Security properties and password rules can be configured in the security.properties file, which by default is searched for in:
(In the above list, ~ is the home directory of the user who is running Archiva.)
Following are some of the properties you can modify. For a complete list, consult the default properties file in Redback's svn repo: config-defaults.properties
# Security Policies #security.policy.password.encoder= security.policy.password.previous.count=6 security.policy.password.expiration.days=90 security.policy.allowed.login.attempt=3 # Password Rules security.policy.password.rule.alphanumeric.enabled=false security.policy.password.rule.alphacount.enabled=true security.policy.password.rule.alphacount.minimum=1 security.policy.password.rule.characterlength.enabled=true security.policy.password.rule.characterlength.minimum=1 security.policy.password.rule.characterlength.maximum=8 security.policy.password.rule.musthave.enabled=true security.policy.password.rule.numericalcount.enabled=true security.policy.password.rule.numericalcount.minimum=1 security.policy.password.rule.reuse.enabled=true security.policy.password.rule.nowhitespace.enabled=true
Note: If installed standalone, Archiva's list of configuration files is itself configurable, and can be found in: apps/archiva/WEB-INF/classes/META-INF/plexus/application.xml
To help prevent cross-site request forgery, it is possible to enable a basic check that the referrer is the current site.
Note: This is only a generic solution that may prevent some types of attacks but not others. It may cause problems with certain user agents. By default, the check is off.
To enable the check, change the following configuration value in the struts.xml file in the WEB-INF/classes directory of the web application (2 locations):
<interceptor-ref name="redbackSecureActions"> <param name="enableReferrerCheck">false</param> </interceptor-ref>