archiva-dev mailing list archives

From Brett Porter <br...@apache.org>
Subject Re: Default Password Controls in Archiva ( MRM-229 / MRM-225 )
Date Wed, 20 Jun 2007 23:50:58 GMT
The only one I'd change is the maximum. I don't really understand the  
usefulness of that and it's hit me a couple of times.

- Brett

On 18/06/2007, at 8:12 PM, Joakim Erdfelt wrote:

> There has been some controversy on the closing of MRM-229 and MRM-225,
> I feel that they should remain closed.
>
> The defaults that you see here are not archiva specific, and are the same
> defaults you see in all other redback applications (including continuum)
>
> The fact that you can change these by adding them to one of the following
> user controlled files should be enough ...
>
> ${user.home}/.m2/security.properties
> ${user.home}/.m2/archiva.properties
> ${appserver.base}/conf/security.properties
> ${appserver.home}/conf/security.properties
>
> The defaults are sane to some people, and not sane to others.
> If we can't agree to a set of defaults for Archiva by Thursday morning,
> then the above defaults stick, and the work for this should sit on the
> redback UI side for easy reconfigurability.
>
> Yes, before you start arguing about me closing them as won't fix ...
> Yes, I am taking an iron fist approach to jiras MRM-229 and MRM-225.
> If you wanted them changed, you should have commented in the jiras sooner.
> Those jiras were open for 6 months, no one offered any suggestions on values,
> and the ability to change them without a recompile exists. In my world,
> that means there is no problem.
>
> Onto the technical details ...
>
> In Archiva we use redback for our security.
> It has several ways to enforce password complexity (uniformly) across all
> password proposals.
>
> First, let's look at what can be changed.
> ( list from http://maven.apache.org/archiva/guides/security-configuration.html )
>
> security.policy.allowed.login.attempt=3
>  This is a policy setting that allows for only 3 login
>  attempts before the account is locked out.
>  Currently set to 3 attempts.
>
> security.policy.password.previous.count=6
>  This sets the total number of previous passwords to record.
> security.policy.password.rule.reuse.enabled=true
>  This sets the password rule on reuse, preventing reusing any
>  of the previous passwords on the account.
>  Currently turned on, and will check the previous password
>  list for the last 6 passwords.
>
> security.policy.password.expiration.days=90
>  This sets the total amount of time a password is valid,
>  in days, forcing the user to change their password when
>  this interval is up.
>  Currently set for 90 day password expiration.
>
> security.policy.password.rule.alphanumeric.enabled=false
>  Password rule that ensures the password is a mix of
>  alpha and numeric characters.
>  Currently turned off
>
> security.policy.password.rule.alphacount.enabled=true
> security.policy.password.rule.alphacount.minimum=1
>  Password rule that ensures the password contains a minimum
>  number of alphabetic (a-zA-Z) characters.
>  Currently turned on and requires 1 alphabetic character
>  to exist in the proposed password.
>
> security.policy.password.rule.numericalcount.enabled=true
> security.policy.password.rule.numericalcount.minimum=1
>  Password rule that ensures the password contains a minimum
>  number of numerical (0-9) characters.
>  Currently turned on and requires 1 numerical character
>  to exist in the proposed password.
>
> security.policy.password.rule.characterlength.enabled=true
> security.policy.password.rule.characterlength.minimum=1
> security.policy.password.rule.characterlength.maximum=8
>  Password rule that ensures the password character
>  length is within a specific character length.
>  Currently turned on and requires a password to be
>  between 1 and 8 characters in length.
>  (Can be any combination of alpha or numeric)
>
>
> security.policy.password.rule.musthave.enabled=true
>  Simple password rule that ensures that the password proposal
>  contains some, any content.
>  Currently turned on. (Similar in scope to characterlength rule)
>
> security.policy.password.rule.nowhitespace.enabled=true
>  Password rule that ensures that there are no whitespace characters
>  present in the proposed password.
>  Currently turned on.
>
> -- 
> - Joakim Erdfelt
>  joakim@erdfelt.com
>  Open Source Software (OSS) Developer
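The quoted message lists the Redback `security.policy.*` keys and their defaults but leaves the reader to work out how the rules combine against an actual password proposal. The following is an added example, not code from Archiva or Redback: a small checker that parses properties in the form shown above, applies the rules as the message describes them (alphacount, numericalcount, alphanumeric, characterlength, musthave, nowhitespace, reuse against the recorded history), and reports which rules a proposal violates. The helper names (`load_policy`, `check_password`) and the sample inputs are this example's own; the property keys and default values are the ones quoted in the thread. It also shows the effect of overriding a default the way the message suggests, by appending a later key=value line, which is how the `characterlength.maximum` value Brett objects to would be raised.

```python
"""Added example (not Archiva/Redback code): apply Redback-style
security.policy.* password rules, as described in the thread, to a proposal."""

import re

# Constructed sample: the defaults quoted in the message, in properties form.
DEFAULT_POLICY = """
security.policy.allowed.login.attempt=3
security.policy.password.previous.count=6
security.policy.password.rule.reuse.enabled=true
security.policy.password.expiration.days=90
security.policy.password.rule.alphanumeric.enabled=false
security.policy.password.rule.alphacount.enabled=true
security.policy.password.rule.alphacount.minimum=1
security.policy.password.rule.numericalcount.enabled=true
security.policy.password.rule.numericalcount.minimum=1
security.policy.password.rule.characterlength.enabled=true
security.policy.password.rule.characterlength.minimum=1
security.policy.password.rule.characterlength.maximum=8
security.policy.password.rule.musthave.enabled=true
security.policy.password.rule.nowhitespace.enabled=true
"""

RULE_PREFIX = "security.policy.password.rule."


def load_policy(text):
    """Parse key=value lines into a dict; blanks and '#'/'!' comments are
    skipped and a later line for the same key overrides an earlier one,
    which is how an override file layered on the defaults behaves."""
    policy = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, _, value = line.partition("=")
        policy[key.strip()] = value.strip()
    return policy


def _enabled(policy, rule):
    return policy.get(f"{RULE_PREFIX}{rule}.enabled", "false").lower() == "true"


def _minimum(policy, rule, default=1):
    return int(policy.get(f"{RULE_PREFIX}{rule}.minimum", default))


def check_password(proposal, policy, previous=()):
    """Return the names of the rules the proposal violates (empty list means
    accepted). `previous` is the account's recorded password history, oldest
    first; plain strings here for illustration, a real store would hold hashes."""
    violations = []
    if _enabled(policy, "musthave") and not proposal:
        violations.append("musthave")
    if _enabled(policy, "nowhitespace") and re.search(r"\s", proposal):
        violations.append("nowhitespace")
    alpha = len(re.findall(r"[A-Za-z]", proposal))
    digits = len(re.findall(r"[0-9]", proposal))
    if _enabled(policy, "alphacount") and alpha < _minimum(policy, "alphacount"):
        violations.append("alphacount")
    if _enabled(policy, "numericalcount") and digits < _minimum(policy, "numericalcount"):
        violations.append("numericalcount")
    # "mix of alpha and numeric": at least one of each kind must be present.
    if _enabled(policy, "alphanumeric") and not (alpha and digits):
        violations.append("alphanumeric")
    if _enabled(policy, "characterlength"):
        lo = _minimum(policy, "characterlength")
        hi = int(policy.get(f"{RULE_PREFIX}characterlength.maximum", lo))
        if not lo <= len(proposal) <= hi:
            violations.append("characterlength")
    if _enabled(policy, "reuse"):
        # Only the last previous.count entries of the history are consulted.
        count = int(policy.get("security.policy.password.previous.count", "0"))
        if count and proposal in list(previous)[-count:]:
            violations.append("reuse")
    return violations


if __name__ == "__main__":
    defaults = load_policy(DEFAULT_POLICY)
    # Constructed proposals; the 9-character one trips the maximum of 8.
    for candidate in ["abc123", "abcdefgh1", "abc 12", "abcdef", ""]:
        print(repr(candidate), "->", check_password(candidate, defaults) or "ok")
    raised = load_policy(DEFAULT_POLICY + f"\n{RULE_PREFIX}characterlength.maximum=64\n")
    print("with maximum=64:", check_password("abcdefgh1", raised) or "ok")
```

Layering a second properties block after the defaults is the same precedence model as dropping an override into one of the `security.properties` locations listed in the message: the later value wins without a recompile, which is the point the message makes about the defaults being changeable.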
