Continuum Security Configuration

Security properties and password rules can be configured in the security.properties file, which by default is searched for in:

  • ~/.m2/security.properties
  • $CONTINUUM_HOME/conf/security.properties

(In the list above, ~ is the home directory of the user who is running Continuum, and $CONTINUUM_HOME is the directory where Continuum is installed, such as /opt/continuum-1.2.)

Following are some of the properties you can modify. For a complete list, consult the default properties file in Redback's svn repo: config-defaults.properties

# Security Policies
#security.policy.password.encoder=
security.policy.password.previous.count=6
security.policy.password.expiration.days=90
security.policy.allowed.login.attempt=3

# Password Rules
security.policy.password.rule.alphanumeric.enabled=false
security.policy.password.rule.alphacount.enabled=true
security.policy.password.rule.alphacount.minimum=1
security.policy.password.rule.characterlength.enabled=true
security.policy.password.rule.characterlength.minimum=1
security.policy.password.rule.characterlength.maximum=8
security.policy.password.rule.musthave.enabled=true
security.policy.password.rule.numericalcount.enabled=true
security.policy.password.rule.numericalcount.minimum=1
security.policy.password.rule.reuse.enabled=true
security.policy.password.rule.nowhitespace.enabled=true

Note: If installed standalone, Continuum's list of configuration files is itself configurable, and can be found in: $CONTINUUM_HOME/apps/continuum/webapp/WEB-INF/classes/META-INF/plexus/application.xml

Additional CSRF Prevention

To help prevent cross-site request forgery, it is possible to enable a basic check that the referrer is the current site.

Note: This is only a generic solution that may prevent some types of attacks but not others. It may cause problems with certain user agents. By default, the check is off.

To enable the check, change the following configuration value in the struts.xml file in the WEB-INF/classes directory of the web application (2 locations):

<interceptor-ref name="redbackSecureActions">
  <param name="enableReferrerCheck">false</param>
</interceptor-ref>