Artifactory provides a detailed and flexible permission-based system to control users' access to different features and artifacts.
However, Artifactory also supports the concept of "Anonymous Access" which controls the features and artifacts available to a user who has not logged in.
This is done through an "Anonymous User" which comes built-in to Artifactory with a default set of permissions.
Anonymous access may be switched on (default) or off using the Allow Anonymous Access setting under Security General Settings in the Administration module.
You can modify the set of permissions assigned to the "Anonymous User" just like you would for any other user, and this requires that Allow Anonymous Access is enabled.
This setting gives you more control over anonymous access, and allows you to prevent anonymous users from accessing the Build module where all information related to builds is found, even when anonymous access is enabled.
When a user tries to access a resource for which he is not authorized, Artifactory's default behavior is to indicate that the resource exists but is protected.
For example, an anonymous request will result in a request for authentication (401), and a request by an unauthorized authenticated user will simply be denied (403).
You can configure Artifactory to return a 404 Not Found response (instead of 403) in these cases by setting Hide Existence of Unauthorized Resources under Security | General in the Administration module.
Artifactory provides a unique solution to support encrypted passwords through the Password Encryption Policy setting as follows:
|Artifactory can receive requests with an encrypted password but will also accept requests with a non-encrypted password (default)|
|Artifactory requires an encrypted password for every authenticated request|
|Artifactory will reject requests with an encrypted password|
For more details on why Artifactory allows you to enforce password encryption please refer to Centrally Secure Passwords.
User account locking and temporary login suspension are two mechanisms employed by Artifactory to prevent identity theft via brute force attack.
Temporary login suspension means that when a login attempt fails due to incorrect authentication credentials being used, Artifactory will temporarily suspend that user's account for a brief period of time during which Artifactory ignores additional login attempts. If login attempts fail repeatedly, Artifactory will increase the suspension period each time until it reaches a maximum of 5 seconds.
In addition to temporary login suspension, you can configure Artifactory to lock a user's account after a specified number of failed login attempts. This is enabled by checking "Lock User After Exceeding Max Failed Login Attempts" and specifying a value in the Max Failed Login Attempts field. Users who get locked out of their account because they have exceeded the maximum number of failed login attempts allowed (as specified in Max Failed Login Attempts) must have an administrator unlock their account.
An Artifactory administrator can unlock all locked-out users using the "Unlock All Users" button on the Security General Configuration screen where user locking is configured. An administrator can also unlock a specific user or a group of users in the Security Module under User Management.
Artifactory lets an admin user enforce a password expiration policy that forces all users to change their passwords at regular intervals. When the password expiration policy is enforced, users who do not change their password within the specified time interval will be locked out of their accounts until they change their password.
|Enable Password Expiration Policy|When checked, password expiration policy is enabled.|
|Password Expires Every (Days)|Specifies how frequently all users must change their password.|
|Send Mail Notification Before Password Expiration|When checked, users receive an email notification a few days before their password expires.|
|Force Password Expiration For All Users|Forces all passwords to expire. All users will have to change their password at next login.|
As an admin user, you can revoke all the API keys currently defined in the system under Security | General in the Administration module.
To revoke all API keys in the system, click "Remove API Keys for All Users".
To revoke a specific user's API key, navigate to Administration module >> Security | Users and select the relevant user to edit. Once in the edit screen, one of the available actions is "Revoke API key".
Once you revoke an API key, any REST API calls using that API key will no longer work. The user will have to create a new API key and update any scripts that use it.
Different configuration files in Artifactory may include password information stored in plain text.
To keep passwords secure, you may choose to encrypt them as described in Artifactory Key Encryption.
From version 5.11, CSRF Protection was introduced but was disabled by default.
From version 6.0, Artifactory can prevent CSRF attacks by using a new custom header, X-Requested-With, for internal UI calls. This feature is enabled by default, and it may require modification to your proxy server (if you are using one) to make sure the proxy does not filter out this header. This feature can be disabled by modifying a system property and restarting Artifactory.
To disable CSRF protection, add the artifactory.csrf.filter.enabled = false flag in the artifactory.system.properties file under the $ARTIFACTORY_HOME/etc folder and restart Artifactory to apply the change.
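The two CSRF conditions described above can be audited from configuration text. The following is an added example, not JFrog code: it reports whether the CSRF filter has been switched off in artifactory.system.properties and whether a reverse proxy configuration drops the X-Requested-With header. The sample inputs are constructed, the proxy is assumed to be nginx or Apache httpd, and treating any value other than "true" as disabled is an assumption.

```python
import re

CSRF_KEY = "artifactory.csrf.filter.enabled"   # property named on this page
HEADER = "X-Requested-With"                    # header named on this page
# Constructed sample inputs, not taken from a real installation.
SAMPLE_PROPERTIES = """\
# constructed artifactory.system.properties
example.other.property=1
artifactory.csrf.filter.enabled = false
"""
SAMPLE_NGINX = """\
location /artifactory/ {
    proxy_pass http://localhost:8081/artifactory/;
    proxy_set_header Host $host;
    proxy_set_header X-Requested-With "";
}
"""
# Directives that stop the header from reaching the backend.
STRIP_PATTERNS = [
    re.compile(r"proxy_set_header\s+" + re.escape(HEADER) + r"\s+(?:\"\"|'')\s*;", re.I),  # nginx
    re.compile(r"RequestHeader\s+unset\s+" + re.escape(HEADER) + r"\b", re.I),            # Apache httpd
]

def parse_properties(text):
    """Minimal .properties reader: '#'/'!' comments, '=', ':' or whitespace
    separators, last assignment wins. No continuations or escapes."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"([^=:\s]+)\s*[=:\s]?\s*(.*)", line)
        if m and line[0] not in "#!":
            props[m.group(1)] = m.group(2).strip()
    return props

def csrf_filter_enabled(properties_text):
    """An absent key means enabled (the 6.0 default described on the page).
    Assumption: any value other than 'true' is treated as disabled."""
    return parse_properties(properties_text).get(CSRF_KEY, "true").lower() == "true"

def header_stripping_lines(proxy_config_text):
    """Return (line_number, line) for active directives that drop the header."""
    return [(n, line.strip())
            for n, line in enumerate(proxy_config_text.splitlines(), 1)
            if any(p.search(line.split("#", 1)[0]) for p in STRIP_PATTERNS)]

if __name__ == "__main__":
    print("CSRF filter enabled:", csrf_filter_enabled(SAMPLE_PROPERTIES))
    for n, line in header_stripping_lines(SAMPLE_NGINX):
        print(f"proxy config line {n} drops {HEADER}: {line}")
```

A disabled filter on a 6.x instance or a proxy directive that removes the header is worth flagging in a configuration review, since the page ties the protection to that header reaching Artifactory.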