Using the latest version?
JFrog Container Registry Guide

Skip to end of metadata
Go to start of metadata


JFrog Container Registry's security model offers protection at several levels. It allows you to do the following:

  • Assign role-based or user-based permissions to areas in your repositories (called Permission Targets)
  • Allow sub-administrators for Permission Targets
  • Configure LDAP out-of-the-box
  • Inspect security definitions for a single artifact or folder and more.

JFrog Container Registry's security is based on Spring Security and can be extended and customized.

This section explains the strong security aspects and controls offered by JFrog Container Registry.

General Configuration

JFrog Container Registry provides several system-wide settings to control access to different resources. These are found under Security | General in the Administration tab.

Page Contents


Allow Anonymous Access

JFrog Container Registry provides a detailed and flexible permission-based system to control users' access to different features and artifacts.

However, JFrog Container Registry also supports the concept of "Anonymous Access" which controls the features and artifacts available to a user who has not logged in.

This is done through an "Anonymous User" which comes built-in to JFrog Container Registry with a default set of permissions.

Anonymous access may be switched on or off (default) using the Allow Anonymous Access setting under Security General Settings in the Administration module.

You can modify the set of permissions assigned to the "Anonymous User" just like you would for any other user, and this requires that Allow Anonymous Access is enabled.

Allow Basic Read of Build Related Info

This setting gives all users view permissions to published modules for all builds in the system. This is regardless of any specific permissions applied to a particular build. And only applies to anonymous users if the "Apply on Anonymous Access" is enabled.

Hide Existence of Unauthorized Resources

When a user tries to access a resource for which he is not authorized, JFrog Container Registry's default behavior is to indicate that the resource exists but is protected.

For example, an anonymous request will result in a request for authentication (401), and a request by an unauthorized authenticated user will simply be denied (403).

You can configure JFrog Container Registry to return a 404 (instead of 403) - Not Found response in these cases by setting Hide Existence of Unauthorized Resources under Security | General in the Administration module.

Password Encryption Policy

JFrog Container Registry provides a unique solution to support encrypted passwords through the Password Encryption Policy setting as follows:

JFrog Container Registry can receive requests with an encrypted password but will also accept requests with a non-encrypted password (default)
JFrog Container Registry requires an encrypted password for every authenticated request
JFrog Container Registry will reject requests with encrypted password

For more details on why JFrog Container Registry allows you to enforce password encryption please refer to Centrally Secure Passwords

User Lock and Login Suspension

User account locking and temporary login suspension are two mechanisms employed by JFrog Container Registry to prevent identity theft via brute force attack.

Temporary Login Suspension

Temporary login suspension means that when a login attempt fails due to incorrect authentication credentials being used, JFrog Container Registry will temporarily suspend that user's account for a brief period of time during which JFrog Container Registry ignores additional login attempts. If login attempts fail repeatedly, JFrog Container Registry will increase the suspension period each time until it reaches a maximum of 5 seconds. 

User Account Locking

In addition to temporary login suspension, you can configure JFrog Container Registry to lock a user's account after a specified number of failed login attempts. This is enabled by checking "Lock User After Exceeding Max Failed Login Attempts", and specifying the Max Failed Login Attempts field. Users who get locked out of their account because they have exceeded the maximum number of failed login attempts allowed (as specified in Max Failed Login Attempts) must have an administrator access to unlock their account. 

Unlocking User Accounts

An JFrog Container Registry administrator can unlock all locked-out users using the "Unlock All Users" button under Security General Configuration screen where user locking is configured. An administrator can also unlock a specific user or a group of users in the Security Module under User Management.

Through the REST API, an administrator can unlock a Single User, or a group of users

Password Expiration Policy

JFrog Container Registry lets an admin user enforce a password expiration policy that forces all users to change their passwords at regular intervals. When the password expiration policy is enforced, users who do not within the specified time interval will be locked out of their accounts until they change their password.

Password expiration policy

Enable Password Expiration Policy
When checked, password expiration policy is enabled.
Password Expires Every (Days)
Specifies how frequently all users must change their password.
Send Mail Notification Before Password Expiration
When checked, users receive an email notification a few days before their password expires.
Force Password Expiration For All Users
Forces all passwords to expire. All users will have to change their password at next login.

Managing API Keys

As an admin user, you can revoke all the API keys currently defined in the system under Security | General Security Configuration in the Administration module. 

To revoke all API keys in the system, click "Remove API Keys for All Users".

To revoke a specific user's API key, navigate to Administration module >> Security | Users and select the relevant user to edit . Once in the edit screen one of the available actions is "Revoke API key"

Once you revoke an API key, any REST API calls using that API key will no longer work. The user will have to create new API key and update any scripts that use it.

Passwords Encryption

Different configuration files in JFrog Container Registry may include password information stored in plain text. 

To keep passwords secure, you may choose to encrypt them as described in JFrog Container Registry Key Encryption

CSRF Protection

JFrog Container Registry can prevent CSRF attacks by using a new custom header, X-Requested-With, for internal UI calls. This feature may require modification to your proxy server (if you are using one) to make sure the proxy does not filter out this header. 

The CSRF Protection is enabled by default and cannot be disabled. 


Hardening Security for Secrets

JFrog Container Registry uses a set of encrypted parameters (secrets) used to connect to external resources such as the different databases it uses. While these secrets may be stored in the JFrog Container Registry configuration file, this poses a risk of their being exposed.

To keep secrets safe from exposure, you may pre-load secrets from a temporary file when you startup JFrog Container Registry. Once JFrog Container Registry has read and successfully used the secrets, the file is deleted.

The snippet below shows an example of the parameters you could include in this temporary file. These are the parameters JFrog Container Registry uses to connect to a PostgreSQL database.


While we recommend only including sensitive information such as encrypted connection strings, this file may contain any of the database configuration parameters, and any parameters specified (including environment variables and system properties) will override the corresponding ones in the database configuration file.

To load parameters using this mechanism, place them in the following temporary file before your startup JFrog Container Registry:


Execute on every restart of JFrog Container Registry

Since the temporary file is deleted when JFrog Container Registry starts, you need to replace the temporary file each time you restart JFrog Container Registry.

  • No labels