.login.attempt=3
# Password Rules
# --------------
security.policy.password.rule.alphanumeric.enabled=false
security.policy.password.rule.alphacount.enabled=true
security.policy.password.rule.alphacount.minimum=1
security.policy.password.rule.characterlength.enabled=true
security.policy.password.rule.characterlength.minimum=1
security.policy.password.rule.characterlength.maximum=8
security.policy.password.rule.musthave.enabled=true
security.policy.password.rule.numericalcount.enabled=true
security.policy.password.rule.numericalcount.minimum=1
security.policy.password.rule.reuse.enabled=true
security.policy.password.rule.nowhitespace.enabled=true
# Cross Site Request Forgery (CSRF) Prevention
# --------------------------------------------
# Enable/Disable CSRF filtering.
# Possible values: true, false
rest.csrffilter.enabled=true
# Base URL used to verify the origin headers of the requests. If not set or empty
# it tries to determine the base url automatically
rest.baseUrl=
# What to do, if the request contains no Origin or Referer header.
# If true, requests without Origin or Referer Header are denied, otherwise accepted.
# Possible values: true, false
rest.csrffilter.absentorigin.deny=true
# Enable/Disable the token validation only.
# If true, the validation of the CSRF tokens will be disabled.
# Possible values: true, false
rest.csrffilter.disableTokenValidation=false
+-----+
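The settings listed above can be checked mechanically before a deployment. The following is an added example, not part of Archiva or Redback: it parses a <<<security.properties>>> file and reports the password-length and CSRF keys from this page whose values weaken the policy. The function names and the <<<MIN_LEN>>> and <<<MAX_LEN>>> baselines are assumptions chosen for illustration; only simple <<<key=value>>> lines are handled.

```python
# Added example: audits the security.properties keys shown on this page.
# MIN_LEN / MAX_LEN are assumed site baselines, not Archiva or Redback defaults.
MIN_LEN, MAX_LEN = 12, 64
RULE = "security.policy.password.rule.characterlength."
CSRF_WEAK = {  # key -> (weakening value, finding)
    "rest.csrffilter.enabled": ("false", "CSRF filter is off"),
    "rest.csrffilter.absentorigin.deny": ("false", "requests without Origin/Referer are accepted"),
    "rest.csrffilter.disableTokenValidation": ("true", "CSRF token validation is off"),
}

# Constructed sample input reusing values from the listing above.
SAMPLE = """\
# Password Rules
security.policy.password.rule.characterlength.enabled=true
security.policy.password.rule.characterlength.minimum=1
security.policy.password.rule.characterlength.maximum=8
rest.csrffilter.enabled=true
rest.baseUrl=
rest.csrffilter.absentorigin.deny=true
rest.csrffilter.disableTokenValidation=false
"""

def parse_properties(text):
    """Parse key=value lines; skip blank lines and '#' or '!' comments."""
    props = {}
    for line in map(str.strip, text.splitlines()):
        if line and line[0] not in "#!" and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def audit(props):
    """Return (key, finding) pairs for keys that are present and weak."""
    out = []
    lo, hi = (props.get(RULE + k, "") for k in ("minimum", "maximum"))
    if props.get(RULE + "enabled", "").lower() == "false":
        out.append((RULE + "enabled", "length rule is switched off"))
    else:
        if lo.isdigit() and int(lo) < MIN_LEN:
            out.append((RULE + "minimum", f"{lo} is below baseline {MIN_LEN}"))
        if hi.isdigit() and int(hi) < MAX_LEN:
            out.append((RULE + "maximum", f"{hi} caps passwords below {MAX_LEN}"))
    for key, (weak, finding) in CSRF_WEAK.items():
        if props.get(key, "").lower() == weak:
            out.append((key, finding))
    if props.get("rest.baseUrl") == "":
        out.append(("rest.baseUrl", "empty, origin check uses the auto-detected base URL"))
    return out
```

Keys that are absent from the file are not reported, because this page does not state which value applies in that case.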
<<Note:>> If installed standalone, Archiva's list of configuration files is <itself> configurable, and
can be found in:
<<<apps/archiva/WEB-INF/applicationContext.xml>>>
Values from sources
%{snippet|id=configuration-files-list|ignoreDownloadError=true|url=https://raw.githubusercontent.com/apache/archiva/master/archiva-modules/archiva-web/archiva-webapp/src/main/webapp/WEB-INF/applicationContext.xml}