Security properties and password rules are now configured in the Redback Runtime Configuration properties (see Redback Runtime Configuration).
The Redback Runtime Configuration properties are stored in archiva.xml. The former security.properties file, if it exists, is read only once, to populate the Runtime Configuration settings. After that, this file is ignored.
These are the default properties. The file can be found in Redback's svn repo: config-defaults.properties
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements. See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership. The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License. You may obtain a copy of the License at
#
#   http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.
#
# Redback default configuration. Every value below is a fallback that a
# deployment-specific source (archiva.xml, system properties, JNDI) may
# override; values marked NOTE(review) are the ones worth re-checking
# before a production deployment.
# --------------------------------------------------------------------
# Application Configuration
# Date/time pattern used when the application renders timestamps.
application.timestamp=EEE d MMM yyyy HH:mm:ss Z
# --------------------------------------------------------------------
# JDBC Setup
# Alternative embedded-Derby setup, kept for reference.
#jdbc.driver.name=org.apache.derby.jdbc.EmbeddedDriver
#jdbc.url=jdbc:derby:memory:users-tests;create=true
# Default is an in-memory HSQLDB ("mem:") database, so nothing persists
# across restarts.
jdbc.driver.name=org.hsqldb.jdbcDriver
jdbc.url=jdbc:hsqldb:mem:redback-test
jdbc.username=sa
# NOTE(review): empty password is only acceptable for the in-memory test
# database above; any persistent database must override this.
jdbc.password=
# --------------------------------------------------------------------
# Email Settings
# JNDI name of the mail session; presumably takes precedence over the
# smtp.* values below when bound -- confirm against the mail setup code.
email.jndiSessionName=java:comp/env/mail/Session
email.smtp.host=localhost
email.smtp.port=25
# Both transport-encryption options are off by default; enable one when
# the SMTP host is not local.
email.smtp.ssl.enabled=false
email.smtp.tls.enabled=false
email.smtp.username=
email.smtp.password=
#TODO: move description elsewhere, remove bad default
# All emails sent by the system will be from the following address
#email.from.address=${user.name}@localhost
# All emails sent by the system will be from the following user name (used in conjunction with address)
#email.from.name=Unconfigured Username
# If all email addresses (from new user registration) require an account validation email.
email.validation.required=true
# Timeout (in minutes) for the key generated for an email validation to remain valid.
# 2880 minutes = 48 hours
email.validation.timeout=2880
# The subject line for the email message.
email.validation.subject=Welcome
#TODO: move description elsewhere, remove bad default
# Get the Feedback to use for any outgoing emails.
# NOTE: if feedback.path starts with a "/" it is appended to the end of the value provided in application.url
# This value can be in the format/syntax of "/feedback.action" or even "mailto:feedback@application.com"
#email.feedback.path=/feedback.action
#Set the application base URL. The default is to derive it from the HTTP request
# NOTE(review): deriving the base URL from the request means the value is
# client-influenced; set it explicitly when links in validation emails
# must be trustworthy.
#application.url=http://myurl.mycompany.com
# --------------------------------------------------------------------
# Auto Login Settings
security.rememberme.enabled=true
# Timeout in days ( 365 days = 1 year )
security.rememberme.timeout=365
security.rememberme.path=/
security.rememberme.domain=
# NOTE(review): false presumably leaves the remember-me cookie without the
# Secure flag; set true for HTTPS deployments -- confirm against the
# cookie-issuing code.
security.rememberme.secure=false
# Single Sign On
# Timeout in minutes
security.signon.timeout=30
# --------------------------------------------------------------------
# Default Username Values
# Well-known account names; the admin name is predictable, so the lockout
# policy below is what limits guessing against it.
redback.default.admin=admin
redback.default.guest=guest
# --------------------------------------------------------------------
# Security Policies
# Left unset here; the effective default encoder is not visible in this file.
#security.policy.password.encoder=
# Number of previous passwords a user may not reuse (see rule.reuse below).
security.policy.password.previous.count=6
security.policy.password.expiration.enabled=true
security.policy.password.expiration.days=90
security.policy.password.expiration.notify.days=10
# Failed-login attempts allowed before the account lockout policy applies.
security.policy.allowed.login.attempt=10
# turn off the perclick enforcement of various security policies, slightly
# more heavyweight since it will ensure that the User object on each click
# is up to date
security.policy.strict.enforcement.enabled=true
security.policy.strict.force.password.change.enabled=true
# --------------------------------------------------------------------
# Password Rules
# Each rule has an .enabled switch; the .minimum/.maximum values only
# apply when the corresponding rule is enabled.
security.policy.password.rule.alphanumeric.enabled=false
security.policy.password.rule.alphacount.enabled=true
security.policy.password.rule.alphacount.minimum=1
security.policy.password.rule.characterlength.enabled=true
# NOTE(review): a minimum length of 1 is a permissive default; raise it
# for any deployment that accepts external logins.
security.policy.password.rule.characterlength.minimum=1
security.policy.password.rule.characterlength.maximum=24
security.policy.password.rule.musthave.enabled=true
security.policy.password.rule.numericalcount.enabled=true
security.policy.password.rule.numericalcount.minimum=1
security.policy.password.rule.reuse.enabled=true
security.policy.password.rule.nowhitespace.enabled=true
# --------------------------------------------------------------------
# ldap settings
#
ldap.bind.authenticator.enabled=false
# ldap options for configuration via properties file
#ldap.config.hostname=
#ldap.config.port=
#ldap.config.base.dn=
#ldap.config.context.factory=
#ldap.config.bind.dn=
# NOTE(review): a bind password placed here is stored in clear text;
# restrict read access to this file (or to archiva.xml once migrated).
#ldap.config.password=
#ldap.config.authentication.method=
# config parameter for the ConfigurableUserManager
user.manager.impl=jpa
# REST security settings
# Cross Site Request Forgery (CSRF) Prevention
# --------------------------------------------
# Enable/Disable CSRF filtering.
# Possible values: true, false
rest.csrffilter.enabled=true
# Base URL used to verify the origin headers of the requests. If not set or empty
# it tries to determine the base url automatically
# NOTE(review): automatic detection presumably relies on request headers;
# pin this value behind a reverse proxy -- confirm against the filter code.
rest.baseUrl=
# What to do, if the request contains no Origin or Referer header.
# If true, requests without Origin or Referer Header are denied, otherwise accepted.
# Possible values: true, false
rest.csrffilter.absentorigin.deny=true
# Enable/Disable the token validation only.
# If true, the validation of the CSRF tokens will be disabled.
# Possible values: true, false
rest.csrffilter.disableTokenValidation=false
# Configuration for JWT authentication
# "memory" keeps signing keys in process memory only; presumably they are
# regenerated on restart, invalidating outstanding tokens -- TODO confirm.
authentication.jwt.keystoreType=memory
# HS384 is an HMAC (shared-secret) algorithm: anyone holding the key can
# both verify and mint tokens, so key material must stay server-side.
authentication.jwt.signatureAlgorithm=HS384
# Key file used by the file-backed keystore types; not consulted by "memory".
authentication.jwt.keyfile=jwt-key.xml
authentication.jwt.maxInMemoryKeys=5
Note: If installed standalone, Archiva's list of configuration files is itself configurable, and can be found in: apps/archiva/WEB-INF/applicationContext.xml
Configuration sources, in the order they are consulted:
<!--
  Registry of configuration sources. The sources are listed in lookup order;
  ${appserver.base} entries come before ${appserver.home} entries, and the
  classpath resource redback-security.properties is last. Which source wins
  on a duplicate key is decided by CommonsConfigurationRegistry (presumably
  first match) - confirm before relying on it.

  NOTE(review): every file-backed source is config-optional="true" except the
  final classpath properties, so a missing or mistyped path is skipped
  silently and the built-in defaults apply. Because <system/> and these files
  can all set security.* and authentication.* keys, write access to the
  conf/ directories and to the JVM system properties is equivalent to control
  over the security policy; restrict it accordingly.
-->
<bean name="commons-configuration"
      class="org.apache.archiva.components.registry.commons.CommonsConfigurationRegistry"
      init-method="initialize">
  <!-- The CDATA body is parsed by the registry itself; keep it as plain
       configuration XML (no Spring placeholders are resolved inside it). -->
  <property name="initialConfiguration">
    <value>
      <![CDATA[
      <configuration>
        <system/>
        <jndi prefix="java:comp/env" config-optional="true"/>
        <xml fileName="${appserver.base}/conf/archiva.xml" config-optional="true" config-name="org.apache.archiva.base" config-at="org.apache.archiva"/>
        <xml fileName="${appserver.base}/conf/shared.xml" config-optional="true" config-name="org.apache.maven.shared.app.base" config-at="org.apache.maven.shared.app"/>
        <xml fileName="${appserver.base}/conf/common.xml" config-optional="true"/>
        <properties fileName="${appserver.base}/conf/security.properties" config-optional="true" config-at="org.apache.archiva.redback"/>
        <xml fileName="${appserver.home}/conf/archiva.xml" config-optional="true" config-at="org.apache.archiva"/>
        <xml fileName="${appserver.home}/conf/shared.xml" config-optional="true" config-at="org.apache.maven.shared.app"/>
        <xml fileName="${appserver.home}/conf/common.xml" config-optional="true"/>
        <properties fileName="${appserver.home}/conf/security.properties" config-optional="true" config-at="org.apache.archiva.redback"/>
        <properties fileName="org/apache/archiva/redback-security.properties" config-at="org.apache.archiva.redback"/>
      </configuration>
      ]]>
    </value>
  </property>
</bean>