archiva-dev mailing list archives

From Joakim Erdfelt <joa...@erdfelt.com>
Subject Default Password Controls in Archiva ( MRM-229 / MRM-225 )
Date Mon, 18 Jun 2007 10:12:55 GMT
There has been some controversy on the closing of MRM-229 and MRM-225;
I feel that they should remain closed.

The defaults that you see here are not Archiva-specific, and are the same
defaults you see in all other Redback applications (including Continuum).

The fact that you can change these by adding them to one of the following
user controlled files should be enough ...

${user.home}/.m2/security.properties
${user.home}/.m2/archiva.properties
${appserver.base}/conf/security.properties
${appserver.home}/conf/security.properties

The defaults are sane to some people, and not sane to others.
If we can't agree to a set of defaults for Archiva by Thursday morning,
then the above defaults stick, and the work for this should sit on the
redback UI side for easy reconfigurability.

Yes, before you start arguing about me closing them as "won't fix" ...
Yes, I am taking an iron fist approach to JIRAs MRM-229 and MRM-225.

If you wanted them changed, you should have commented in the JIRAs sooner.
Those JIRAs were open for 6 months, no one offered any suggestions on values,
and the ability to change them without a recompile exists.
In my world, that means there is no problem.

Onto the technical details ...

In Archiva we use redback for our security.
It has several ways to enforce password complexity (uniformly) across 
all password proposals.

First, let's look at what can be changed.
(list from http://maven.apache.org/archiva/guides/security-configuration.html)

security.policy.allowed.login.attempt=3
  This is a policy setting that allows for only 3 login
  attempts before the account is locked out.
  Currently set to 3 attempts.

security.policy.password.previous.count=6
  This sets the total number of previous passwords to record.
security.policy.password.rule.reuse.enabled=true
  This sets the password rule on reuse, preventing reusing any
  of the previous passwords on the account.
  Currently turned on, and will check the previous password
  list for the last 6 passwords.

security.policy.password.expiration.days=90
  This sets the total amount of time a password is valid, in days,
  forcing the user to change their password when this interval is up.
  Currently set for 90 day password expiration.

security.policy.password.rule.alphanumeric.enabled=false
  Password rule that ensures the password is a mix of
  alpha and numeric characters.
  Currently turned off.

security.policy.password.rule.alphacount.enabled=true
security.policy.password.rule.alphacount.minimum=1
  Password rule that ensures the password contains a minimum
  number of alphabetic (a-zA-Z) characters.
  Currently turned on and requires 1 alphabetic character
  to exist in the proposed password.

security.policy.password.rule.numericalcount.enabled=true
security.policy.password.rule.numericalcount.minimum=1
  Password rule that ensures the password contains a minimum
  number of numerical (0-9) characters.
  Currently turned on and requires 1 numerical character
  to exist in the proposed password.

security.policy.password.rule.characterlength.enabled=true
security.policy.password.rule.characterlength.minimum=1
security.policy.password.rule.characterlength.maximum=8
  Password rule that ensures the password character
  length is within a specific range.
  Currently turned on and requires a password to be
  between 1 and 8 characters in length.
  (Can be any combination of alpha or numeric)

security.policy.password.rule.musthave.enabled=true
  Simple password rule that ensures that the password proposal
  contains some content, any content.
  Currently turned on. (Similar in scope to the characterlength rule)

security.policy.password.rule.nowhitespace.enabled=true
  Password rule that ensures that there are no whitespace characters
  present in the proposed password.
  Currently turned on.
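As an added illustration (not code from this message, and not Redback's own implementation): a small Python model of how the properties listed above combine into one password policy. It parses a properties text carrying the quoted defaults, applies every enabled rule to a proposed password, enforces the reuse window over the last `previous.count` passwords, and locks an account after `allowed.login.attempt` consecutive failures. It also shows a later properties source overriding the shipped defaults, which is the file-precedence mechanism the message describes. The function and class names, the rule labels returned, and the unsalted hashing of the password history are this example's own choices, not Redback's API.

```python
import hashlib
import re

# Constructed sample reproducing the default values quoted in the message.
DEFAULT_POLICY = """\
security.policy.allowed.login.attempt=3
security.policy.password.previous.count=6
security.policy.password.rule.reuse.enabled=true
security.policy.password.expiration.days=90
security.policy.password.rule.alphanumeric.enabled=false
security.policy.password.rule.alphacount.enabled=true
security.policy.password.rule.alphacount.minimum=1
security.policy.password.rule.numericalcount.enabled=true
security.policy.password.rule.numericalcount.minimum=1
security.policy.password.rule.characterlength.enabled=true
security.policy.password.rule.characterlength.minimum=1
security.policy.password.rule.characterlength.maximum=8
security.policy.password.rule.musthave.enabled=true
security.policy.password.rule.nowhitespace.enabled=true
"""

PREFIX = "security.policy."

def parse_properties(text):
    """Minimal key=value parser for a Java-style .properties file."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def load_policy(*sources):
    """Merge properties texts; later sources override earlier ones, which is
    how a user-controlled file overrides the shipped defaults."""
    merged = {}
    for source in sources:
        merged.update(parse_properties(source))
    return merged

def _flag(props, key):
    return props.get(PREFIX + key, "false").lower() == "true"

def _num(props, key, default):
    return int(props.get(PREFIX + key, default))

def hash_password(password):
    # Unsalted SHA-256 only so the reuse check can test equality; a real
    # credential store would keep a salted password hash instead.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def check_password(proposal, props, previous_hashes=()):
    """Apply every enabled rule and return the names of the rules that failed."""
    failed = []
    if _flag(props, "password.rule.musthave.enabled") and not proposal:
        failed.append("musthave")
    if _flag(props, "password.rule.nowhitespace.enabled") and re.search(r"\s", proposal):
        failed.append("nowhitespace")
    if _flag(props, "password.rule.characterlength.enabled"):
        low = _num(props, "password.rule.characterlength.minimum", 1)
        high = _num(props, "password.rule.characterlength.maximum", 8)
        if not low <= len(proposal) <= high:
            failed.append("characterlength")
    alpha = len(re.findall(r"[a-zA-Z]", proposal))
    digits = len(re.findall(r"[0-9]", proposal))
    if _flag(props, "password.rule.alphacount.enabled"):
        if alpha < _num(props, "password.rule.alphacount.minimum", 1):
            failed.append("alphacount")
    if _flag(props, "password.rule.numericalcount.enabled"):
        if digits < _num(props, "password.rule.numericalcount.minimum", 1):
            failed.append("numericalcount")
    if _flag(props, "password.rule.alphanumeric.enabled") and (alpha == 0 or digits == 0):
        failed.append("alphanumeric")
    if _flag(props, "password.rule.reuse.enabled"):
        # Only the most recent `previous.count` history entries are consulted.
        window = _num(props, "password.previous.count", 6)
        if hash_password(proposal) in list(previous_hashes)[-window:]:
            failed.append("reuse")
    return failed

class LoginGuard:
    """Locks an account after `allowed.login.attempt` consecutive failures."""

    def __init__(self, props):
        self.limit = _num(props, "allowed.login.attempt", 3)
        self.failures = {}
        self.locked = set()

    def record(self, user, success):
        if user in self.locked:
            return "locked"
        if success:
            self.failures[user] = 0
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= self.limit:
            self.locked.add(user)
            return "locked"
        return "failed"
```

With the quoted defaults, `check_password("abc123456", load_policy(DEFAULT_POLICY))` fails only on `characterlength`, because the default maximum is 8; merging a second source such as `security.policy.password.rule.characterlength.maximum=64` on top of the defaults accepts the same password, which is the override path the four properties files provide.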

-- 
- Joakim Erdfelt
  joakim@erdfelt.com
  Open Source Software (OSS) Developer
