archiva-users mailing list archives

From "Qian, Yi" <>
Subject Re: LDAP - Users are authenticated but not actually logged in
Date Wed, 28 Sep 2011 15:12:56 GMT
Yes, it is a Maven question, but it relates to Archiva, and here is our use
case: we set up our Archiva repository and use it as the proxy, so the
developer only gets the dependency jar from the Maven repository if our
Archiva repository does not have it.

In order to access this Archiva repository through the Eclipse Maven plugin,
the developer has to add this settings.xml to their local .m2 folder to
include the username/password pair.

This leaves some weak points:
1. Even though Archiva accepts encrypted username/password, it is very clear
to the attacker where to find the credentials; since we are using single
sign-on, it might lead the attacker to gain full access to other resources.
2. Every time the developer changes the password in LDAP, they have to
update this settings.xml to gain access to Archiva through Eclipse Maven

We are looking at using LDAP authentication and successfully experimented
with it in a test environment, but due to the above concern, and since there
is no critical data on our Archiva server, we end up not using LDAP
authentication. If your solution can ease the first concern, we are glad to
go ahead and implement LDAP authentication.


On 9/28/11 9:38 AM, "Tomas R" <> wrote:

>On Wed, Sep 28, 2011 at 5:11 PM, Qian, Yi <> wrote:
>> Hello
>> Could you share how to handle the username/password in settings.xml in
>> user .m2/ folder?
>> Yi
>What exactly do you want to know? This is more of a Maven question [1].
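
The settings.xml concern raised in this message can be checked on a developer machine. The following is an added example, not part of the original thread: it reports which `<server>` entries hold a plaintext password and which use Maven's brace-wrapped encrypted form. The sample file, server ids, user name and password values are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample settings.xml (not from the thread); ids, user name and
# password values are made up, and the braced value is not a real ciphertext.
SAMPLE_SETTINGS = """<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0">
  <servers>
    <server>
      <id>archiva.internal</id>
      <username>jdoe</username>
      <password>Winter2011!</password>
    </server>
    <server>
      <id>archiva.snapshots</id>
      <username>jdoe</username>
      <password>{Q09OU1RSVUNURUQtU0FNUExF}</password>
    </server>
  </servers>
</settings>"""

# Maven stores an encrypted password inside unescaped braces: {base64...}.
# A backslash-escaped brace (\{) is a literal character of a plaintext value.
ENCRYPTED = re.compile(r"(?<!\\)\{[^{}]+\}")

def local(tag):
    """Strip the XML namespace so the check works with or without xmlns."""
    return tag.rsplit("}", 1)[-1]

def audit_servers(settings_xml):
    """Return (server id, 'plaintext' | 'encrypted') for each stored password."""
    findings = []
    for node in ET.fromstring(settings_xml).iter():
        if local(node.tag) != "server":
            continue
        fields = {local(child.tag): (child.text or "").strip() for child in node}
        password = fields.get("password", "")
        if not password:
            continue  # entry carries no password, nothing to report
        state = "encrypted" if ENCRYPTED.search(password) else "plaintext"
        findings.append((fields.get("id", "?"), state))
    return findings

if __name__ == "__main__":
    for server_id, state in audit_servers(SAMPLE_SETTINGS):
        print(f"{server_id}: {state}")
```

An "encrypted" result only describes the stored format; the file location is the same in both cases.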
