Archiva Security Configuration

Security properties and password rules are now configured in the Redback Runtime Configuration properties (see Redback Runtime Configuration).

The Redback Runtime Configuration properties are stored in archiva.xml. The former security.properties file, if it exists, is read only once to populate the Runtime Configuration settings. After that, the file is ignored.

These are the default properties. The file can be found in Redback's svn repo: config-defaults.properties

# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements.  See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership.  The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License.  You may obtain a copy of the License at
#
#   http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied.  See the License for the
# specific language governing permissions and limitations
# under the License.

# --------------------------------------------------------------------
# Application Configuration

# Pattern used when formatting timestamps (Java SimpleDateFormat syntax, presumably).
application.timestamp=EEE d MMM yyyy HH:mm:ss Z

# --------------------------------------------------------------------
# JDBC Setup
#
# The defaults point at an in-memory HSQLDB instance with the stock "sa"
# account and an empty password, which is only meaningful for tests. Any
# real datasource credentials that replace them are stored in clear text in
# this file, so keep it readable only by the account that runs Archiva.

#jdbc.driver.name=org.apache.derby.jdbc.EmbeddedDriver
#jdbc.url=jdbc:derby:memory:users-tests;create=true

jdbc.driver.name=org.hsqldb.jdbcDriver
jdbc.url=jdbc:hsqldb:mem:redback-test

jdbc.username=sa
jdbc.password=

# --------------------------------------------------------------------
# Email Settings

email.jndiSessionName=java:comp/env/mail/Session
# Both SSL and TLS are off, so the SMTP connection is plain text. That is
# acceptable for the default localhost relay; enable one of them before
# pointing smtp.host at a remote server together with a username/password,
# otherwise those credentials would presumably travel unencrypted.
email.smtp.host=localhost
email.smtp.port=25
email.smtp.ssl.enabled=false
email.smtp.tls.enabled=false
email.smtp.username=
email.smtp.password=

#TODO: move description elsewhere, remove bad default
# All emails sent by the system will be from the following address
#email.from.address=${user.name}@localhost
# All emails sent by the system will be from the following user name (used in conjunction with address)
#email.from.name=Unconfigured Username

# If all email addresses (from new user registration) require an account validation email. 
email.validation.required=true
# Timeout (in minutes) for the key generated for an email validation to remain valid.
# 2880 minutes = 48 hours
email.validation.timeout=2880
# The subject line for the email message.
email.validation.subject=Welcome

#TODO: move description elsewhere, remove bad default
# Get the Feedback to use for any outgoing emails.
# NOTE: if feedback.path starts with a "/" it is appended to the end of the value provided in application.url
# This value can be in the format/syntax of "/feedback.action" or even "mailto:feedback@application.com"
#email.feedback.path=/feedback.action

#Set the application base URL. The default is to derive it from the HTTP request
#application.url=http://myurl.mycompany.com

# --------------------------------------------------------------------
# Auto Login Settings

security.rememberme.enabled=true
# Timeout in days ( 365 days = 1 year )
security.rememberme.timeout=365
# path/domain/secure look like the attributes of the remember-me cookie
# (confirm against the Redback source). With secure=false the cookie may be
# sent over plain HTTP as well; set it to true once Archiva is served
# exclusively over HTTPS.
security.rememberme.path=/
security.rememberme.domain=
security.rememberme.secure=false

# Single Sign On
# Timeout in minutes
security.signon.timeout=30

# --------------------------------------------------------------------
# Default Username Values
redback.default.admin=admin
redback.default.guest=guest

# --------------------------------------------------------------------
# Security Policies

# Left unset here; the encoder actually used is whatever Redback falls back
# to, which is not visible in this file.
#security.policy.password.encoder=
# Number of previous passwords remembered (presumably consumed by the reuse
# rule further down — confirm).
security.policy.password.previous.count=6
security.policy.password.expiration.enabled=true
security.policy.password.expiration.days=90
security.policy.password.expiration.notify.days=10
# Failed login attempts tolerated before the policy acts on the account
# (presumably a lockout — confirm).
security.policy.allowed.login.attempt=10

# turn off the perclick enforcement of various security policies, slightly
# more heavyweight since it will ensure that the User object on each click
# is up to date
security.policy.strict.enforcement.enabled=true
security.policy.strict.force.password.change.enabled=true

# --------------------------------------------------------------------
# Password Rules
#
# These defaults require at least one letter and one digit, no whitespace,
# and a length of 1..24 characters. A minimum length of 1 is weak; production
# deployments usually raise characterlength.minimum. Note that the maximum of
# 24 also caps how long a passphrase users are allowed to choose.
security.policy.password.rule.alphanumeric.enabled=false
security.policy.password.rule.alphacount.enabled=true
security.policy.password.rule.alphacount.minimum=1
security.policy.password.rule.characterlength.enabled=true
security.policy.password.rule.characterlength.minimum=1
security.policy.password.rule.characterlength.maximum=24
security.policy.password.rule.musthave.enabled=true
security.policy.password.rule.numericalcount.enabled=true
security.policy.password.rule.numericalcount.minimum=1
security.policy.password.rule.reuse.enabled=true
security.policy.password.rule.nowhitespace.enabled=true

# --------------------------------------------------------------------
# ldap settings
#
ldap.bind.authenticator.enabled=false

# ldap options for configuration via properties file
# NOTE: ldap.config.password holds the bind account's password in clear text;
# if it is set, restrict this file's permissions accordingly.
#ldap.config.hostname=
#ldap.config.port=
#ldap.config.base.dn=
#ldap.config.context.factory=
#ldap.config.bind.dn=
#ldap.config.password=
#ldap.config.authentication.method=

# config parameter for the ConfigurableUserManager
user.manager.impl=jdo


# REST security settings

# Cross Site Request Forgery (CSRF) Prevention
# --------------------------------------------
# Enable/Disable CSRF filtering.
# Possible values: true, false
rest.csrffilter.enabled=true
# Base URL used to verify the origin headers of the requests. If not set or empty
# it tries to determine the base url automatically
# Behind a reverse proxy the automatically determined URL may not match the
# scheme/host/port that browsers actually send in Origin/Referer; in that case
# set this to the externally visible URL (presumably — confirm with the filter).
rest.baseUrl=
# What to do, if the request contains no Origin or Referer header.
# If true, requests without Origin or Referer Header are denied, otherwise accepted.
# Possible values: true, false
rest.csrffilter.absentorigin.deny=true
# Enable/Disable the token validation only.
# If true, the validation of the CSRF tokens will be disabled.
# Possible values: true, false
# Keep this false in production: with tokens disabled, presumably only the
# Origin/Referer check above protects the REST API against cross-site requests.
rest.csrffilter.disableTokenValidation=false

Note: If Archiva is installed standalone, its list of configuration files is itself configurable, and can be found in: apps/archiva/WEB-INF/applicationContext.xml

Values from sources

<bean name="commons-configuration" class="org.apache.archiva.redback.components.registry.commons.CommonsConfigurationRegistry"
  init-method="initialize">
  <!--
    Ordered list of configuration sources merged into one registry. It runs from
    per-user files (${user.home}/.m2) through the instance directory
    (${appserver.base}) and the installation directory (${appserver.home}) to the
    classpath defaults (org/apache/archiva/redback-security.properties); every
    source except the last is marked config-optional. Which source wins when the
    same key appears twice is not visible here - presumably the earlier entry -
    so confirm against CommonsConfigurationRegistry before relying on it.
    <system/> adds JVM system properties as a source, so -D flags can presumably
    supply (or, depending on precedence, override) any of these keys.

    NOTE(review): the security.properties sources may carry jdbc.password,
    ldap.config.password and email.smtp.password in clear text. Those files, and
    the ${user.home}/.m2 directory, should be readable only by the account that
    runs Archiva. The CDATA body below is data handed to the registry, not
    Spring markup, so add comments here rather than inside it.
  -->
  <property name="properties">
    <value>
      <![CDATA[
      <configuration>
        <system/>
        <jndi prefix="java:comp/env" config-optional="true"/>
        <xml fileName="${user.home}/.m2/archiva.xml" config-optional="true"
             config-name="org.apache.archiva.user"
             config-at="org.apache.archiva"/>
        <xml fileName="${user.home}/.m2/shared.xml" config-optional="true"
             config-name="org.apache.maven.shared.app.user" config-at="org.apache.maven.shared.app"
             config-forceCreate="true"/>
        <properties fileName="${user.home}/.m2/security.properties" config-optional="true"
                    config-at="org.apache.archiva.redback"/>
        <properties fileName="${user.home}/.m2/archiva.properties" config-optional="true"
                    config-at="org.apache.archiva.redback"/>
        <xml fileName="${appserver.base}/conf/archiva.xml" config-optional="true"
             config-name="org.apache.archiva.base"
             config-at="org.apache.archiva"/>
        <xml fileName="${appserver.base}/conf/shared.xml" config-optional="true"
             config-name="org.apache.maven.shared.app.base" config-at="org.apache.maven.shared.app"/>
        <xml fileName="${appserver.base}/conf/common.xml" config-optional="true"/>
        <properties fileName="${appserver.base}/conf/security.properties" config-optional="true"
                    config-at="org.apache.archiva.redback"/>
        <xml fileName="${appserver.home}/conf/archiva.xml" config-optional="true"
             config-at="org.apache.archiva"/>
        <xml fileName="${appserver.home}/conf/shared.xml" config-optional="true"
             config-at="org.apache.maven.shared.app"/>
        <xml fileName="${appserver.home}/conf/common.xml" config-optional="true"/>
        <properties fileName="${appserver.home}/conf/security.properties" config-optional="true"
                    config-at="org.apache.archiva.redback"/>
        <properties fileName="org/apache/archiva/redback-security.properties" config-at="org.apache.archiva.redback"/>
      </configuration>
      ]]>
    </value>
  </property>    
</bean>