Details

    • Type: New Feature
    • Status: Resolved
    • Priority: Normal
    • Resolution: Fixed
    • Affects Version/s: 1.3.0-rc-1
    • Fix Version/s: 2.0.0
    • Component/s: Security
    • Labels:
      None

      Description

      Problem Statement

      Artifactory supports securing repositories through the use of username/password authentication. This is achieved through an internal database of users and/or an LDAP authentication provider.

      When Artifactory is configured to require username/password authentication, the developer's Maven settings.xml must include the username/password used for the authentication. These credentials are stored in plain text.

      This is very undesirable, as it means LDAP (often domain) credentials are stored in plain text on a computer's hard drive.

      settings.xml

      <settings>
        <servers>
          <server>
            <id>artifactory</id>
            <username>johndoe</username>
            <password>my-ldap-password</password>
          </server>
        </servers>
        <mirrors>
          <mirror>
            <id>artifactory</id>
            <mirrorOf>*</mirrorOf>
            <url>http://maven.mycompany.com/artifactory/repo</url>
            <name>Artifactory</name>
          </mirror>
        </mirrors>
      </settings>
      

      As can be seen in this settings.xml, the user's password is stored in plain text.

      New Feature Request

      This new feature request is to allow storing the password in an encrypted form in the settings.xml file. This requires changes to the Artifactory Web UI, and Security framework.

      The basic concept is to allow an admin user the ability (via Web UI) to set a secret key value (javax.crypto.SecretKey) to be used for encrypting users passwords.

      Once the secret key has been set, the normal user would use the Web UI to input his password and then generate the encrypted (Triple DES?) version of the password. The user would then cut-and-paste the encrypted string into the settings.xml file.

      Example:
      Plain Text Password: my-password
      Encrypted Password:

      {3DES}FlpN4GyRYT5h2YU/yJXT2g==

      The encrypted password is output as a Base64-encoded string prefixed with the encryption algorithm used.

      settings.xml

      <settings>
        ...
        <server>
          <id>artifactory</id>
          <username>johndoe</username>
          <password>{3DES}FlpN4GyRYT5h2YU/yJXT2g==</password>
        </server>
        ...
      </settings>


      Now when Artifactory receives a request with the encrypted password, a custom authenticator (org.acegisecurity.providers.ldap.authenticator.BindAuthenticator) checks the password string for the existence of the encryption prefix. If the password string starts with the prefix, the password is decrypted before being passed to the authenticate method; otherwise the password is used as-is. This will support the use of both plain-text and encrypted passwords by simply checking for the known prefix ({3DES}).

      I believe that this feature is very desirable and will give Artifactory an edge over other Maven Repository Managers, as many of us in the corporate world need the ability to secure our Artifactory servers without storing our domain passwords in insecure flat files.

      I know this feature is achievable as I have implemented this in a modified version of Artifactory 1.2.5u1 within my company. Unfortunately my company has very strict policies pertaining to releasing code and therefore I cannot release any code to the open source community. However, I can be contacted to discuss the ideas described here without violating any of my company policies.
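      The scheme described above, worked through in Java as an added example. This is not Artifactory code and not the reporter's implementation; the class and method names are hypothetical, and the choice of DESede/CBC with a random IV prepended to the ciphertext is an assumption, since the request does not say which 3DES mode or IV was used. The block shows the three parts of the proposal: the admin-side javax.crypto.SecretKey, the Web UI side that turns a plain-text password into the {3DES}-prefixed Base64 value, and the authenticator-side prefix check that decrypts or passes the password through unchanged.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;

/**
 * Hypothetical illustration of the "{3DES}" prefixed-password scheme from the
 * feature request. Not part of Artifactory; names and the CBC/random-IV layout
 * are assumptions made for this example.
 */
public class PrefixedPasswordExample {

    static final String PREFIX = "{3DES}";
    static final String TRANSFORM = "DESede/CBC/PKCS5Padding";
    static final int BLOCK_SIZE = 8; // DES block size in bytes

    /** Admin side: the server-wide secret key set once through the Web UI. */
    static SecretKey generateKey() throws GeneralSecurityException {
        KeyGenerator kg = KeyGenerator.getInstance("DESede");
        kg.init(168); // three-key Triple DES
        return kg.generateKey();
    }

    /** Web UI side: encrypt the user's password and emit "{3DES}" + Base64(iv || ciphertext). */
    static String encryptForSettingsXml(SecretKey key, String plain) throws GeneralSecurityException {
        byte[] iv = new byte[BLOCK_SIZE];
        new SecureRandom().nextBytes(iv); // fresh IV per token: equal passwords give different tokens
        Cipher c = Cipher.getInstance(TRANSFORM);
        c.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(iv));
        byte[] ct = c.doFinal(plain.getBytes(StandardCharsets.UTF_8));
        byte[] out = new byte[iv.length + ct.length];
        System.arraycopy(iv, 0, out, 0, iv.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return PREFIX + Base64.getEncoder().encodeToString(out);
    }

    /**
     * Authenticator side: if the presented password carries the prefix, decrypt it and
     * return the plain text for the bind; otherwise return it unchanged so plain-text
     * credentials keep working. Malformed tokens are rejected rather than passed through.
     */
    static String resolveIncomingPassword(SecretKey key, String presented) throws GeneralSecurityException {
        if (presented == null || !presented.startsWith(PREFIX)) {
            return presented;
        }
        byte[] raw;
        try {
            // trim() tolerates whitespace a user may have pasted around the Base64 part
            raw = Base64.getDecoder().decode(presented.substring(PREFIX.length()).trim());
        } catch (IllegalArgumentException e) {
            throw new GeneralSecurityException("malformed " + PREFIX + " password", e);
        }
        // need at least IV + one cipher block, and whole blocks only
        if (raw.length < 2 * BLOCK_SIZE || raw.length % BLOCK_SIZE != 0) {
            throw new GeneralSecurityException("malformed " + PREFIX + " password");
        }
        Cipher c = Cipher.getInstance(TRANSFORM);
        c.init(Cipher.DECRYPT_MODE, key, new IvParameterSpec(raw, 0, BLOCK_SIZE));
        // A wrong key normally fails here with BadPaddingException (a GeneralSecurityException);
        // the caller must treat that as a failed login, never fall back to the raw token.
        byte[] pt = c.doFinal(raw, BLOCK_SIZE, raw.length - BLOCK_SIZE);
        return new String(pt, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws GeneralSecurityException {
        SecretKey key = generateKey();
        String token = encryptForSettingsXml(key, "my-password");
        System.out.println("value for settings.xml : " + token);
        System.out.println("decrypted on the server: " + resolveIncomingPassword(key, token));
        System.out.println("plain-text passthrough : " + resolveIncomingPassword(key, "my-password"));
    }
}
```

      Two caveats a deployer should weigh. First, the prefixed value is itself a reusable credential for Artifactory, because the server decrypts whatever it receives: settings.xml still holds something that can be replayed against the repository; what the scheme removes is exposure of the LDAP/domain password for reuse against other systems. Second, the request's sample token decodes to 16 bytes, two DES blocks with no room for an IV, which suggests ECB or a fixed IV in the original design; the example above prepends a random IV instead. Triple DES itself is deprecated (NIST SP 800-131A Rev. 2 disallows it for encryption after 2023), so a current implementation would use AES under a different prefix tag, with the prefix-check logic unchanged.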

            People

            • Assignee:
              yoavl Yoav Landman
            • Reporter:
              patrickcrocker Patrick Crocker
            • Votes: 0
            • Watchers: 0
