archiva-users mailing list archives

From Tomas R <>
Subject Re: LDAP - Users are authenticated but not actually logged in
Date Wed, 28 Sep 2011 15:47:29 GMT
On Wed, Sep 28, 2011 at 6:12 PM, Qian, Yi <> wrote:

> Yes, it is a Maven question, but it relates to Archiva, and here is our use
> case. We set up our Archiva repository and use it as the proxy; the
> developer only gets the dependency jar from the Maven repository if our Archiva
> repository does not have it.
> In order to access this Archiva repository through the Eclipse Maven plugin,
> the developer has to add this settings.xml to their local .m2 folder to
> include a username/password pair.
> This leaves some weak points:
> 1. Even though Archiva accepts an encrypted username/password, it is very clear to
> the attacker where to find the credentials; since we are using single sign
> on, it might lead the attacker to gain full access to other resources.
> 2. Every time the developer changes the password in LDAP, they have to
> update this settings.xml to gain access to Archiva through the Eclipse Maven
> plugin.
> We are looking into using LDAP authentication and have successfully experimented
> in a test environment, but due to the above concern, and also since there is no
> critical data on our Archiva server, we ended up not using LDAP authentication.
> But if your solution can ease the first concern, we would be glad to go ahead
> and implement LDAP authentication.
> Yi

Unfortunately we could not find any better solution than storing the encrypted
password in the local settings.xml file.
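The Maven encrypted-password setup the reply refers to, as an added example that is not part of the original thread: the server id `archiva`, the user name, the repository URL and the two `{...}` values are constructed placeholders, and the comments spell out what the files do and do not protect against.

```xml
<!-- File 1: ~/.m2/settings-security.xml  (constructed example)
     The <master> value is produced by `mvn --encrypt-master-password` and is
     the key that decrypts every <password> in settings.xml. Anyone who can
     read this file together with settings.xml can recover the clear-text
     credentials: the encryption is reversible, not a hash. So this file
     must be readable by its owner only (chmod 600), and <relocation> can
     point to a copy kept on a path that is mounted only while working
     (for example a removable or encrypted volume). -->
<settingsSecurity>
  <master>{PLACEHOLDER_MASTER_KEY=}</master>
  <!-- <relocation>/media/secure-usb/settings-security.xml</relocation> -->
</settingsSecurity>

<!-- File 2: ~/.m2/settings.xml  (constructed example)
     The <password> is the output of `mvn --encrypt-password`, encrypted
     with the master key above; the clear-text LDAP password never appears
     here. The <server> id must match the <mirror> id so that Maven, and the
     Eclipse Maven plugin reading the same file, send these credentials to
     the Archiva proxy. When the LDAP password changes, only the <password>
     element needs to be regenerated; the master key stays the same. -->
<settings>
  <servers>
    <server>
      <id>archiva</id>
      <username>jdoe</username>
      <password>{PLACEHOLDER_ENCRYPTED_PASSWORD=}</password>
    </server>
  </servers>
  <mirrors>
    <mirror>
      <id>archiva</id>
      <mirrorOf>*</mirrorOf>
      <url>https://archiva.example.com/repository/internal/</url>
    </mirror>
  </mirrors>
</settings>
```

Because the master key and the encrypted password normally sit on the same disk, this only raises the bar for casual disclosure; if the Archiva account is the same LDAP identity used for other systems, a dedicated, least-privileged repository account limits what a leaked settings.xml exposes.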
